From fbea6d2d35f6ccb115f4d8d8c47af0f760b35694 Mon Sep 17 00:00:00 2001
From: Vladimir Kozhukalov <kozhukalov@gmail.com>
Date: Thu, 26 Jun 2025 14:58:16 -0500
Subject: [PATCH] [octavia] Add test case for load balancer

We've been merging quite a few improvements for Ocatavia
chart recently but we've been skipping testing them.
This PS adds the Octavia test case which tests the
simplest load balancing env with two workload instances
and one amphora instance.

The PS also brings some changes to the Octavia chart:

- Run driver agent as a separate deployment on network nodes
- Run worker as a daemonset (same as health manager) on network
  nodes. It creates an interface attached to the Octavia
  management network to get access to amophora instances.

Change-Id: Id12e30eb7aac432e3f12b83e1f93d98e54c503cf
Signed-off-by: Vladimir Kozhukalov <kozhukalov@gmail.com>
---
 .../bin/_octavia-worker-get-port.sh.tpl       |  26 ++
 .../bin/_octavia-worker-nic-init.sh.tpl       |  31 ++
 octavia/templates/bin/_octavia-worker.sh.tpl  |   7 +
 octavia/templates/configmap-bin.yaml          |   4 +
 ...ment-worker.yaml => daemonset-worker.yaml} |  72 +++-
 octavia/templates/deployment-api.yaml         |  48 ---
 .../templates/deployment-driver-agent.yaml    | 117 ++++++
 octavia/values.yaml                           | 100 +++--
 .../notes/octavia-73c0f7c8c13c00a1.yaml       |   8 +
 roles/deploy-env/files/calico_patch.yaml      |   2 +-
 roles/deploy-env/tasks/env_inventory.yaml     |  31 ++
 roles/deploy-env/tasks/main.yaml              |   6 +
 .../tasks/openstack_provider_gateway.yaml     |   4 +
 roles/deploy-env/tasks/prerequisites.yaml     |   1 +
 tools/deployment/common/prepare-bashrc.sh     |  24 ++
 .../180-create-resource-for-octavia.sh        |  84 ----
 .../component/octavia/200-octavia.sh          | 121 ------
 .../octavia/create_dual_intermediate_CA.sh    | 157 ++++++++
 .../component/octavia/heat_octavia_env.yaml   | 358 ++++++++++++++++++
 tools/deployment/component/octavia/octavia.sh | 186 +++++++++
 ...eate-octavia-certs.sh => octavia_certs.sh} |  21 +-
 .../component/octavia/octavia_resources.sh    | 116 ++++++
 .../component/octavia/octavia_test.sh         |  48 +++
 .../deployment/component/octavia/openssl.cnf  | 144 +++++++
 .../octavia/2025.1-ubuntu_jammy.yaml          |  23 ++
 .../octavia/2025.1-ubuntu_noble.yaml          |  23 ++
 zuul.d/2025.1.yaml                            |  11 +
 zuul.d/base.yaml                              |  41 +-
 zuul.d/nodesets.yaml                          |  35 ++
 zuul.d/project.yaml                           |   1 +
 30 files changed, 1545 insertions(+), 305 deletions(-)
 create mode 100644 octavia/templates/bin/_octavia-worker-get-port.sh.tpl
 create mode 100644 octavia/templates/bin/_octavia-worker-nic-init.sh.tpl
 rename octavia/templates/{deployment-worker.yaml => daemonset-worker.yaml} (60%)
 create mode 100644 octavia/templates/deployment-driver-agent.yaml
 create mode 100644 releasenotes/notes/octavia-73c0f7c8c13c00a1.yaml
 create mode 100644 roles/deploy-env/tasks/env_inventory.yaml
 create mode 100755 tools/deployment/common/prepare-bashrc.sh
 delete mode 100755 tools/deployment/component/octavia/180-create-resource-for-octavia.sh
 delete mode 100755 tools/deployment/component/octavia/200-octavia.sh
 create mode 100755 tools/deployment/component/octavia/create_dual_intermediate_CA.sh
 create mode 100644 tools/deployment/component/octavia/heat_octavia_env.yaml
 create mode 100755 tools/deployment/component/octavia/octavia.sh
 rename tools/deployment/component/octavia/{190-create-octavia-certs.sh => octavia_certs.sh} (64%)
 create mode 100755 tools/deployment/component/octavia/octavia_resources.sh
 create mode 100755 tools/deployment/component/octavia/octavia_test.sh
 create mode 100644 tools/deployment/component/octavia/openssl.cnf
 create mode 100644 values_overrides/octavia/2025.1-ubuntu_jammy.yaml
 create mode 100644 values_overrides/octavia/2025.1-ubuntu_noble.yaml

diff --git a/octavia/templates/bin/_octavia-worker-get-port.sh.tpl b/octavia/templates/bin/_octavia-worker-get-port.sh.tpl
new file mode 100644
index 0000000000..7d14a92700
--- /dev/null
+++ b/octavia/templates/bin/_octavia-worker-get-port.sh.tpl
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+HOSTNAME=$(hostname -s)
+PORTNAME=octavia-worker-port-$HOSTNAME
+
+HM_PORT_ID=$(openstack port show $PORTNAME -c id -f value)
+HM_PORT_MAC=$(openstack port show $PORTNAME -c mac_address -f value)
+
+echo $HM_PORT_ID > /tmp/pod-shared/HM_PORT_ID
+echo $HM_PORT_MAC > /tmp/pod-shared/HM_PORT_MAC
diff --git a/octavia/templates/bin/_octavia-worker-nic-init.sh.tpl b/octavia/templates/bin/_octavia-worker-nic-init.sh.tpl
new file mode 100644
index 0000000000..f1ac3c40cc
--- /dev/null
+++ b/octavia/templates/bin/_octavia-worker-nic-init.sh.tpl
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+HM_PORT_ID=$(cat /tmp/pod-shared/HM_PORT_ID)
+HM_PORT_MAC=$(cat /tmp/pod-shared/HM_PORT_MAC)
+
+ovs-vsctl --no-wait show
+
+ovs-vsctl --may-exist add-port br-int o-w0 \
+        -- set Interface o-w0 type=internal \
+        -- set Interface o-w0 external-ids:iface-status=active \
+        -- set Interface o-w0 external-ids:attached-mac=$HM_PORT_MAC \
+        -- set Interface o-w0 external-ids:iface-id=$HM_PORT_ID \
+        -- set Interface o-w0 external-ids:skip_cleanup=true
+
+ip link set dev o-w0 address $HM_PORT_MAC
diff --git a/octavia/templates/bin/_octavia-worker.sh.tpl b/octavia/templates/bin/_octavia-worker.sh.tpl
index f612ff38e9..db5a2a5f4c 100644
--- a/octavia/templates/bin/_octavia-worker.sh.tpl
+++ b/octavia/templates/bin/_octavia-worker.sh.tpl
@@ -20,6 +20,13 @@ set -ex
 COMMAND="${@:-start}"
 
 function start () {
+  cat > /tmp/dhclient.conf <<EOF
+request subnet-mask,broadcast-address,interface-mtu;
+do-forward-updates false;
+EOF
+
+  dhclient -v o-w0 -cf /tmp/dhclient.conf
+
   exec octavia-worker \
         --config-file /etc/octavia/octavia.conf
 }
diff --git a/octavia/templates/configmap-bin.yaml b/octavia/templates/configmap-bin.yaml
index f3f90fb285..53a1803eb5 100644
--- a/octavia/templates/configmap-bin.yaml
+++ b/octavia/templates/configmap-bin.yaml
@@ -59,6 +59,10 @@ data:
 {{ tuple "bin/_octavia-housekeeping.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   octavia-worker.sh: |
 {{ tuple "bin/_octavia-worker.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  octavia-worker-nic-init.sh: |
+{{ tuple "bin/_octavia-worker-nic-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  octavia-worker-get-port.sh: |
+{{ tuple "bin/_octavia-worker-get-port.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   rabbit-init.sh: |
 {{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
 {{- end }}
diff --git a/octavia/templates/deployment-worker.yaml b/octavia/templates/daemonset-worker.yaml
similarity index 60%
rename from octavia/templates/deployment-worker.yaml
rename to octavia/templates/daemonset-worker.yaml
index 1229994279..4455f84b94 100644
--- a/octavia/templates/deployment-worker.yaml
+++ b/octavia/templates/daemonset-worker.yaml
@@ -14,17 +14,19 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
-{{- if .Values.manifests.deployment_worker }}
-{{- $envAll := . }}
+{{- define "octavia.worker.daemonset" }}
+{{- $daemonset := index . 0 }}
+{{- $configMapName := index . 1 }}
+{{- $serviceAccountName := index . 2 }}
+{{- $envAll := index . 3 }}
+{{- with $envAll }}
 
 {{- $mounts_octavia_worker := .Values.pod.mounts.octavia_worker.octavia_worker }}
 {{- $mounts_octavia_worker_init := .Values.pod.mounts.octavia_worker.init_container }}
 
-{{- $serviceAccountName := "octavia-worker" }}
-{{ tuple $envAll "worker" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: apps/v1
-kind: Deployment
+kind: DaemonSet
 metadata:
   name: octavia-worker
   annotations:
@@ -32,11 +34,10 @@ metadata:
   labels:
 {{ tuple $envAll "octavia" "worker" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 spec:
-  replicas: {{ .Values.pod.replicas.worker }}
   selector:
     matchLabels:
 {{ tuple $envAll "octavia" "worker" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
-{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+{{ tuple $envAll "worker" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
   template:
     metadata:
       labels:
@@ -51,12 +52,42 @@ spec:
       serviceAccountName: {{ $serviceAccountName }}
       dnsPolicy: ClusterFirstWithHostNet
       hostNetwork: true
-      affinity:
-{{ tuple $envAll "octavia" "worker" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+    #   hostPID: true
       nodeSelector:
         {{ .Values.labels.worker.node_selector_key }}: {{ .Values.labels.worker.node_selector_value }}
       initContainers:
 {{ tuple $envAll "worker" $mounts_octavia_worker_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: octavia-worker-get-port
+{{ tuple $envAll "octavia_worker_init" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.worker | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity "admin" ) }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+          command:
+            - /tmp/octavia-worker-get-port.sh
+          volumeMounts:
+            - name: pod-shared
+              mountPath: /tmp/pod-shared
+            - name: octavia-bin
+              mountPath: /tmp/octavia-worker-get-port.sh
+              subPath: octavia-worker-get-port.sh
+              readOnly: true
+        - name: octavia-worker-nic-init
+{{ tuple $envAll "openvswitch_vswitchd" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.worker | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "octavia_worker" "container" "octavia_worker_nic_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/octavia-worker-nic-init.sh
+          volumeMounts:
+            - name: pod-shared
+              mountPath: /tmp/pod-shared
+            - name: octavia-bin
+              mountPath: /tmp/octavia-worker-nic-init.sh
+              subPath: octavia-worker-nic-init.sh
+              readOnly: true
+            - name: run
+              mountPath: /run
       containers:
         - name: octavia-worker
 {{ tuple $envAll "octavia_worker" | include "helm-toolkit.snippets.image" | indent 10 }}
@@ -98,7 +129,28 @@ spec:
             defaultMode: 0555
         - name: octavia-etc
           secret:
-            secretName: octavia-etc
+            secretName: {{ $configMapName }}
             defaultMode: 0444
+        - name: pod-shared
+          emptyDir: {}
+        - name: run
+          hostPath:
+            path: /run
 {{ if $mounts_octavia_worker.volumes }}{{ toYaml $mounts_octavia_worker.volumes | indent 8 }}{{ end }}
 {{- end }}
+{{- end }}
+
+{{- if .Values.manifests.daemonset_worker }}
+{{- $envAll := . }}
+{{- $daemonset := "worker" }}
+{{- $configMapName := "octavia-etc" }}
+{{- $serviceAccountName := "octavia-worker" }}
+
+{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "worker" -}}
+{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
+
+{{ tuple $envAll "worker" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+{{- $daemonset_yaml := list $daemonset $configMapName $serviceAccountName . | include "octavia.worker.daemonset" | toString | fromYaml }}
+{{- $configmap_yaml := "octavia.configmap.etc" }}
+{{- list $daemonset $daemonset_yaml $configmap_yaml $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}
+{{- end }}
diff --git a/octavia/templates/deployment-api.yaml b/octavia/templates/deployment-api.yaml
index 3aaac901ec..62034c3e49 100644
--- a/octavia/templates/deployment-api.yaml
+++ b/octavia/templates/deployment-api.yaml
@@ -33,7 +33,6 @@ httpGet:
 {{- $envAll := . }}
 
 {{- $mounts_octavia_api := .Values.pod.mounts.octavia_api.octavia_api }}
-{{- $mounts_octavia_driver_agent := .Values.pod.mounts.octavia_api.octavia_driver_agent }}
 {{- $mounts_octavia_api_init := .Values.pod.mounts.octavia_api.init_container }}
 
 {{- $serviceAccountName := "octavia-api" }}
@@ -92,8 +91,6 @@ spec:
 {{ dict "envAll" $envAll "component" "api" "container" "octavia-api" "type" "readiness" "probeTemplate" (include "octaviaApiReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
 {{ dict "envAll" $envAll "component" "api" "container" "octavia-api" "type" "liveness" "probeTemplate" (include "octaviaApiLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
           volumeMounts:
-            - name: run-openvswitch
-              mountPath: /var/run/ovn
             - name: pod-etc-octavia
               mountPath: /etc/octavia
             - name: octavia-bin
@@ -114,54 +111,9 @@ spec:
               subPath: {{ base .Values.conf.octavia.DEFAULT.log_config_append }}
               readOnly: true
             {{- end }}
-            - name: octavia-driver-agents
-              mountPath: /var/run/octavia
-{{ if $mounts_octavia_api.volumeMounts }}{{ toYaml $mounts_octavia_api.volumeMounts | indent 12 }}{{ end }}
-        - name: octavia-driver-agent
-{{ tuple $envAll "octavia_driver_agent" | include "helm-toolkit.snippets.image" | indent 10 }}
-{{ tuple $envAll $envAll.Values.pod.resources.driver_agent | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-{{ dict "envAll" $envAll "application" "octavia_api" "container" "octavia_driver_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
-          command:
-            - /tmp/octavia-driver-agent.sh
-            - start
-          lifecycle:
-            preStop:
-              exec:
-                command:
-                  - /tmp/octavia-driver-agent.sh
-                  - stop
-          volumeMounts:
-            - name: pod-etc-octavia
-              mountPath: /etc/octavia
-              readOnly: true
-            - name: octavia-bin
-              mountPath: /tmp/octavia-driver-agent.sh
-              subPath: octavia-driver-agent.sh
-              readOnly: true
-            - name: octavia-etc
-              mountPath: /etc/octavia/octavia.conf
-              subPath: octavia.conf
-              readOnly: true
-            {{- if .Values.conf.octavia.DEFAULT.log_config_append }}
-            - name: octavia-etc
-              mountPath: {{ .Values.conf.octavia.DEFAULT.log_config_append }}
-              subPath: {{ base .Values.conf.octavia.DEFAULT.log_config_append }}
-              readOnly: true
-            {{- end }}
-            - name: octavia-driver-agents
-              mountPath: /var/run/octavia
-            - name: run-openvswitch
-              mountPath: /var/run/ovn
-{{ if $mounts_octavia_driver_agent.volumeMounts }}{{ toYaml $mounts_octavia_driver_agent.volumeMounts | indent 12 }}{{ end }}
       volumes:
         - name: pod-etc-octavia
           emptyDir: {}
-        - name: run-openvswitch
-          hostPath:
-            path: /run/openvswitch
-            type: DirectoryOrCreate
-        - name: octavia-driver-agents
-          emptyDir: {}
         - name: octavia-bin
           configMap:
             name: octavia-bin
diff --git a/octavia/templates/deployment-driver-agent.yaml b/octavia/templates/deployment-driver-agent.yaml
new file mode 100644
index 0000000000..985f0298d3
--- /dev/null
+++ b/octavia/templates/deployment-driver-agent.yaml
@@ -0,0 +1,117 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+
+{{- define "octaviaDriverAgentLivenessProbeTemplate" }}
+{{- end }}
+
+{{- define "octaviaDriverAgentReadinessProbeTemplate" }}
+{{- end }}
+
+{{- if .Values.manifests.deployment_driver_agent }}
+{{- $envAll := . }}
+
+{{- $mounts_octavia_driver_agent := .Values.pod.mounts.octavia_driver_agent.octavia_driver_agent }}
+{{- $mounts_octavia_dirver_agent_init := .Values.pod.mounts.octavia_driver_agent.init_container }}
+
+{{- $serviceAccountName := "octavia-driver-agent" }}
+{{ tuple $envAll "driver_agent" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: octavia-driver-agent
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "octavia" "driver_agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.driver_agent }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "octavia" "driver_agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "octavia" "driver_agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ tuple "octavia_driver_agent" . | include "helm-toolkit.snippets.custom_pod_annotations" | indent 8 }}
+    spec:
+{{ tuple "octavia_driver_agent" . | include "helm-toolkit.snippets.kubernetes_pod_priority_class" | indent 6 }}
+{{ tuple "octavia_driver_agent" . | include "helm-toolkit.snippets.kubernetes_pod_runtime_class" | indent 6 }}
+      serviceAccountName: {{ $serviceAccountName }}
+      affinity:
+{{ tuple $envAll "octavia" "driver_agent" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.driver_agent.node_selector_key }}: {{ .Values.labels.driver_agent.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "driver_agent" $mounts_octavia_dirver_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: octavia-driver-agent
+{{ tuple $envAll "octavia_driver_agent" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.driver_agent | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "octavia_driver_agent" "container" "octavia_driver_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/octavia-driver-agent.sh
+            - start
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/octavia-driver-agent.sh
+                  - stop
+          volumeMounts:
+            - name: pod-etc-octavia
+              mountPath: /etc/octavia
+            - name: octavia-bin
+              mountPath: /tmp/octavia-driver-agent.sh
+              subPath: octavia-driver-agent.sh
+              readOnly: true
+            - name: octavia-etc
+              mountPath: /etc/octavia/octavia.conf
+              subPath: octavia.conf
+              readOnly: true
+            {{- if .Values.conf.octavia.DEFAULT.log_config_append }}
+            - name: octavia-etc
+              mountPath: {{ .Values.conf.octavia.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.octavia.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: octavia-driver-agents
+              mountPath: /var/run/octavia
+            - name: run-openvswitch
+              mountPath: /var/run/ovn
+{{ if $mounts_octavia_driver_agent.volumeMounts }}{{ toYaml $mounts_octavia_driver_agent.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-etc-octavia
+          emptyDir: {}
+        - name: run-openvswitch
+          hostPath:
+            path: /run/openvswitch
+            type: DirectoryOrCreate
+        - name: octavia-driver-agents
+          emptyDir: {}
+        - name: octavia-bin
+          configMap:
+            name: octavia-bin
+            defaultMode: 0555
+        - name: octavia-etc
+          secret:
+            secretName: octavia-etc
+            defaultMode: 0444
+{{ if $mounts_octavia_driver_agent.volumes }}{{ toYaml $mounts_octavia_driver_agent.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/octavia/values.yaml b/octavia/values.yaml
index 6cdc820406..b18c15480d 100644
--- a/octavia/values.yaml
+++ b/octavia/values.yaml
@@ -24,8 +24,11 @@ labels:
   api:
     node_selector_key: openstack-control-plane
     node_selector_value: enabled
+  driver_agent:
+    node_selector_key: openstack-network-node
+    node_selector_value: enabled
   worker:
-    node_selector_key: openstack-control-plane
+    node_selector_key: openstack-network-node
     node_selector_value: enabled
   housekeeping:
     node_selector_key: openstack-control-plane
@@ -40,23 +43,24 @@ labels:
 images:
   tags:
     test: docker.io/xrally/xrally-openstack:2.0.0
-    bootstrap: quay.io/airshipit/heat:2024.1-ubuntu_jammy
-    db_init: quay.io/airshipit/heat:2024.1-ubuntu_jammy
-    octavia_db_sync: quay.io/airshipit/octavia:master-ubuntu
-    db_drop: quay.io/airshipit/heat:2024.1-ubuntu_jammy
+    bootstrap: quay.io/airshipit/heat:2025.1-ubuntu_jammy
+    db_init: quay.io/airshipit/heat:2025.1-ubuntu_jammy
+    octavia_db_sync: quay.io/airshipit/octavia:2025.1-ubuntu_jammy
+    db_drop: quay.io/airshipit/heat:2025.1-ubuntu_jammy
     rabbit_init: docker.io/rabbitmq:3.13-management
-    ks_user: quay.io/airshipit/heat:2024.1-ubuntu_jammy
-    ks_service: quay.io/airshipit/heat:2024.1-ubuntu_jammy
-    ks_endpoints: quay.io/airshipit/heat:2024.1-ubuntu_jammy
+    ks_user: quay.io/airshipit/heat:2025.1-ubuntu_jammy
+    ks_service: quay.io/airshipit/heat:2025.1-ubuntu_jammy
+    ks_endpoints: quay.io/airshipit/heat:2025.1-ubuntu_jammy
     dep_check: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal
     image_repo_sync: docker.io/docker:17.07.0
-    octavia_api: quay.io/airshipit/octavia:2024.1-ubuntu_jammy
-    octavia_driver_agent: quay.io/airshipit/octavia:2024.1-ubuntu_jammy
-    octavia_worker: quay.io/airshipit/octavia:2024.1-ubuntu_jammy
-    octavia_housekeeping: quay.io/airshipit/octavia:2024.1-ubuntu_jammy
-    octavia_health_manager: quay.io/airshipit/octavia:2024.1-ubuntu_jammy
-    octavia_health_manager_init: quay.io/airshipit/openstack-client:2024.1-ubuntu_jammy
-    openvswitch_vswitchd: docker.io/openstackhelm/openvswitch:latest-ubuntu_focal
+    octavia_api: quay.io/airshipit/octavia:2025.1-ubuntu_jammy
+    octavia_driver_agent: quay.io/airshipit/octavia:2025.1-ubuntu_jammy
+    octavia_worker: quay.io/airshipit/octavia:2025.1-ubuntu_jammy
+    octavia_worker_init: quay.io/airshipit/openstack-client:2025.1-ubuntu_jammy
+    octavia_housekeeping: quay.io/airshipit/octavia:2025.1-ubuntu_jammy
+    octavia_health_manager: quay.io/airshipit/octavia:2025.1-ubuntu_jammy
+    octavia_health_manager_init: quay.io/airshipit/openstack-client:2025.1-ubuntu_jammy
+    openvswitch_vswitchd: docker.io/openstackhelm/openvswitch:latest-ubuntu_jammy
   pull_policy: "IfNotPresent"
   local_registry:
     active: false
@@ -117,6 +121,27 @@ dependencies:
           service: oslo_cache
         - endpoint: internal
           service: network
+    driver_agent:
+      jobs:
+        - octavia-db-sync
+        - octavia-ks-user
+        - octavia-ks-endpoints
+        - octavia-rabbit-init
+      services:
+        - endpoint: internal
+          service: oslo_db
+        - endpoint: internal
+          service: oslo_db_persistence
+        - endpoint: internal
+          service: identity
+        - endpoint: internal
+          service: oslo_messaging
+        - endpoint: internal
+          service: oslo_cache
+        - endpoint: internal
+          service: network
+        - endpoint: internal
+          service: load_balancer
     worker:
       jobs:
         - octavia-db-sync
@@ -222,8 +247,8 @@ conf:
     DEFAULT:
       log_config_append: /etc/octavia/logging.conf
     ovn:
-      ovn_nb_connection: unix:/run/ovn/ovnnb_db.sock
-      ovn_sb_connection: unix:/run/ovn/ovnsb_db.sock
+      ovn_nb_connection: unix:/var/run/ovn/ovnnb_db.sock
+      ovn_sb_connection: unix:/var/run/ovn/ovnsb_db.sock
     api_settings:
       api_handler: queue_producer
       bind_host: 0.0.0.0
@@ -233,7 +258,7 @@ conf:
     health_manager:
       bind_port: 5555
       bind_ip: 0.0.0.0
-      controller_ip_port_list: 0.0.0.0:5555
+      controller_ip_port_list: null
       heartbeat_key: insecure
     keystone_authtoken:
       auth_type: password
@@ -241,12 +266,12 @@ conf:
       memcache_security_strategy: ENCRYPT
       service_type: load-balancer
     certificates:
-      ca_private_key_passphrase: foobar
-      ca_private_key: /etc/octavia/certs/private/cakey.pem
-      ca_certificate: /etc/octavia/certs/ca_01.pem
+      ca_private_key_passphrase: not-secure-passphrase
+      ca_private_key: /etc/octavia/certs/private/server_ca.key.pem
+      ca_certificate: /etc/octavia/certs/server_ca.cert.pem
     haproxy_amphora:
-      server_ca: /etc/octavia/certs/ca_01.pem
-      client_cert: /etc/octavia/certs/client.pem
+      server_ca: /etc/octavia/certs/server_ca-chain.cert.pem
+      client_cert: /etc/octavia/certs/private/client.cert-and-key.pem
       base_path: /var/lib/octavia
       base_cert_dir: /var/lib/octavia/certs
     controller_worker:
@@ -263,6 +288,7 @@ conf:
       amp_active_retries: 100
       amp_active_wait_sec: 2
       loadbalancer_topology: SINGLE
+      client_ca: /etc/octavia/certs/client_ca.cert.pem
     oslo_messaging:
       topic: octavia_prov
       rpc_thread_pool_size: 2
@@ -293,10 +319,10 @@ conf:
         - context
         - default
     logger_root:
-      level: WARNING
-      handlers: 'null'
+      level: INFO
+      handlers: stdout
     logger_octavia:
-      level: WARNING
+      level: INFO
       handlers:
         - stdout
       qualname: octavia
@@ -589,14 +615,27 @@ pod:
           capabilities:
             add:
               - SYS_NICE
+    octavia_driver_agent:
+      container:
         octavia_driver_agent:
           capabilities:
             add:
               - SYS_NICE
+          runAsUser: 42424
     octavia_worker:
       container:
+        octavia_worker_nic_init:
+          runAsUser: 0
+          capabilities:
+            add:
+              - NET_ADMIN
+              - NET_RAW
+              - NET_BIND_SERVICE
         octavia_worker:
-          runAsUser: 42424
+          runAsUser: 0
+          capabilities:
+            add:
+              - NET_ADMIN
     octavia_housekeeping:
       container:
         octavia_housekeeping:
@@ -627,6 +666,8 @@ pod:
       octavia_api:
         volumeMounts:
         volumes:
+    octavia_driver_agent:
+      init_container: null
       octavia_driver_agent:
         volumeMounts:
         volumes:
@@ -652,7 +693,7 @@ pod:
         volumes:
   replicas:
     api: 1
-    worker: 1
+    driver_agent: 1
     housekeeping: 1
   lifecycle:
     upgrades:
@@ -792,8 +833,9 @@ manifests:
   configmap_bin: true
   configmap_etc: true
   daemonset_health_manager: true
+  daemonset_worker: true
   deployment_api: true
-  deployment_worker: true
+  deployment_driver_agent: true
   deployment_housekeeping: true
   ingress_api: true
   job_bootstrap: true
diff --git a/releasenotes/notes/octavia-73c0f7c8c13c00a1.yaml b/releasenotes/notes/octavia-73c0f7c8c13c00a1.yaml
new file mode 100644
index 0000000000..424e886721
--- /dev/null
+++ b/releasenotes/notes/octavia-73c0f7c8c13c00a1.yaml
@@ -0,0 +1,8 @@
+---
+octavia:
+  - Run driver agent as a separate deployment on network nodes
+  - Run worker as a daemonset instead of deployment on network nodes
+  - |
+    Worker daemonset creates an interface attached to the
+    Octavia management network to get access to amphora instances
+...
diff --git a/roles/deploy-env/files/calico_patch.yaml b/roles/deploy-env/files/calico_patch.yaml
index 882d4a84f6..0d340a535d 100644
--- a/roles/deploy-env/files/calico_patch.yaml
+++ b/roles/deploy-env/files/calico_patch.yaml
@@ -8,5 +8,5 @@ spec:
             # we need Calico to skip this interface while discovering the
             # network changes on the host to prevent announcing unnecessary networks.
             - name: IP_AUTODETECTION_METHOD
-              value: "skip-interface=br-ex|provider.*|client.*"
+              value: "skip-interface=br-ex|provider.*|client.*|o-hm.*|o-w.*"
 ...
diff --git a/roles/deploy-env/tasks/env_inventory.yaml b/roles/deploy-env/tasks/env_inventory.yaml
new file mode 100644
index 0000000000..eec9381b39
--- /dev/null
+++ b/roles/deploy-env/tasks/env_inventory.yaml
@@ -0,0 +1,31 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+- name: Set cluster device
+  set_fact:
+    default_dev: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['interface'] }}"
+
+- name: Stats
+  shell: |
+    echo {{ default_dev }} > /tmp/inventory_default_dev.txt
+
+    echo -n > /tmp/inventory_k8s_control_plane.txt
+    {% for host in (groups['k8s_control_plane'] | default([])) %}
+      echo {{ hostvars[host].ansible_hostname }} >> /tmp/inventory_k8s_control_plane.txt
+    {% endfor %}
+
+    echo -n > /tmp/inventory_k8s_nodes.txt
+    {% for host in (groups['k8s_nodes'] | default([])) %}
+      echo {{ hostvars[host].ansible_hostname }} >> /tmp/inventory_k8s_nodes.txt
+    {% endfor %}
+...
diff --git a/roles/deploy-env/tasks/main.yaml b/roles/deploy-env/tasks/main.yaml
index 9705890694..21f0e8c2d8 100644
--- a/roles/deploy-env/tasks/main.yaml
+++ b/roles/deploy-env/tasks/main.yaml
@@ -108,4 +108,10 @@
   when:
     - ingress_setup
     - inventory_hostname in (groups['primary'] | default([]))
+
+- name: Include env inventory tasks
+  include_tasks:
+    file: env_inventory.yaml
+  when:
+    - inventory_hostname in (groups['primary'] | default([]))
 ...
diff --git a/roles/deploy-env/tasks/openstack_provider_gateway.yaml b/roles/deploy-env/tasks/openstack_provider_gateway.yaml
index b1ab7b3cc6..67e480b38c 100644
--- a/roles/deploy-env/tasks/openstack_provider_gateway.yaml
+++ b/roles/deploy-env/tasks/openstack_provider_gateway.yaml
@@ -26,6 +26,10 @@
   shell: |
     iptables -t nat -A POSTROUTING -o {{ cluster_default_dev }} -s {{ openstack_provider_network_cidr }} -j MASQUERADE
 
+- name: Set up FORWARD for packets going from VMs
+  shell: |
+    iptables -t filter -I FORWARD -s {{ openstack_provider_network_cidr }} -j ACCEPT
+
 # We use tcp proxy to forward traffic to make it possible to connect
 # to the Openstack public endpoint (managed by Metallb) from VMs.
 - name: Setup TCP proxy
diff --git a/roles/deploy-env/tasks/prerequisites.yaml b/roles/deploy-env/tasks/prerequisites.yaml
index f792336bb6..26295d1ff0 100644
--- a/roles/deploy-env/tasks/prerequisites.yaml
+++ b/roles/deploy-env/tasks/prerequisites.yaml
@@ -35,6 +35,7 @@
       - git
       - git-review
       - gnupg2
+      - htop
       - iptables
       - ipvsadm
       - jq
diff --git a/tools/deployment/common/prepare-bashrc.sh b/tools/deployment/common/prepare-bashrc.sh
new file mode 100755
index 0000000000..5f4137d48f
--- /dev/null
+++ b/tools/deployment/common/prepare-bashrc.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+set -xe
+
+cat >> ${HOME}/.bashrc <<EOF
+export RUN_HELM_TESTS=no
+export OS_CLOUD="openstack_helm"
+export OPENSTACK_RELEASE="${OPENSTACK_RELEASE}"
+export CONTAINER_DISTRO_NAME="${CONTAINER_DISTRO_NAME}"
+export CONTAINER_DISTRO_VERSION="${CONTAINER_DISTRO_VERSION}"
+export FEATURES="${FEATURES}"
+EOF
diff --git a/tools/deployment/component/octavia/180-create-resource-for-octavia.sh b/tools/deployment/component/octavia/180-create-resource-for-octavia.sh
deleted file mode 100755
index 23e1b3a790..0000000000
--- a/tools/deployment/component/octavia/180-create-resource-for-octavia.sh
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/bin/bash
-
-# Copyright 2019 Samsung Electronics Co., Ltd.
-#
-#    Licensed under the Apache License, Version 2.0 (the "License"); you may
-#    not use this file except in compliance with the License. You may obtain
-#    a copy of the License at
-#
-#         http://www.apache.org/licenses/LICENSE-2.0
-#
-#    Unless required by applicable law or agreed to in writing, software
-#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-#    License for the specific language governing permissions and limitations
-#    under the License.
-
-set -xe
-
-export OS_CLOUD=openstack_helm
-
-: ${OSH_LB_SUBNET:="172.31.0.0/24"}
-: ${OSH_LB_SUBNET_START:="172.31.0.2"}
-: ${OSH_LB_SUBNET_END="172.31.0.200"}
-: ${OSH_LB_AMPHORA_IMAGE_NAME:="amphora-x64-haproxy"}
-: ${OSH_AMPHORA_IMAGE_FILE_PATH:=""}
-
-sudo pip3 install python-octaviaclient==1.6.0
-
-# NOTE(hagun.kim): These resources are required to use Octavia service.
-
-# Create Octavia management network and its security group
-openstack network create lb-mgmt-net -f value -c id
-openstack subnet create --subnet-range $OSH_LB_SUBNET --allocation-pool start=$OSH_LB_SUBNET_START,end=$OSH_LB_SUBNET_END --network lb-mgmt-net lb-mgmt-subnet -f value -c id
-openstack security group create lb-mgmt-sec-grp
-openstack security group rule create --protocol icmp lb-mgmt-sec-grp
-openstack security group rule create --protocol tcp --dst-port 22 lb-mgmt-sec-grp
-openstack security group rule create --protocol tcp --dst-port 9443 lb-mgmt-sec-grp
-
-# Create security group for Octavia health manager
-openstack security group create lb-health-mgr-sec-grp
-openstack security group rule create --protocol udp --dst-port 5555 lb-health-mgr-sec-grp
-
-# Create ports for health manager (octavia-health-manager-port-{KUBE_NODE_NAME})
-# octavia-health-manager pod will be run on each controller node as daemonset.
-# The pod will create o-hm0 NIC to each controller node.
-# Each o-hm0 NIC uses the IP of these ports.
-CONTROLLER_IP_PORT_LIST=''
-CTRLS=$(kubectl get nodes -l openstack-control-plane=enabled -o name | awk -F"/" '{print $2}')
-for node in $CTRLS
-do
-  PORTNAME=octavia-health-manager-port-$node
-  openstack port create --security-group lb-health-mgr-sec-grp --device-owner Octavia:health-mgr --host=$node -c id -f value --network lb-mgmt-net $PORTNAME
-  IP=$(openstack port show $PORTNAME -c fixed_ips -f value | awk -F',' '{print $1}' | awk -F'=' '{print $2}' | tr -d \')
-  if [ -z $CONTROLLER_IP_PORT_LIST ]; then
-    CONTROLLER_IP_PORT_LIST=$IP:5555
-  else
-    CONTROLLER_IP_PORT_LIST=$CONTROLLER_IP_PORT_LIST,$IP:5555
-  fi
-done
-
-# Each health manager information should be passed into octavia configuration.
-echo $CONTROLLER_IP_PORT_LIST > /tmp/octavia_hm_controller_ip_port_list
-
-# Create a flavor for amphora instance
-openstack flavor create --id auto --ram 1024 --disk 2 --vcpus 1 --private m1.amphora
-
-# Create key pair to connect amphora instance via management network
-ssh-keygen -b 2048 -t rsa -N '' -f ~/.ssh/octavia_ssh_key
-openstack keypair create --public-key ~/.ssh/octavia_ssh_key.pub octavia_ssh_key
-
-# Create amphora image from file. Default is https://tarballs.openstack.org/octavia/test-images/
-if [ "$OSH_AMPHORA_IMAGE_FILE_PATH" == "" ]; then
-  curl https://tarballs.openstack.org/octavia/test-images/test-only-amphora-x64-haproxy-ubuntu-xenial.qcow2 \
-  -o /tmp/test-only-amphora-x64-haproxy-ubuntu-xenial.qcow2
-
-  OSH_AMPHORA_IMAGE_FILE_PATH=/tmp/test-only-amphora-x64-haproxy-ubuntu-xenial.qcow2
-fi
-
-OSH_AMPHORA_IMAGE_ID=$(openstack image create -f value -c id \
-    --public \
-    --container-format=bare \
-    --disk-format qcow2 < $OSH_AMPHORA_IMAGE_FILE_PATH \
-    $OSH_LB_AMPHORA_IMAGE_NAME)
-openstack image set --tag amphora $OSH_AMPHORA_IMAGE_ID
diff --git a/tools/deployment/component/octavia/200-octavia.sh b/tools/deployment/component/octavia/200-octavia.sh
deleted file mode 100755
index 64442527f5..0000000000
--- a/tools/deployment/component/octavia/200-octavia.sh
+++ /dev/null
@@ -1,121 +0,0 @@
-#!/bin/bash
-
-# Copyright 2019 Samsung Electronics Co., Ltd.
-#
-#    Licensed under the Apache License, Version 2.0 (the "License"); you may
-#    not use this file except in compliance with the License. You may obtain
-#    a copy of the License at
-#
-#         http://www.apache.org/licenses/LICENSE-2.0
-#
-#    Unless required by applicable law or agreed to in writing, software
-#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-#    License for the specific language governing permissions and limitations
-#    under the License.
-
-set -xe
-
-export OS_CLOUD=openstack_helm
-
-: ${OSH_LB_AMPHORA_IMAGE_NAME:="amphora-x64-haproxy"}
-: ${OSH_LB_HM_HOST_PORT:="5555"}
-
-#NOTE: Deploy command
-: ${OSH_EXTRA_HELM_ARGS:=""}
-tee /tmp/octavia.yaml <<EOF
-pod:
-  mounts:
-    octavia_api:
-      octavia_api:
-        volumeMounts:
-          - name: octavia-certs
-            mountPath: /etc/octavia/certs/private/cakey.pem
-            subPath: cakey.pem
-          - name: octavia-certs
-            mountPath: /etc/octavia/certs/ca_01.pem
-            subPath: ca_01.pem
-          - name: octavia-certs
-            mountPath: /etc/octavia/certs/client.pem
-            subPath: client.pem
-        volumes:
-          - name: octavia-certs
-            secret:
-              secretName: octavia-certs
-              defaultMode: 0644
-    octavia_worker:
-      octavia_worker:
-        volumeMounts:
-          - name: octavia-certs
-            mountPath: /etc/octavia/certs/private/cakey.pem
-            subPath: cakey.pem
-          - name: octavia-certs
-            mountPath: /etc/octavia/certs/ca_01.pem
-            subPath: ca_01.pem
-          - name: octavia-certs
-            mountPath: /etc/octavia/certs/client.pem
-            subPath: client.pem
-        volumes:
-          - name: octavia-certs
-            secret:
-              secretName: octavia-certs
-              defaultMode: 0644
-    octavia_housekeeping:
-      octavia_housekeeping:
-        volumeMounts:
-          - name: octavia-certs
-            mountPath: /etc/octavia/certs/private/cakey.pem
-            subPath: cakey.pem
-          - name: octavia-certs
-            mountPath: /etc/octavia/certs/ca_01.pem
-            subPath: ca_01.pem
-          - name: octavia-certs
-            mountPath: /etc/octavia/certs/client.pem
-            subPath: client.pem
-        volumes:
-          - name: octavia-certs
-            secret:
-              secretName: octavia-certs
-              defaultMode: 0644
-    octavia_health_manager:
-      octavia_health_manager:
-        volumeMounts:
-          - name: octavia-certs
-            mountPath: /etc/octavia/certs/private/cakey.pem
-            subPath: cakey.pem
-          - name: octavia-certs
-            mountPath: /etc/octavia/certs/ca_01.pem
-            subPath: ca_01.pem
-          - name: octavia-certs
-            mountPath: /etc/octavia/certs/client.pem
-            subPath: client.pem
-        volumes:
-          - name: octavia-certs
-            secret:
-              secretName: octavia-certs
-              defaultMode: 0644
-conf:
-  octavia:
-    controller_worker:
-      amp_image_owner_id: $(openstack image show $OSH_LB_AMPHORA_IMAGE_NAME -f value -c owner)
-      amp_secgroup_list: $(openstack security group list -f value | grep lb-mgmt-sec-grp | awk '{print $1}')
-      amp_flavor_id: $(openstack flavor show m1.amphora -f value -c id)
-      amp_boot_network_list: $(openstack network list --name lb-mgmt-net -f value -c ID)
-    health_manager:
-      bind_port: $OSH_LB_HM_HOST_PORT
-      bind_ip: 0.0.0.0
-      controller_ip_port_list: $(cat /tmp/octavia_hm_controller_ip_port_list)
-EOF
-helm upgrade --install octavia ./octavia \
-  --namespace=openstack \
-  --values=/tmp/octavia.yaml \
-  ${OSH_EXTRA_HELM_ARGS} \
-  ${OSH_EXTRA_HELM_ARGS_OCTAVIA}
-
-#NOTE: Wait for deploy
-helm osh wait-for-pods openstack
-
-#NOTE: Validate Deployment info
-export OS_CLOUD=openstack_helm
-openstack service list
-sleep 30 #NOTE(portdirect): Wait for ingress controller to update rules and restart Nginx
diff --git a/tools/deployment/component/octavia/create_dual_intermediate_CA.sh b/tools/deployment/component/octavia/create_dual_intermediate_CA.sh
new file mode 100755
index 0000000000..6685800d6e
--- /dev/null
+++ b/tools/deployment/component/octavia/create_dual_intermediate_CA.sh
@@ -0,0 +1,157 @@
+#!/bin/bash
+
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+echo "!!!!!!!!!!!!!!!Do not use this script for deployments!!!!!!!!!!!!!"
+echo "Please use the Octavia Certificate Configuration guide:"
+echo "https://docs.openstack.org/octavia/latest/admin/guides/certificates.html"
+echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+
+# This script produces weak security PKI to save resources in the test gates.
+# It should be modified to use stronger encryption (aes256), better pass
+# phrases, and longer keys (4096).
+# Please see the Octavia Certificate Configuration guide:
+# https://docs.openstack.org/octavia/latest/admin/guides/certificates.html
+
+set -x -e
+
+OPENSSL_CONF="$(readlink -f "$(dirname "$0")")"/openssl.cnf
+
+CA_PATH=dual_ca
+
+rm -rf $CA_PATH
+mkdir $CA_PATH
+chmod 700 $CA_PATH
+cd $CA_PATH
+
+mkdir -p etc/octavia/certs
+chmod 700 etc/octavia/certs
+
+###### Client Root CA
+mkdir client_ca
+cd client_ca
+mkdir certs crl newcerts private
+chmod 700 private
+touch index.txt
+echo 1000 > serial
+
+# Create the client CA private key
+openssl genpkey -algorithm RSA -out private/ca.key.pem -aes-128-cbc -pass pass:not-secure-passphrase
+chmod 400 private/ca.key.pem
+
+# Create the client CA root certificate
+openssl req -config ${OPENSSL_CONF} -key private/ca.key.pem -new -x509 -sha256 -extensions v3_ca -days 7300 -out certs/ca.cert.pem -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=ClientRootCA" -passin pass:not-secure-passphrase
+
+###### Client Intermediate CA
+mkdir intermediate_ca
+mkdir intermediate_ca/certs intermediate_ca/crl intermediate_ca/newcerts intermediate_ca/private
+chmod 700 intermediate_ca/private
+touch intermediate_ca/index.txt
+echo 1000 > intermediate_ca/serial
+
+# Create the client intermediate CA private key
+openssl genpkey -algorithm RSA -out intermediate_ca/private/intermediate.ca.key.pem -aes-128-cbc -pass pass:not-secure-passphrase
+chmod 400 intermediate_ca/private/intermediate.ca.key.pem
+
+# Create the client intermediate CA certificate signing request
+openssl req -config ${OPENSSL_CONF} -key intermediate_ca/private/intermediate.ca.key.pem -new -sha256 -out intermediate_ca/client_intermediate.csr -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=ClientIntermediateCA" -passin pass:not-secure-passphrase
+
+# Create the client intermediate CA certificate
+openssl ca -config ${OPENSSL_CONF} -name CA_intermediate -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate_ca/client_intermediate.csr -out intermediate_ca/certs/intermediate.cert.pem -passin pass:not-secure-passphrase -batch
+
+# Create the client CA certificate chain
+cat intermediate_ca/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate_ca/ca-chain.cert.pem
+
+###### Create the client key and certificate
+openssl genpkey -algorithm RSA -out intermediate_ca/private/controller.key.pem -aes-128-cbc -pass pass:not-secure-passphrase
+chmod 400 intermediate_ca/private/controller.key.pem
+
+# Create the client controller certificate signing request
+openssl req -config ${OPENSSL_CONF} -key intermediate_ca/private/controller.key.pem -new -sha256 -out intermediate_ca/controller.csr -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=OctaviaController" -passin pass:not-secure-passphrase
+
+# Create the client controller certificate
+openssl ca -config ${OPENSSL_CONF} -name CA_intermediate -extensions usr_cert -days 1825 -notext -md sha256 -in intermediate_ca/controller.csr -out intermediate_ca/certs/controller.cert.pem -passin pass:not-secure-passphrase -batch
+
+# Build the cancatenated client cert and key
+openssl rsa -in intermediate_ca/private/controller.key.pem -out intermediate_ca/private/client.cert-and-key.pem -passin pass:not-secure-passphrase
+
+cat intermediate_ca/certs/controller.cert.pem >> intermediate_ca/private/client.cert-and-key.pem
+
+# We are done with the client CA
+cd ..
+
+###### Stash the octavia default client CA cert files
+cp client_ca/intermediate_ca/ca-chain.cert.pem etc/octavia/certs/client_ca.cert.pem
+chmod 444 etc/octavia/certs/client_ca.cert.pem
+cp client_ca/intermediate_ca/private/client.cert-and-key.pem etc/octavia/certs/client.cert-and-key.pem
+chmod 600 etc/octavia/certs/client.cert-and-key.pem
+
+###### Server Root CA
+mkdir server_ca
+cd server_ca
+mkdir certs crl newcerts private
+chmod 700 private
+touch index.txt
+echo 1000 > serial
+
+# Create the server CA private key
+openssl genpkey -algorithm RSA -out private/ca.key.pem -aes-128-cbc -pass pass:not-secure-passphrase
+chmod 400 private/ca.key.pem
+
+# Create the server CA root certificate
+openssl req -config ${OPENSSL_CONF} -key private/ca.key.pem -new -x509 -sha256 -extensions v3_ca -days 7300 -out certs/ca.cert.pem -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=ServerRootCA" -passin pass:not-secure-passphrase
+
+###### Server Intermediate CA
+mkdir intermediate_ca
+mkdir intermediate_ca/certs intermediate_ca/crl intermediate_ca/newcerts intermediate_ca/private
+chmod 700 intermediate_ca/private
+touch intermediate_ca/index.txt
+echo 1000 > intermediate_ca/serial
+
+# Create the server intermediate CA private key
+openssl genpkey -algorithm RSA -out intermediate_ca/private/intermediate.ca.key.pem -aes-128-cbc -pass pass:not-secure-passphrase
+chmod 400 intermediate_ca/private/intermediate.ca.key.pem
+
+# Create the server intermediate CA certificate signing request
+openssl req -config ${OPENSSL_CONF} -key intermediate_ca/private/intermediate.ca.key.pem -new -sha256 -out intermediate_ca/server_intermediate.csr -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=ServerIntermediateCA" -passin pass:not-secure-passphrase
+
+# Create the server intermediate CA certificate
+openssl ca -config ${OPENSSL_CONF} -name CA_intermediate -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate_ca/server_intermediate.csr -out intermediate_ca/certs/intermediate.cert.pem -passin pass:not-secure-passphrase -batch
+
+# Create the server CA certificate chain
+cat intermediate_ca/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate_ca/ca-chain.cert.pem
+
+# We are done with the server CA
+cd ..
+
+###### Stash the octavia default server CA cert files
+cp server_ca/intermediate_ca/ca-chain.cert.pem etc/octavia/certs/server_ca-chain.cert.pem
+chmod 444 etc/octavia/certs/server_ca-chain.cert.pem
+cp server_ca/intermediate_ca/certs/intermediate.cert.pem etc/octavia/certs/server_ca.cert.pem
+chmod 400 etc/octavia/certs/server_ca.cert.pem
+cp server_ca/intermediate_ca/private/intermediate.ca.key.pem etc/octavia/certs/server_ca.key.pem
+chmod 400 etc/octavia/certs/server_ca.key.pem
+
+##### Validate the Octavia PKI files
+set +x
+echo "################# Verifying the Octavia files ###########################"
+openssl verify -CAfile etc/octavia/certs/client_ca.cert.pem etc/octavia/certs/client.cert-and-key.pem
+openssl verify -CAfile etc/octavia/certs/server_ca-chain.cert.pem etc/octavia/certs/server_ca.cert.pem
+
+# We are done, stop enforcing shell errexit
+set +e
+
+echo "!!!!!!!!!!!!!!!Do not use this script for deployments!!!!!!!!!!!!!"
+echo "Please use the Octavia Certificate Configuration guide:"
+echo "https://docs.openstack.org/octavia/latest/admin/guides/certificates.html"
+echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
diff --git a/tools/deployment/component/octavia/heat_octavia_env.yaml b/tools/deployment/component/octavia/heat_octavia_env.yaml
new file mode 100644
index 0000000000..d4bb4a05d3
--- /dev/null
+++ b/tools/deployment/component/octavia/heat_octavia_env.yaml
@@ -0,0 +1,358 @@
+---
+heat_template_version: 2021-04-16
+
+parameters:
+  public_network_name:
+    type: string
+    default: public
+
+  public_physical_network_name:
+    type: string
+    default: public
+
+  public_subnet_name:
+    type: string
+    default: public
+
+  public_subnet_cidr:
+    type: string
+    default: 172.24.4.0/24
+
+  public_subnet_gateway:
+    type: string
+    default: 172.24.4.1
+
+  public_allocation_pool_start:
+    type: string
+    default: 172.24.4.10
+
+  public_allocation_pool_end:
+    type: string
+    default: 172.24.4.254
+
+  private_subnet_cidr:
+    type: string
+    default: 192.168.128.0/24
+
+  dns_nameserver:
+    type: string
+    default: 172.24.4.1
+
+  image_name:
+    type: string
+    default: Ubuntu Jammy
+
+  image_url:
+    type: string
+    default: "https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img"
+
+  ssh_key:
+    type: string
+    default: octavia-key
+
+  compute_flavor_id:
+    type: string
+
+  az_1:
+    type: string
+
+  az_2:
+    type: string
+
+resources:
+  public_net:
+    type: OS::Neutron::ProviderNet
+    properties:
+      name:
+        get_param: public_network_name
+      router_external: true
+      physical_network:
+        get_param: public_physical_network_name
+      network_type: flat
+
+  public_subnet:
+    type: OS::Neutron::Subnet
+    properties:
+      name:
+        get_param: public_subnet_name
+      network:
+        get_resource: public_net
+      cidr:
+        get_param: public_subnet_cidr
+      gateway_ip:
+        get_param: public_subnet_gateway
+      enable_dhcp: false
+      dns_nameservers:
+        - get_param: public_subnet_gateway
+      allocation_pools:
+        - start: {get_param: public_allocation_pool_start}
+          end: {get_param: public_allocation_pool_end}
+
+  private_net:
+    type: OS::Neutron::Net
+
+  private_subnet:
+    type: OS::Neutron::Subnet
+    properties:
+      network:
+        get_resource: private_net
+      cidr:
+        get_param: private_subnet_cidr
+      dns_nameservers:
+        - get_param: dns_nameserver
+
+  image:
+    type: OS::Glance::WebImage
+    properties:
+      name:
+        get_param: image_name
+      location:
+        get_param: image_url
+      container_format: bare
+      disk_format: qcow2
+      min_disk: 3
+      visibility: public
+
+  flavor_vm:
+    type: OS::Nova::Flavor
+    properties:
+      name: m1.test
+      disk: 3
+      ram: 1024
+      vcpus: 2
+
+  wait_handle_1:
+    type: OS::Heat::WaitConditionHandle
+
+  wait_handle_2:
+    type: OS::Heat::WaitConditionHandle
+
+  server_1:
+    type: OS::Nova::Server
+    properties:
+      image:
+        get_resource: image
+      flavor:
+        get_resource: flavor_vm
+      key_name:
+        get_param: ssh_key
+      networks:
+        - port:
+            get_resource: server_port_1
+      user_data_format: RAW
+      user_data:
+        str_replace:
+          template: |
+            #!/bin/bash
+            echo "nameserver $nameserver" > /etc/resolv.conf
+            echo "127.0.0.1 $(hostname)" >> /etc/hosts
+            systemctl stop systemd-resolved
+            systemctl disable systemd-resolved
+            mkdir -p /var/www/html/
+            echo "Hello from server_1: $(hostname)" > /var/www/html/index.html
+            nohup python3 -m http.server 8000 --directory /var/www/html > /dev/null 2>&1 &
+            $wc_notify --data-binary '{ "status": "SUCCESS" }'
+          params:
+            $nameserver: {get_param: dns_nameserver}
+            $wc_notify: {get_attr: ['wait_handle_1', 'curl_cli']}
+      availability_zone: {get_param: az_1}
+
+  wait_server_1:
+    type: OS::Heat::WaitCondition
+    properties:
+      handle: {get_resource: wait_handle_1}
+      timeout: 1200
+
+  server_2:
+    type: OS::Nova::Server
+    properties:
+      image:
+        get_resource: image
+      flavor:
+        get_resource: flavor_vm
+      key_name:
+        get_param: ssh_key
+      networks:
+        - port:
+            get_resource: server_port_2
+      user_data_format: RAW
+      user_data:
+        str_replace:
+          template: |
+            #!/bin/bash
+            echo "nameserver $nameserver" > /etc/resolv.conf
+            echo "127.0.0.1 $(hostname)" >> /etc/hosts
+            systemctl stop systemd-resolved
+            systemctl disable systemd-resolved
+            mkdir -p /var/www/html/
+            echo "Hello from server_2: $(hostname)" > /var/www/html/index.html
+            nohup python3 -m http.server 8000 --directory /var/www/html > /dev/null 2>&1 &
+            $wc_notify --data-binary '{ "status": "SUCCESS" }'
+          params:
+            $nameserver: {get_param: dns_nameserver}
+            $wc_notify: {get_attr: ['wait_handle_2', 'curl_cli']}
+      availability_zone: {get_param: az_2}
+
+  wait_server_2:
+    type: OS::Heat::WaitCondition
+    properties:
+      handle: {get_resource: wait_handle_2}
+      timeout: 1200
+
+  security_group:
+    type: OS::Neutron::SecurityGroup
+    properties:
+      name: default_port_security_group
+      rules:
+        - remote_ip_prefix: 0.0.0.0/0
+          protocol: tcp
+          port_range_min: 22
+          port_range_max: 22
+        - remote_ip_prefix: 0.0.0.0/0
+          protocol: tcp
+          port_range_min: 8000
+          port_range_max: 8000
+        - remote_ip_prefix: 0.0.0.0/0
+          protocol: icmp
+
+  server_port_1:
+    type: OS::Neutron::Port
+    properties:
+      network:
+        get_resource: private_net
+      fixed_ips:
+        - subnet:
+            get_resource: private_subnet
+      security_groups:
+        - get_resource: security_group
+
+  server_floating_ip_1:
+    type: OS::Neutron::FloatingIP
+    properties:
+      floating_network:
+        get_resource: public_net
+      port_id:
+        get_resource: server_port_1
+
+  server_port_2:
+    type: OS::Neutron::Port
+    properties:
+      network:
+        get_resource: private_net
+      fixed_ips:
+        - subnet:
+            get_resource: private_subnet
+      security_groups:
+        - get_resource: security_group
+
+  server_floating_ip_2:
+    type: OS::Neutron::FloatingIP
+    properties:
+      floating_network:
+        get_resource: public_net
+      port_id:
+        get_resource: server_port_2
+
+  router:
+    type: OS::Neutron::Router
+    properties:
+      external_gateway_info:
+        network:
+          get_resource: public_net
+
+  router_interface:
+    type: OS::Neutron::RouterInterface
+    properties:
+      router_id:
+        get_resource: router
+      subnet_id:
+        get_resource: private_subnet
+
+  flavor_profile:
+    type: "OS::Octavia::FlavorProfile"
+    properties:
+      provider_name: amphora
+      flavor_data:
+        str_replace:
+          template: |
+            {
+              "loadbalancer_topology": "SINGLE",
+              "compute_flavor": "%compute_flavor%"
+            }
+          params:
+            "%compute_flavor%": {get_param: compute_flavor_id}
+
+  flavor:
+    type: "OS::Octavia::Flavor"
+    properties:
+      flavor_profile:
+        get_resource: flavor_profile
+
+  loadbalancer:
+    type: "OS::Octavia::LoadBalancer"
+    properties:
+      name: osh
+      provider: amphora
+      vip_subnet:
+        get_resource: private_subnet
+      flavor:
+        get_resource: flavor
+
+  floating_ip:
+    type: OS::Neutron::FloatingIP
+    properties:
+      floating_network: {get_resource: public_net}
+      port_id: {get_attr: [loadbalancer, vip_port_id]}
+
+  listener:
+    type: "OS::Octavia::Listener"
+    properties:
+      protocol_port: 80
+      protocol: "HTTP"
+      loadbalancer:
+        get_resource: loadbalancer
+
+  pool:
+    type: "OS::Octavia::Pool"
+    properties:
+      lb_algorithm: "ROUND_ROBIN"
+      listener:
+        get_resource: listener
+      protocol: "HTTP"
+
+  monitor:
+    type: "OS::Octavia::HealthMonitor"
+    properties:
+      delay: 3
+      max_retries: 9
+      timeout: 3
+      type: "PING"
+      pool:
+        get_resource: pool
+
+  pool_member_1:
+    type: "OS::Octavia::PoolMember"
+    properties:
+      subnet:
+        get_resource: private_subnet
+      protocol_port: 8000
+      pool:
+        get_resource: pool
+      address:
+        get_attr:
+          - "server_1"
+          - "first_address"
+
+  pool_member_2:
+    type: "OS::Octavia::PoolMember"
+    properties:
+      subnet:
+        get_resource: private_subnet
+      protocol_port: 8000
+      pool:
+        get_resource: pool
+      address:
+        get_attr:
+          - "server_2"
+          - "first_address"
+...
diff --git a/tools/deployment/component/octavia/octavia.sh b/tools/deployment/component/octavia/octavia.sh
new file mode 100755
index 0000000000..1d2e9d8607
--- /dev/null
+++ b/tools/deployment/component/octavia/octavia.sh
@@ -0,0 +1,186 @@
+#!/bin/bash
+
+# Copyright 2019 Samsung Electronics Co., Ltd.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+set -xe
+
+#NOTE: Define variables
+: ${OSH_HELM_REPO:="../openstack-helm"}
+: ${OSH_VALUES_OVERRIDES_PATH:="../openstack-helm/values_overrides"}
+: ${OSH_EXTRA_HELM_ARGS_OCTAVIA:="$(helm osh get-values-overrides ${DOWNLOAD_OVERRIDES:-} -p ${OSH_VALUES_OVERRIDES_PATH} -c octavia ${FEATURES})"}
+
+export OS_CLOUD=openstack_helm
+
+OSH_AMPHORA_IMAGE_NAME="amphora-x64-haproxy-ubuntu-jammy"
+OSH_AMPHORA_IMAGE_OWNER_ID=$(openstack image show "${OSH_AMPHORA_IMAGE_NAME}" -f value -c owner)
+OSH_AMPHORA_SECGROUP_LIST=$(openstack security group list -f value | grep lb-mgmt-sec-grp | awk '{print $1}')
+OSH_AMPHORA_FLAVOR_ID=$(openstack flavor show m1.amphora -f value -c id)
+OSH_AMPHORA_BOOT_NETWORK_LIST=$(openstack network list --name lb-mgmt-net -f value -c ID)
+# Test nodes are quite small (usually 8Gb RAM) and for testing Octavia
+# we need two worker VM instances and one amphora VM instance.
+# We are going to run them all on different K8s nodes.
+# The /tmp/inventory_k8s_nodes.txt file is created by the deploy-env role and contains the list
+# of all K8s nodes. Amphora instance is run on the first K8s node from the list.
+OSH_AMPHORA_TARGET_HOSTNAME=$(sed -n '1p' /tmp/inventory_k8s_nodes.txt)
+CONTROLLER_IP_PORT_LIST=$(cat /tmp/octavia_hm_controller_ip_port_list)
+
+#NOTE: Deploy command
+tee /tmp/octavia.yaml <<EOF
+pod:
+  mounts:
+    octavia_api:
+      octavia_api:
+        volumeMounts:
+          - name: octavia-certs
+            mountPath: /etc/octavia/certs/server_ca.cert.pem
+            subPath: server_ca.cert.pem
+          - name: octavia-certs
+            mountPath: /etc/octavia/certs/server_ca-chain.cert.pem
+            subPath: server_ca-chain.cert.pem
+          - name: octavia-certs
+            mountPath: /etc/octavia/certs/private/server_ca.key.pem
+            subPath: server_ca.key.pem
+          - name: octavia-certs
+            mountPath: /etc/octavia/certs/client_ca.cert.pem
+            subPath: client_ca.cert.pem
+          - name: octavia-certs
+            mountPath: /etc/octavia/certs/private/client.cert-and-key.pem
+            subPath: client.cert-and-key.pem
+        volumes:
+          - name: octavia-certs
+            secret:
+              secretName: octavia-certs
+              defaultMode: 0644
+    octavia_worker:
+      octavia_worker:
+        volumeMounts:
+          - name: octavia-certs
+            mountPath: /etc/octavia/certs/server_ca.cert.pem
+            subPath: server_ca.cert.pem
+          - name: octavia-certs
+            mountPath: /etc/octavia/certs/server_ca-chain.cert.pem
+            subPath: server_ca-chain.cert.pem
+          - name: octavia-certs
+            mountPath: /etc/octavia/certs/private/server_ca.key.pem
+            subPath: server_ca.key.pem
+          - name: octavia-certs
+            mountPath: /etc/octavia/certs/client_ca.cert.pem
+            subPath: client_ca.cert.pem
+          - name: octavia-certs
+            mountPath: /etc/octavia/certs/private/client.cert-and-key.pem
+            subPath: client.cert-and-key.pem
+        volumes:
+          - name: octavia-certs
+            secret:
+              secretName: octavia-certs
+              defaultMode: 0644
+    octavia_housekeeping:
+      octavia_housekeeping:
+        volumeMounts:
+          - name: octavia-certs
+            mountPath: /etc/octavia/certs/server_ca.cert.pem
+            subPath: server_ca.cert.pem
+          - name: octavia-certs
+            mountPath: /etc/octavia/certs/server_ca-chain.cert.pem
+            subPath: server_ca-chain.cert.pem
+          - name: octavia-certs
+            mountPath: /etc/octavia/certs/private/server_ca.key.pem
+            subPath: server_ca.key.pem
+          - name: octavia-certs
+            mountPath: /etc/octavia/certs/client_ca.cert.pem
+            subPath: client_ca.cert.pem
+          - name: octavia-certs
+            mountPath: /etc/octavia/certs/private/client.cert-and-key.pem
+            subPath: client.cert-and-key.pem
+        volumes:
+          - name: octavia-certs
+            secret:
+              secretName: octavia-certs
+              defaultMode: 0644
+    octavia_health_manager:
+      octavia_health_manager:
+        volumeMounts:
+          - name: octavia-certs
+            mountPath: /etc/octavia/certs/server_ca.cert.pem
+            subPath: server_ca.cert.pem
+          - name: octavia-certs
+            mountPath: /etc/octavia/certs/server_ca-chain.cert.pem
+            subPath: server_ca-chain.cert.pem
+          - name: octavia-certs
+            mountPath: /etc/octavia/certs/private/server_ca.key.pem
+            subPath: server_ca.key.pem
+          - name: octavia-certs
+            mountPath: /etc/octavia/certs/client_ca.cert.pem
+            subPath: client_ca.cert.pem
+          - name: octavia-certs
+            mountPath: /etc/octavia/certs/private/client.cert-and-key.pem
+            subPath: client.cert-and-key.pem
+        volumes:
+          - name: octavia-certs
+            secret:
+              secretName: octavia-certs
+              defaultMode: 0644
+    octavia_driver_agent:
+      octavia_driver_agent:
+        volumeMounts:
+          - name: octavia-certs
+            mountPath: /etc/octavia/certs/server_ca.cert.pem
+            subPath: server_ca.cert.pem
+          - name: octavia-certs
+            mountPath: /etc/octavia/certs/server_ca-chain.cert.pem
+            subPath: server_ca-chain.cert.pem
+          - name: octavia-certs
+            mountPath: /etc/octavia/certs/private/server_ca.key.pem
+            subPath: server_ca.key.pem
+          - name: octavia-certs
+            mountPath: /etc/octavia/certs/client_ca.cert.pem
+            subPath: client_ca.cert.pem
+          - name: octavia-certs
+            mountPath: /etc/octavia/certs/private/client.cert-and-key.pem
+            subPath: client.cert-and-key.pem
+        volumes:
+          - name: octavia-certs
+            secret:
+              secretName: octavia-certs
+              defaultMode: 0644
+conf:
+  octavia:
+    controller_worker:
+      amp_image_owner_id: ${OSH_AMPHORA_IMAGE_OWNER_ID}
+      amp_secgroup_list: ${OSH_AMPHORA_SECGROUP_LIST}
+      amp_flavor_id: ${OSH_AMPHORA_FLAVOR_ID}
+      amp_boot_network_list: ${OSH_AMPHORA_BOOT_NETWORK_LIST}
+      amp_image_tag: amphora
+      amp_ssh_key_name: octavia-key
+    health_manager:
+      bind_port: 5555
+      bind_ip: 0.0.0.0
+      controller_ip_port_list: ${CONTROLLER_IP_PORT_LIST}
+    task_flow:
+      jobboard_enabled: false
+    nova:
+      availability_zone: nova:${OSH_AMPHORA_TARGET_HOSTNAME}
+EOF
+helm upgrade --install octavia ${OSH_HELM_REPO}/octavia \
+  --namespace=openstack \
+  --values=/tmp/octavia.yaml \
+  ${OSH_EXTRA_HELM_ARGS:=} \
+  ${OSH_EXTRA_HELM_ARGS_OCTAVIA}
+
+#NOTE: Wait for deploy
+helm osh wait-for-pods openstack
+
+#NOTE: Validate Deployment info
+openstack service list
diff --git a/tools/deployment/component/octavia/190-create-octavia-certs.sh b/tools/deployment/component/octavia/octavia_certs.sh
similarity index 64%
rename from tools/deployment/component/octavia/190-create-octavia-certs.sh
rename to tools/deployment/component/octavia/octavia_certs.sh
index bb1b14c89d..52486be450 100755
--- a/tools/deployment/component/octavia/190-create-octavia-certs.sh
+++ b/tools/deployment/component/octavia/octavia_certs.sh
@@ -31,18 +31,17 @@ metadata:
   name: octavia-certs
 type: Opaque
 data:
-   ca_01.pem: $(trim_data /tmp/octavia_certs/ca_01.pem)
-   cakey.pem: $(trim_data /tmp/octavia_certs/private/cakey.pem)
-   client.pem: $(trim_data /tmp/octavia_certs/client.pem)
+  server_ca.cert.pem: $(trim_data dual_ca/etc/octavia/certs/server_ca.cert.pem)
+  server_ca-chain.cert.pem: $(trim_data dual_ca/etc/octavia/certs/server_ca-chain.cert.pem)
+  server_ca.key.pem: $(trim_data dual_ca/etc/octavia/certs/server_ca.key.pem)
+  client_ca.cert.pem: $(trim_data dual_ca/etc/octavia/certs/client_ca.cert.pem)
+  client.cert-and-key.pem: $(trim_data dual_ca/etc/octavia/certs/client.cert-and-key.pem)
 EOF
   }| kubectl apply --namespace openstack -f -
 }
 
-rm -rf /tmp/octavia
-git clone -b stable/stein https://github.com/openstack/octavia.git /tmp/octavia
-cd /tmp/octavia/bin
-
-rm -rf /tmp/octavia_certs
-./create_certificates.sh /tmp/octavia_certs /tmp/octavia/etc/certificates/openssl.cnf
-
-create_secret
+(
+    cd "$(dirname "$0")";
+    ./create_dual_intermediate_CA.sh
+    create_secret
+)
diff --git a/tools/deployment/component/octavia/octavia_resources.sh b/tools/deployment/component/octavia/octavia_resources.sh
new file mode 100755
index 0000000000..00ffd27837
--- /dev/null
+++ b/tools/deployment/component/octavia/octavia_resources.sh
@@ -0,0 +1,116 @@
+#!/bin/bash
+
+# Copyright 2019 Samsung Electronics Co., Ltd.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+set -xe
+
+export OS_CLOUD=openstack_helm
+
+SSH_DIR="${HOME}/.ssh"
+OPENSTACK_CLIENT_CONTAINER_EXTRA_ARGS="${OPENSTACK_CLIENT_CONTAINER_EXTRA_ARGS} -v ${SSH_DIR}:${SSH_DIR} -v /tmp:/tmp"
+export OPENSTACK_CLIENT_CONTAINER_EXTRA_ARGS
+
+: ${OSH_LB_SUBNET:="172.31.0.0/24"}
+: ${OSH_LB_SUBNET_START:="172.31.0.2"}
+: ${OSH_LB_SUBNET_END="172.31.0.200"}
+: ${OSH_AMPHORA_IMAGE_NAME:="amphora-x64-haproxy-ubuntu-jammy"}
+: ${OSH_AMPHORA_IMAGE_FILE:="test-only-amphora-x64-haproxy-ubuntu-jammy.qcow2"}
+: ${OSH_AMPHORA_IMAGE_URL:="https://tarballs.opendev.org/openstack/octavia/test-images/test-only-amphora-x64-haproxy-ubuntu-jammy.qcow2"}
+
+# # This is for debugging, to be able to connect via ssh to the amphora instance from the cluster node
+# # and make the amphora able to connect to Internet.
+# # The /tmp/inventory_default_dev.txt file is created by the deploy-env role and contains
+# # the name of the default interface on a node.
+# sudo iptables -t nat -I POSTROUTING -o $(cat /tmp/inventory_default_dev.txt) -s ${OSH_LB_SUBNET} -j MASQUERADE
+# sudo iptables -t filter -I FORWARD -s ${OSH_LB_SUBNET} -j ACCEPT
+
+# Create Octavia management network and its security group
+openstack network show lb-mgmt-net || \
+    openstack network create lb-mgmt-net -f value -c id
+openstack subnet show lb-mgmt-subnet || \
+    openstack subnet create --subnet-range $OSH_LB_SUBNET --allocation-pool start=$OSH_LB_SUBNET_START,end=$OSH_LB_SUBNET_END --network lb-mgmt-net lb-mgmt-subnet -f value -c id
+openstack security group show lb-mgmt-sec-grp || \
+    { openstack security group create lb-mgmt-sec-grp; \
+      openstack security group rule create --protocol icmp lb-mgmt-sec-grp; \
+      openstack security group rule create --protocol tcp --dst-port 22 lb-mgmt-sec-grp; \
+      openstack security group rule create --protocol tcp --dst-port 9443 lb-mgmt-sec-grp; }
+
+# Create security group for Octavia health manager
+openstack security group show lb-health-mgr-sec-grp || \
+    { openstack security group create lb-health-mgr-sec-grp; \
+      openstack security group rule create --protocol udp --dst-port 5555 lb-health-mgr-sec-grp; }
+
+# Create security group for Octavia worker
+openstack security group show lb-worker-sec-grp || \
+    { openstack security group create lb-worker-sec-grp; }
+
+# Create ports for health manager (octavia-health-manager-port-{KUBE_NODE_NAME})
+# and the same for worker (octavia-worker-port-{KUBE_NODE_NAME})
+# octavia-health-manager and octavia-worker pods will be run on each network node as daemonsets.
+# The pods will create NICs on each network node attached to lb-mgmt-net.
+CONTROLLER_IP_PORT_LIST=''
+CTRLS=$(kubectl get nodes -l openstack-network-node=enabled -o name | awk -F"/" '{print $2}')
+for node in $CTRLS
+do
+  PORTNAME=octavia-health-manager-port-$node
+  openstack port show $PORTNAME || \
+    openstack port create --security-group lb-health-mgr-sec-grp --device-owner Octavia:health-mgr --host=$node -c id -f value --network lb-mgmt-net $PORTNAME
+  IP=$(openstack port show $PORTNAME -f json | jq -r  '.fixed_ips[0].ip_address')
+  if [ -z $CONTROLLER_IP_PORT_LIST ]; then
+    CONTROLLER_IP_PORT_LIST=$IP:5555
+  else
+    CONTROLLER_IP_PORT_LIST=$CONTROLLER_IP_PORT_LIST,$IP:5555
+  fi
+  WORKER_PORTNAME=octavia-worker-port-$node
+  openstack port show $WORKER_PORTNAME || \
+    openstack port create --security-group lb-worker-sec-grp --device-owner Octavia:worker --host=$node -c id -f value --network lb-mgmt-net $WORKER_PORTNAME
+  openstack port show $WORKER_PORTNAME -f json | jq -r  '.fixed_ips[0].ip_address'
+done
+
+# Each health manager information should be passed into octavia configuration.
+echo $CONTROLLER_IP_PORT_LIST > /tmp/octavia_hm_controller_ip_port_list
+
+# Create a flavor for amphora instance
+openstack flavor show m1.amphora || \
+    openstack flavor create --ram 1024 --disk 3 --vcpus 1 m1.amphora
+
+# Create key pair to connect amphora instance via management network
+mkdir -p ${SSH_DIR}
+openstack keypair show octavia-key || \
+  openstack keypair create --private-key ${SSH_DIR}/octavia_key octavia-key
+sudo chown $(id -un) ${SSH_DIR}/octavia_key
+chmod 600 ${SSH_DIR}/octavia_key
+
+# accept diffie-hellman-group1-sha1 algo for SSH (for compatibility with older images)
+sudo tee -a /etc/ssh/ssh_config <<EOF
+    KexAlgorithms +diffie-hellman-group1-sha1
+    HostKeyAlgorithms +ssh-rsa
+    PubkeyAcceptedKeyTypes +ssh-rsa
+EOF
+
+if [ ! -f "/tmp/${OSH_AMPHORA_IMAGE_FILE}" ]; then
+  curl --fail -sSL ${OSH_AMPHORA_IMAGE_URL} -o /tmp/${OSH_AMPHORA_IMAGE_FILE}
+fi
+
+openstack image show ${OSH_AMPHORA_IMAGE_NAME} || \
+    openstack image create -f value -c id \
+    --public \
+    --container-format=bare \
+    --disk-format qcow2 \
+    --min-disk 2 \
+    --file /tmp/${OSH_AMPHORA_IMAGE_FILE} \
+    ${OSH_AMPHORA_IMAGE_NAME}
+OSH_AMPHORA_IMAGE_ID=$(openstack image show ${OSH_AMPHORA_IMAGE_NAME} -f value -c id)
+openstack image set --tag amphora ${OSH_AMPHORA_IMAGE_ID}
diff --git a/tools/deployment/component/octavia/octavia_test.sh b/tools/deployment/component/octavia/octavia_test.sh
new file mode 100755
index 0000000000..ef09d074e1
--- /dev/null
+++ b/tools/deployment/component/octavia/octavia_test.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+set -xe
+
+export OS_CLOUD=openstack_helm
+
+HEAT_DIR="$(readlink -f ./tools/deployment/component/octavia)"
+SSH_DIR="${HOME}/.ssh"
+
+OPENSTACK_CLIENT_CONTAINER_EXTRA_ARGS="${OPENSTACK_CLIENT_CONTAINER_EXTRA_ARGS} -v ${HEAT_DIR}:${HEAT_DIR} -v ${SSH_DIR}:${SSH_DIR}"
+export OPENSTACK_CLIENT_CONTAINER_EXTRA_ARGS
+
+COMPUTE_FLAVOR_ID=$(openstack flavor show -f value -c id m1.amphora)
+# The /tmp/inventory_k8s_nodes.txt file is created by the deploy-env role and contains the list
+# of all K8s nodes. Amphora instance is run on the first K8s node from the list.
+# Worker VM instances are run on the rest of the nodes.
+TARGET_HOST_1=$(sed -n '2p' /tmp/inventory_k8s_nodes.txt)
+TARGET_HOST_2=$(sed -n '3p' /tmp/inventory_k8s_nodes.txt)
+
+openstack stack show "octavia-env" || \
+  openstack stack create --wait \
+    --parameter compute_flavor_id=${COMPUTE_FLAVOR_ID} \
+    --parameter az_1="nova:${TARGET_HOST_1}" \
+    --parameter az_2="nova:${TARGET_HOST_2}" \
+    -t ${HEAT_DIR}/heat_octavia_env.yaml \
+    octavia-env
+
+sleep 30
+
+LB_FLOATING_IP=$(openstack floating ip list --port $(openstack loadbalancer show osh -c vip_port_id -f value) -f value -c "Floating IP Address" | head -n1)
+
+echo -n > /tmp/curl.txt
+curl http://${LB_FLOATING_IP} >> /tmp/curl.txt
+curl http://${LB_FLOATING_IP} >> /tmp/curl.txt
+grep "Hello from server_1" /tmp/curl.txt
+grep "Hello from server_2" /tmp/curl.txt
diff --git a/tools/deployment/component/octavia/openssl.cnf b/tools/deployment/component/octavia/openssl.cnf
new file mode 100644
index 0000000000..fe4cdb4334
--- /dev/null
+++ b/tools/deployment/component/octavia/openssl.cnf
@@ -0,0 +1,144 @@
+# OpenSSL root CA configuration file.
+
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir               = ./
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+RANDFILE          = $dir/private/.rand
+
+# The root key and root certificate.
+private_key       = $dir/private/ca.key.pem
+certificate       = $dir/certs/ca.cert.pem
+
+# For certificate revocation lists.
+crlnumber         = $dir/crlnumber
+crl               = $dir/crl/ca.crl.pem
+crl_extensions    = crl_ext
+default_crl_days  = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha256
+
+name_opt          = ca_default
+cert_opt          = ca_default
+# 10 years
+default_days      = 7300
+preserve          = no
+policy            = policy_strict
+
+[ CA_intermediate ]
+# Directory and file locations.
+dir               = ./intermediate_ca
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+RANDFILE          = $dir/private/.rand
+
+# The root key and root certificate.
+private_key       = ./private/ca.key.pem
+certificate       = ./certs/ca.cert.pem
+
+# For certificate revocation lists.
+crlnumber         = $dir/crlnumber
+crl               = $dir/crl/ca.crl.pem
+crl_extensions    = crl_ext
+default_crl_days  = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha256
+
+name_opt          = ca_default
+cert_opt          = ca_default
+# 5 years
+default_days      = 3650
+preserve          = no
+policy            = policy_strict
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address
+
+# Optionally, specify some defaults.
+countryName_default             = US
+stateOrProvinceName_default     = Oregon
+localityName_default            = Corvallis
+0.organizationName_default      = OpenStack
+organizationalUnitName_default  = Octavia
+emailAddress_default            =
+commonName_default              = example.org
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
diff --git a/values_overrides/octavia/2025.1-ubuntu_jammy.yaml b/values_overrides/octavia/2025.1-ubuntu_jammy.yaml
new file mode 100644
index 0000000000..bc5a0c2f7f
--- /dev/null
+++ b/values_overrides/octavia/2025.1-ubuntu_jammy.yaml
@@ -0,0 +1,23 @@
+---
+images:
+  tags:
+    test: docker.io/xrally/xrally-openstack:2.0.0
+    bootstrap: quay.io/airshipit/heat:2025.1-ubuntu_jammy
+    db_init: quay.io/airshipit/heat:2025.1-ubuntu_jammy
+    octavia_db_sync: quay.io/airshipit/octavia:2025.1-ubuntu_jammy
+    db_drop: quay.io/airshipit/heat:2025.1-ubuntu_jammy
+    rabbit_init: docker.io/rabbitmq:3.13-management
+    ks_user: quay.io/airshipit/heat:2025.1-ubuntu_jammy
+    ks_service: quay.io/airshipit/heat:2025.1-ubuntu_jammy
+    ks_endpoints: quay.io/airshipit/heat:2025.1-ubuntu_jammy
+    dep_check: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_jammy
+    image_repo_sync: docker.io/docker:17.07.0
+    octavia_api: quay.io/airshipit/octavia:2025.1-ubuntu_jammy
+    octavia_driver_agent: quay.io/airshipit/octavia:2025.1-ubuntu_jammy
+    octavia_worker: quay.io/airshipit/octavia:2025.1-ubuntu_jammy
+    octavia_worker_init: quay.io/airshipit/openstack-client:2025.1-ubuntu_jammy
+    octavia_housekeeping: quay.io/airshipit/octavia:2025.1-ubuntu_jammy
+    octavia_health_manager: quay.io/airshipit/octavia:2025.1-ubuntu_jammy
+    octavia_health_manager_init: quay.io/airshipit/openstack-client:2025.1-ubuntu_jammy
+    openvswitch_vswitchd: docker.io/openstackhelm/openvswitch:latest-ubuntu_jammy
+...
diff --git a/values_overrides/octavia/2025.1-ubuntu_noble.yaml b/values_overrides/octavia/2025.1-ubuntu_noble.yaml
new file mode 100644
index 0000000000..5098da3d57
--- /dev/null
+++ b/values_overrides/octavia/2025.1-ubuntu_noble.yaml
@@ -0,0 +1,23 @@
+---
+images:
+  tags:
+    test: docker.io/xrally/xrally-openstack:2.0.0
+    bootstrap: quay.io/airshipit/heat:2025.1-ubuntu_noble
+    db_init: quay.io/airshipit/heat:2025.1-ubuntu_noble
+    octavia_db_sync: quay.io/airshipit/octavia:2025.1-ubuntu_noble
+    db_drop: quay.io/airshipit/heat:2025.1-ubuntu_noble
+    rabbit_init: docker.io/rabbitmq:3.13-management
+    ks_user: quay.io/airshipit/heat:2025.1-ubuntu_noble
+    ks_service: quay.io/airshipit/heat:2025.1-ubuntu_noble
+    ks_endpoints: quay.io/airshipit/heat:2025.1-ubuntu_noble
+    dep_check: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_noble
+    image_repo_sync: docker.io/docker:17.07.0
+    octavia_api: quay.io/airshipit/octavia:2025.1-ubuntu_noble
+    octavia_driver_agent: quay.io/airshipit/octavia:2025.1-ubuntu_noble
+    octavia_worker: quay.io/airshipit/octavia:2025.1-ubuntu_noble
+    octavia_worker_init: quay.io/airshipit/openstack-client:2025.1-ubuntu_noble
+    octavia_housekeeping: quay.io/airshipit/octavia:2025.1-ubuntu_noble
+    octavia_health_manager: quay.io/airshipit/octavia:2025.1-ubuntu_noble
+    octavia_health_manager_init: quay.io/airshipit/openstack-client:2025.1-ubuntu_noble
+    openvswitch_vswitchd: docker.io/openstackhelm/openvswitch:latest-ubuntu_noble
+...
diff --git a/zuul.d/2025.1.yaml b/zuul.d/2025.1.yaml
index 0de0cdb316..e38281fbe8 100644
--- a/zuul.d/2025.1.yaml
+++ b/zuul.d/2025.1.yaml
@@ -63,4 +63,15 @@
         openstack_release: "2025.1"
         container_distro_name: ubuntu
         container_distro_version: noble
+
+- job:
+    name: openstack-helm-octavia-2025-1-ubuntu_jammy
+    parent: openstack-helm-octavia
+    nodeset: openstack-helm-4nodes-ubuntu_jammy
+    timeout: 10800
+    vars:
+      osh_params:
+        openstack_release: "2025.1"
+        container_distro_name: ubuntu
+        container_distro_version: jammy
 ...
diff --git a/zuul.d/base.yaml b/zuul.d/base.yaml
index 7563cf1931..99660f7a0a 100644
--- a/zuul.d/base.yaml
+++ b/zuul.d/base.yaml
@@ -126,6 +126,7 @@
     abstract: true
     vars:
       gate_scripts:
+        - ./tools/deployment/common/prepare-bashrc.sh
         - ./tools/deployment/common/prepare-k8s.sh
         - ./tools/deployment/common/prepare-charts.sh
         - ./tools/deployment/common/setup-client.sh
@@ -151,6 +152,7 @@
     abstract: true
     vars:
       gate_scripts:
+        - ./tools/deployment/common/prepare-bashrc.sh
         - ./tools/deployment/common/prepare-k8s.sh
         - ./tools/deployment/common/prepare-charts.sh
         - ./tools/deployment/common/setup-client.sh
@@ -177,6 +179,7 @@
     abstract: true
     vars:
       gate_scripts:
+        - ./tools/deployment/common/prepare-bashrc.sh
         - ./tools/deployment/common/prepare-k8s.sh
         - ./tools/deployment/common/prepare-charts.sh
         - ./tools/deployment/common/setup-client.sh
@@ -202,6 +205,7 @@
     vars:
       osh_helm_repo: openstack-helm
       gate_scripts:
+        - ./tools/deployment/common/prepare-bashrc.sh
         - ./tools/deployment/common/prepare-k8s.sh
         - ./tools/deployment/common/prepare-charts.sh
         - ./tools/deployment/common/prepare-helm-repos-local.sh
@@ -230,6 +234,7 @@
       osh_helm_repo: openstack-helm
       download_overrides: "-d"
       gate_scripts:
+        - ./tools/deployment/common/prepare-bashrc.sh
         - ./tools/deployment/common/prepare-k8s.sh
         - ./tools/deployment/common/prepare-charts.sh
         - ./tools/deployment/common/prepare-helm-repos-public.sh
@@ -256,6 +261,7 @@
     abstract: true
     vars:
       gate_scripts:
+        - ./tools/deployment/common/prepare-bashrc.sh
         - ./tools/deployment/common/prepare-k8s.sh
         - ./tools/deployment/common/prepare-charts.sh
         - ./tools/deployment/common/setup-client.sh
@@ -285,6 +291,7 @@
       - ^zuul\.d/.*$
     vars:
       gate_scripts:
+        - ./tools/deployment/common/prepare-bashrc.sh
         - ./tools/deployment/common/prepare-k8s.sh
         - ./tools/deployment/common/prepare-charts.sh
         - ./tools/deployment/common/setup-client.sh
@@ -305,6 +312,7 @@
       - ^tools/deployment/component/cinder/.*$
     vars:
       gate_scripts:
+        - ./tools/deployment/common/prepare-bashrc.sh
         - ./tools/deployment/common/prepare-k8s.sh
         - ./tools/deployment/common/prepare-charts.sh
         - ./tools/deployment/common/setup-client.sh
@@ -329,6 +337,7 @@
       - ^tools/deployment/ceph/.*$
     vars:
       gate_scripts:
+        - ./tools/deployment/common/prepare-bashrc.sh
         - ./tools/deployment/common/prepare-k8s.sh
         - ./tools/deployment/common/prepare-charts.sh
         - ./tools/deployment/common/setup-client.sh
@@ -364,6 +373,7 @@
     vars:
       run_helm_tests: "yes"
       gate_scripts:
+        - ./tools/deployment/common/prepare-bashrc.sh
         - ./tools/deployment/common/prepare-k8s.sh
         - ./tools/deployment/common/prepare-charts.sh
         - ./tools/deployment/common/setup-client.sh
@@ -384,6 +394,7 @@
       - ^tools/deployment/component/horizon/.*$
     vars:
       gate_scripts:
+        - ./tools/deployment/common/prepare-bashrc.sh
         - ./tools/deployment/common/prepare-k8s.sh
         - ./tools/deployment/common/prepare-charts.sh
         - ./tools/deployment/common/setup-client.sh
@@ -403,6 +414,7 @@
     voting: false
     vars:
       gate_scripts:
+        - ./tools/deployment/common/prepare-bashrc.sh
         - ./tools/deployment/common/prepare-k8s.sh
         - ./tools/deployment/common/prepare-charts.sh
         - ./tools/deployment/common/setup-client.sh
@@ -434,6 +446,7 @@
     timeout: 7200
     vars:
       gate_scripts:
+        - ./tools/deployment/common/prepare-bashrc.sh
         - ./tools/deployment/common/prepare-k8s.sh
         - ./tools/deployment/common/prepare-charts.sh
         - ./tools/deployment/common/setup-client.sh
@@ -453,10 +466,11 @@
 
 - job:
     name: openstack-helm-skyline
-    parent: openstack-helm-compute-kit
+    parent: openstack-helm-deploy
     timeout: 10800
     vars:
       gate_scripts:
+        - ./tools/deployment/common/prepare-bashrc.sh
         - ./tools/deployment/common/prepare-k8s.sh
         - ./tools/deployment/common/prepare-charts.sh
         - ./tools/deployment/common/setup-client.sh
@@ -471,4 +485,29 @@
         - ./tools/deployment/component/compute-kit/compute-kit.sh
         - ./tools/deployment/component/skyline/skyline.sh
         - ./tools/gate/selenium/skyline-selenium.sh
+
+- job:
+    name: openstack-helm-octavia
+    parent: openstack-helm-deploy
+    timeout: 10800
+    vars:
+      gate_scripts:
+        - ./tools/deployment/common/prepare-bashrc.sh
+        - ./tools/deployment/common/prepare-k8s.sh
+        - ./tools/deployment/common/prepare-charts.sh
+        - ./tools/deployment/common/setup-client.sh
+        - export VOLUME_HELM_ARGS="--set volume.enabled=false"; ./tools/deployment/component/common/rabbitmq.sh
+        - ./tools/deployment/db/mariadb.sh
+        - ./tools/deployment/component/common/memcached.sh
+        - ./tools/deployment/component/keystone/keystone.sh
+        - ./tools/deployment/component/heat/heat.sh
+        - export GLANCE_BACKEND=local; ./tools/deployment/component/glance/glance.sh
+        - ./tools/deployment/component/compute-kit/openvswitch.sh
+        - ./tools/deployment/component/compute-kit/libvirt.sh
+        - ./tools/deployment/component/compute-kit/compute-kit.sh
+        - ./tools/deployment/component/barbican/barbican.sh
+        - ./tools/deployment/component/octavia/octavia_resources.sh
+        - ./tools/deployment/component/octavia/octavia_certs.sh
+        - ./tools/deployment/component/octavia/octavia.sh
+        - ./tools/deployment/component/octavia/octavia_test.sh
 ...
diff --git a/zuul.d/nodesets.yaml b/zuul.d/nodesets.yaml
index 4f09233828..30c3672efb 100644
--- a/zuul.d/nodesets.yaml
+++ b/zuul.d/nodesets.yaml
@@ -193,6 +193,41 @@
         nodes:
           - primary
 
+- nodeset:
+    name: openstack-helm-4nodes-ubuntu_jammy
+    nodes:
+      - name: primary
+        label: ubuntu-jammy
+      - name: node-1
+        label: ubuntu-jammy
+      - name: node-2
+        label: ubuntu-jammy
+      - name: node-3
+        label: ubuntu-jammy
+    groups:
+      - name: primary
+        nodes:
+          - primary
+      - name: nodes
+        nodes:
+          - node-1
+          - node-2
+          - node-3
+      - name: k8s_cluster
+        nodes:
+          - primary
+          - node-1
+          - node-2
+          - node-3
+      - name: k8s_control_plane
+        nodes:
+          - primary
+      - name: k8s_nodes
+        nodes:
+          - node-1
+          - node-2
+          - node-3
+
 - nodeset:
     name: openstack-helm-5nodes-ubuntu_jammy
     nodes:
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index 188135174e..4f46ca432c 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -38,6 +38,7 @@
         - openstack-helm-cinder-2025-1-ubuntu_jammy  # 3 nodes rook
         - openstack-helm-compute-kit-2025-1-ubuntu_jammy  # 1 node + 3 nodes
         - openstack-helm-skyline-2025-1-ubuntu_jammy  # 3 nodes
+        - openstack-helm-octavia-2025-1-ubuntu_jammy  # 4 nodes
         # 2025.1 Ubuntu Noble
         - openstack-helm-cinder-2025-1-ubuntu_noble  # 5 nodes rook
         - openstack-helm-compute-kit-2025-1-ubuntu_noble  # 1 node + 3 nodes