diff --git a/manifests/agents/metadata.pp b/manifests/agents/metadata.pp
index 944863308..512529118 100644
--- a/manifests/agents/metadata.pp
+++ b/manifests/agents/metadata.pp
@@ -8,10 +8,12 @@
 # (required) Shared secret to validate proxies Neutron metadata requests.
 #
 # [*package_ensure*]
-# Ensure state of the package. Defaults to 'present'.
+# (optional) Ensure state of the package.
+# Defaults to 'present'.
 #
 # [*enabled*]
-# State of the service. Defaults to true.
+# (optional) State of the service.
+# Defaults to true.
 #
 # [*manage_service*]
 # (optional) Whether to start/stop the service
@@ -21,31 +23,38 @@
 # Debug. Defaults to $facts['os_service_default'].
 #
 # [*auth_ca_cert*]
-# CA cert to check against with for ssl keystone. (Defaults to $facts['os_service_default'])
+# (optionall) CA cert to check against with for ssl keystone.
+# Defaults to $facts['os_service_default']
 #
 # [*nova_client_cert*]
-# Client certificate for nova metadata api server. (Defaults to $facts['os_service_default'])
+# (optionall) Client certificate for nova metadata api server.
+# Defaults to $facts['os_service_default']
 #
 # [*nova_client_priv_key*]
-# Private key of client certificate. (Defaults to $facts['os_service_default'])
+# (optionall) Private key of client certificate.
+# Defaults to $facts['os_service_default']
 #
 # [*metadata_host*]
-# The hostname of the metadata service. Defaults to $facts['os_service_default'].
+# (optionall) The hostname of the metadata service.
+# Defaults to $facts['os_service_default']
 #
 # [*metadata_port*]
-# The TCP port of the metadata service. Defaults to $facts['os_service_default'].
+# (optionall) The TCP port of the metadata service.
+# Defaults to $facts['os_service_default']
 #
 # [*metadata_protocol*]
-# The protocol to use for requests to Nova metadata server. Defaults to $facts['os_service_default'].
+# (optionall) The protocol to use for requests to Nova metadata server.
+# Defaults to $facts['os_service_default']
 #
 # [*metadata_workers*]
 # (optional) Number of separate worker processes to spawn. Greater than 0
 # launches that number of child processes as workers. The parent process
 # manages them.
-# Defaults to: $facts['os_workers']
+# Defaults to $facts['os_workers']
 #
 # [*metadata_backlog*]
-# (optional) Number of backlog requests to configure the metadata server socket with.
+# (optional) Number of backlog requests to configure the metadata server
+# socket with.
 # Defaults to $facts['os_service_default']
 #
 # [*metadata_insecure*]
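Review bot: The rewritten descriptions for auth_ca_cert, nova_client_cert, nova_client_priv_key, metadata_host, metadata_port and metadata_protocol all carry the misspelling `(optionall)`, while the neighbouring entries (manage_service, metadata_workers, metadata_backlog) use `(optional)`; each should read e.g. `# (optional) CA cert to check against with for ssl keystone.`. The same misspelling is repeated in the header of the new manifests/agents/ml2/ovn/metadata.pp and in the @@ -18,31 hunk of manifests/agents/ovn_metadata.pp, so it is worth fixing in all three. While here, the new `Defaults to $facts['os_service_default']` lines drop the trailing period that the debug entry at the top of this hunk keeps, so the block now mixes both forms.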
@@ -81,14 +90,14 @@ class neutron::agents::metadata (
 Boolean $manage_service = true,
 $debug = $facts['os_service_default'],
 $auth_ca_cert = $facts['os_service_default'],
+ $nova_client_cert = $facts['os_service_default'],
+ $nova_client_priv_key = $facts['os_service_default'],
 $metadata_host = $facts['os_service_default'],
 $metadata_port = $facts['os_service_default'],
 $metadata_protocol = $facts['os_service_default'],
 $metadata_workers = $facts['os_workers'],
 $metadata_backlog = $facts['os_service_default'],
 $metadata_insecure = $facts['os_service_default'],
- $nova_client_cert = $facts['os_service_default'],
- $nova_client_priv_key = $facts['os_service_default'],
 $report_interval = $facts['os_service_default'],
 $rpc_response_max_timeout = $facts['os_service_default'],
 Boolean $purge_config = false,
@@ -110,6 +119,8 @@ class neutron::agents::metadata (
 neutron_metadata_agent_config {
 'DEFAULT/debug': value => $debug;
 'DEFAULT/auth_ca_cert': value => $auth_ca_cert;
+ 'DEFAULT/nova_client_cert': value => $nova_client_cert;
+ 'DEFAULT/nova_client_priv_key': value => $nova_client_priv_key;
 'DEFAULT/nova_metadata_host': value => $metadata_host;
 'DEFAULT/nova_metadata_port': value => $metadata_port;
 'DEFAULT/nova_metadata_protocol': value => $metadata_protocol;
@@ -117,8 +128,6 @@ class neutron::agents::metadata (
 'DEFAULT/metadata_proxy_shared_secret': value => $shared_secret, secret => true;
 'DEFAULT/metadata_workers': value => $metadata_workers;
 'DEFAULT/metadata_backlog': value => $metadata_backlog;
- 'DEFAULT/nova_client_cert': value => $nova_client_cert;
- 'DEFAULT/nova_client_priv_key': value => $nova_client_priv_key;
 'agent/report_interval': value => $report_interval;
 'DEFAULT/rpc_response_max_timeout': value => $rpc_response_max_timeout;
 }
diff --git a/manifests/agents/ml2/ovn/metadata.pp b/manifests/agents/ml2/ovn/metadata.pp
new file mode 100644
index 000000000..1ca0d1ef3
--- /dev/null
+++ b/manifests/agents/ml2/ovn/metadata.pp
@@ -0,0 +1,87 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: neutron::agents:ml2::ovn::metadata
+#
+# Setups metadata extension options for ovn agent
+#
+# === Parameters
+#
+# [*shared_secret*]
+# (required) Shared secret to validate proxies Neutron metadata requests.
+#
+# [*auth_ca_cert*]
+# (optionall) CA cert to check against with for ssl keystone.
+# Defaults to $facts['os_service_default']
+#
+# [*nova_client_cert*]
+# (optionall) Client certificate for nova metadata api server.
+# Defaults to $facts['os_service_default']
+#
+# [*nova_client_priv_key*]
+# (optionall) Private key of client certificate.
+# Defaults to $facts['os_service_default']
+#
+# [*metadata_host*]
+# (optionall) The hostname of the metadata service.
+# Defaults to $facts['os_service_default']
+#
+# [*metadata_port*]
+# (optionall) The TCP port of the metadata service.
+# Defaults to $facts['os_service_default']
+#
+# [*metadata_protocol*]
+# (optionall) The protocol to use for requests to Nova metadata server.
+# Defaults to $facts['os_service_default']
+#
+# [*metadata_workers*]
+# (optional) Number of separate worker processes to spawn. Greater than 0
+# launches that number of child processes as workers. The parent process
+# manages them.
+# Defaults to $facts['os_service_default']
+#
+# [*metadata_backlog*]
+# (optional) Number of backlog requests to configure the metadata server
+# socket with.
+# Defaults to $facts['os_service_default']
+#
+# [*metadata_insecure*]
+# (optional) Allow to perform insecure SSL (https) requests to nova metadata.
+# Defaults to $facts['os_service_default']
+#
+class neutron::agents::ml2::ovn::metadata (
+ $shared_secret,
+ $auth_ca_cert = $facts['os_service_default'],
+ $nova_client_cert = $facts['os_service_default'],
+ $nova_client_priv_key = $facts['os_service_default'],
+ $metadata_host = $facts['os_service_default'],
+ $metadata_port = $facts['os_service_default'],
+ $metadata_protocol = $facts['os_service_default'],
+ $metadata_workers = $facts['os_service_default'],
+ $metadata_backlog = $facts['os_service_default'],
+ $metadata_insecure = $facts['os_service_default'],
+) {
+ include neutron::deps
+
+ neutron_agent_ovn {
+ 'DEFAULT/auth_ca_cert': value => $auth_ca_cert;
+ 'DEFAULT/nova_client_cert': value => $nova_client_cert;
+ 'DEFAULT/nova_client_priv_key': value => $nova_client_priv_key;
+ 'DEFAULT/nova_metadata_host': value => $metadata_host;
+ 'DEFAULT/nova_metadata_port': value => $metadata_port;
+ 'DEFAULT/nova_metadata_protocol': value => $metadata_protocol;
+ 'DEFAULT/metadata_proxy_shared_secret': value => $shared_secret, secret => true;
+ 'DEFAULT/metadata_workers': value => $metadata_workers;
+ 'DEFAULT/metadata_backlog': value => $metadata_backlog;
+ 'DEFAULT/nova_metadata_insecure': value => $metadata_insecure;
+ }
+}
diff --git a/manifests/agents/ml2/ovn/metadata_rate_limiting.pp b/manifests/agents/ml2/ovn/metadata_rate_limiting.pp
new file mode 100644
index 000000000..481a58db9
--- /dev/null
+++ b/manifests/agents/ml2/ovn/metadata_rate_limiting.pp
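Review bot: The doc header names the class `neutron::agents:ml2::ovn::metadata` with a single colon between `agents` and `ml2`, while the declaration below is `neutron::agents::ml2::ovn::metadata`; the header line should be `# == Class: neutron::agents::ml2::ovn::metadata`. The same slip is in the header of the new metadata_rate_limiting.pp. Separately, `$metadata_workers` defaults here to `$facts['os_service_default']` whereas neutron::agents::metadata in this same commit defaults it to `$facts['os_workers']`; if the difference is deliberate for the OVN agent, a one-line comment above the parameter saying so would stop it reading as a copy-paste inconsistency.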
@@ -0,0 +1,62 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: neutron::agents:ml2::ovn::metadata_rate_limiting
+#
+# Setups metadata ratelimit options for ovn agent
+#
+# === Parameters
+#
+# [*rate_limit_enabled*]
+# (Optional) Enable rate limiting on the metadata API.
+# Defaults to $facts['os_service_default'].
+#
+# [*ip_versions*]
+# (Optional) List of the metadata address IP versions for which rate limiting
+# will be enabled.
+# Defaults to $facts['os_service_default'].
+#
+# [*base_window_duration*]
+# (Optional) Duration (seconds) of the base window on the metadata API.
+# Defaults to $facts['os_service_default'].
+#
+# [*base_query_rate_limit*]
+# (Optional) Max number of queries to accept during the base window.
+# Defaults to $facts['os_service_default'].
+#
+# [*burst_window_duration*]
+# (Optional) Duration (seconds) of the burst window on the metadata API.
+# Defaults to $facts['os_service_default'].
+#
+# [*burst_query_rate_limit*]
+# (Optional) Max number of queries to accept during the burst window.
+# Defaults to $facts['os_service_default'].
+#
+class neutron::agents::ml2::ovn::metadata_rate_limiting (
+ $rate_limit_enabled = $facts['os_service_default'],
+ $ip_versions = $facts['os_service_default'],
+ $base_window_duration = $facts['os_service_default'],
+ $base_query_rate_limit = $facts['os_service_default'],
+ $burst_window_duration = $facts['os_service_default'],
+ $burst_query_rate_limit = $facts['os_service_default'],
+) {
+ include neutron::deps
+
+ neutron_agent_ovn {
+ 'metadata_rate_limiting/rate_limit_enabled': value => $rate_limit_enabled;
+ 'metadata_rate_limiting/ip_versions': value => join(any2array($ip_versions), ',');
+ 'metadata_rate_limiting/base_window_duration': value => $base_window_duration;
+ 'metadata_rate_limiting/base_query_rate_limit': value => $base_query_rate_limit;
+ 'metadata_rate_limiting/burst_window_duration': value => $burst_window_duration;
+ 'metadata_rate_limiting/burst_query_rate_limit': value => $burst_query_rate_limit;
+ }
+}
diff --git a/manifests/agents/ovn_metadata.pp b/manifests/agents/ovn_metadata.pp
index fac8fbdfa..d3819b965 100644
--- a/manifests/agents/ovn_metadata.pp
+++ b/manifests/agents/ovn_metadata.pp
@@ -18,31 +18,31 @@
 # Defaults to true
 #
 # [*debug*]
-# Debug. Defaults to $facts['os_service_default'].
+# (optional) Debug. Defaults to $facts['os_service_default'].
 #
 # [*auth_ca_cert*]
-# CA cert to check against with for ssl keystone.
-# Defaults to $facts['os_service_default'].
+# (optionall) CA cert to check against with for ssl keystone.
+# Defaults to $facts['os_service_default']
 #
 # [*nova_client_cert*]
-# Client certificate for nova metadata api server.
-# Defaults to $facts['os_service_default'].
+# (optionall) Client certificate for nova metadata api server.
+# Defaults to $facts['os_service_default']
 #
 # [*nova_client_priv_key*]
-# Private key of client certificate.
-# Defaults to $facts['os_service_default'].
+# (optionall) Private key of client certificate.
+# Defaults to $facts['os_service_default']
 #
 # [*metadata_host*]
-# The hostname of the metadata service.
-# Defaults to $facts['os_service_default'].
+# (optionall) The hostname of the metadata service.
+# Defaults to $facts['os_service_default']
 #
 # [*metadata_port*]
-# The TCP port of the metadata service.
-# Defaults to $facts['os_service_default'].
+# (optionall) The TCP port of the metadata service.
+# Defaults to $facts['os_service_default']
 #
 # [*metadata_protocol*]
-# The protocol to use for requests to Nova metadata server.
-# Defaults to $facts['os_service_default'].
+# (optionall) The protocol to use for requests to Nova metadata server.
+# Defaults to $facts['os_service_default']
 #
 # [*metadata_workers*]
 # (optional) Number of separate worker processes to spawn. Greater than 0
@@ -51,7 +51,8 @@
 # Defaults to: $facts['os_service_defaut']
 #
 # [*metadata_backlog*]
-# (optional) Number of backlog requests to configure the metadata server socket with.
+# (optional) Number of backlog requests to configure the metadata server
+# socket with.
 # Defaults to $facts['os_service_default']
 #
 # [*metadata_insecure*]
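Review bot: The metadata_workers entry at the top of the @@ -51,7 hunk still reads `# Defaults to: $facts['os_service_defaut']` on its first context line, with a misspelled fact name and the `Defaults to:` colon form that this commit removes elsewhere (the metadata_workers entry in metadata.pp). Since the commit already rewrites the neighbouring metadata_backlog lines, it could fix this one too. Assuming the parameter's real default is `$facts['os_service_default']`, which the hunk does not show, the line should read `# Defaults to $facts['os_service_default']`.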
@@ -63,8 +64,8 @@
 # Defaults to 'tcp:127.0.0.1:6640'
 #
 # [*ovs_manager*]
-# The manager target that will be set to OVS so that the metadata agent can
-# connect to.
+# (optional) The manager target that will be set to OVS so that the metadata
+# agent can connect to.
 # Defaults to 'ptcp:6640:127.0.0.1'
 #
 # [*ovn_sb_connection*]
@@ -99,14 +100,14 @@
 # Defaults to $facts['os_service_default'].
 #
 # [*root_helper*]
-# (optional) Use "sudo neutron-rootwrap /etc/neutron/rootwrap.conf" to use the real
-# root filter facility. Change to "sudo" to skip the filtering and just run the command
-# directly
-# Defaults to 'sudo neutron-rootwrap /etc/neutron/rootwrap.conf'.
+# (optional) Use "sudo neutron-rootwrap /etc/neutron/rootwrap.conf" to use
+# the real root filter facility. Change to "sudo" to skip the filtering and
+# just run the command directly
+# Defaults to 'sudo neutron-rootwrap /etc/neutron/rootwrap.conf'.
 #
 # [*root_helper_daemon*]
-# (optional) Root helper daemon application to use when possible.
-# Defaults to $facts['os_service_default'].
+# (optional) Root helper daemon application to use when possible.
+# Defaults to $facts['os_service_default'].
 #
 # [*state_path*]
 # (optional) Where to store state files. This directory must be writable
@@ -161,10 +162,10 @@ class neutron::agents::ovn_metadata (
 'DEFAULT/nova_metadata_host': value => $metadata_host;
 'DEFAULT/nova_metadata_port': value => $metadata_port;
 'DEFAULT/nova_metadata_protocol': value => $metadata_protocol;
- 'DEFAULT/nova_metadata_insecure': value => $metadata_insecure;
 'DEFAULT/metadata_proxy_shared_secret': value => $shared_secret, secret => true;
 'DEFAULT/metadata_workers': value => $metadata_workers;
 'DEFAULT/metadata_backlog': value => $metadata_backlog;
+ 'DEFAULT/nova_metadata_insecure': value => $metadata_insecure;
 'DEFAULT/nova_client_cert': value => $nova_client_cert;
 'DEFAULT/nova_client_priv_key': value => $nova_client_priv_key;
 'DEFAULT/state_path': value => $state_path;
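Review bot: The rewrapped root_helper description in the @@ -99,14 hunk still says `Change to "sudo" to skip the filtering and just run the command directly` without stating what is given up: the line before calls rootwrap the real root filter facility, so plain sudo means the agent's privileged commands run as root with no command filtering at all, which a reader choosing the value should be told. Suggest adding after the `just run the command directly` line: `# Note that plain "sudo" disables the rootwrap command filtering; only use it` / `# where that loss of restriction is acceptable.` The root_helper_daemon pair is removed and re-added with no visible wording change, so presumably only whitespace differs there.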
diff --git a/spec/classes/neutron_agents_ml2_ovn_metadata_ratelimiting_spec.rb b/spec/classes/neutron_agents_ml2_ovn_metadata_ratelimiting_spec.rb
new file mode 100644
index 000000000..5463f38f5
--- /dev/null
+++ b/spec/classes/neutron_agents_ml2_ovn_metadata_ratelimiting_spec.rb
@@ -0,0 +1,49 @@
+require 'spec_helper'
+
+describe 'neutron::agents::ml2::ovn::metadata_rate_limiting' do
+ shared_examples 'neutron::agents::ml2::ovn::metadata_rate_limiting' do
+ context 'with defaults' do
+ it 'configures the default values' do
+ should contain_neutron_agent_ovn('metadata_rate_limiting/rate_limit_enabled').with_value('');
+ should contain_neutron_agent_ovn('metadata_rate_limiting/ip_versions').with_value('');
+ should contain_neutron_agent_ovn('metadata_rate_limiting/base_window_duration').with_value('');
+ should contain_neutron_agent_ovn('metadata_rate_limiting/base_query_rate_limit').with_value('');
+ should contain_neutron_agent_ovn('metadata_rate_limiting/burst_window_duration').with_value('');
+ should contain_neutron_agent_ovn('metadata_rate_limiting/burst_query_rate_limit').with_value('');
+ end
+ end
+
+ context 'with parameters' do
+ let :params do
+ {
+ :rate_limit_enabled => false,
+ :ip_versions => [4],
+ :base_window_duration => 10,
+ :base_query_rate_limit => 11,
+ :burst_window_duration => 12,
+ :burst_query_rate_limit => 13,
+ }
+ end
+ it 'configures the given values' do
+ should contain_neutron_agent_ovn('metadata_rate_limiting/rate_limit_enabled').with_value(false);
+ should contain_neutron_agent_ovn('metadata_rate_limiting/ip_versions').with_value(4);
+ should contain_neutron_agent_ovn('metadata_rate_limiting/base_window_duration').with_value(10);
+ should contain_neutron_agent_ovn('metadata_rate_limiting/base_query_rate_limit').with_value(11);
+ should contain_neutron_agent_ovn('metadata_rate_limiting/burst_window_duration').with_value(12);
+ should contain_neutron_agent_ovn('metadata_rate_limiting/burst_query_rate_limit').with_value(13);
+ end
+ end
+ end
+
+ on_supported_os({
+ :supported_os => OSDefaults.get_supported_os
+ }).each do |os,facts|
+ context "on #{os}" do
+ let (:facts) do
+ facts.merge!(OSDefaults.get_facts())
+ end
+
+ it_behaves_like 'neutron::agents::ml2::ovn::metadata_rate_limiting'
+ end
+ end
+end
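Review bot: The 'with parameters' example passes `:ip_versions => [4]` and expects `with_value(4)`, which never exercises the `join(any2array($ip_versions), ',')` in the manifest, since a one-element list joined is indistinguishable from the bare value and the matcher presumably only passes because both sides are stringified. A two-element list pins the real contract: `:ip_versions => [4, 6],` with `should contain_neutron_agent_ovn('metadata_rate_limiting/ip_versions').with_value('4,6')`. Also, every `should ... ;` line here ends in a semicolon that the sibling neutron_agents_ml2_ovn_metadata_spec.rb omits; dropping them keeps the two new specs consistent.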
diff --git a/spec/classes/neutron_agents_ml2_ovn_metadata_spec.rb b/spec/classes/neutron_agents_ml2_ovn_metadata_spec.rb
new file mode 100644
index 000000000..7ce944ae6
--- /dev/null
+++ b/spec/classes/neutron_agents_ml2_ovn_metadata_spec.rb
@@ -0,0 +1,39 @@
+require 'spec_helper'
+
+describe 'neutron::agents::ml2::ovn::metadata' do
+ let :pre_condition do
+ "class { 'neutron': }"
+ end
+
+ let :params do
+ {
+ :shared_secret => 'metadata-secret',
+ }
+ end
+
+ shared_examples 'neutron::agents::ml2::ovn::metadata' do
+ it 'configures ovn_agent.ini' do
+ should contain_neutron_agent_ovn('DEFAULT/auth_ca_cert').with_value('')
+ should contain_neutron_agent_ovn('DEFAULT/nova_client_cert').with_value('')
+ should contain_neutron_agent_ovn('DEFAULT/nova_client_priv_key').with_value('')
+ should contain_neutron_agent_ovn('DEFAULT/nova_metadata_host').with_value('')
+ should contain_neutron_agent_ovn('DEFAULT/nova_metadata_port').with_value('')
+ should contain_neutron_agent_ovn('DEFAULT/nova_metadata_protocol').with_value('')
+ should contain_neutron_agent_ovn('DEFAULT/metadata_workers').with_value('')
+ should contain_neutron_agent_ovn('DEFAULT/metadata_backlog').with_value('')
+ should contain_neutron_agent_ovn('DEFAULT/nova_metadata_insecure').with_value('')
+ should contain_neutron_agent_ovn('DEFAULT/metadata_proxy_shared_secret').with_value(params[:shared_secret]).with_secret(true)
+ end
+ end
+
+ on_supported_os({
+ :supported_os => OSDefaults.get_supported_os
+ }).each do |os,facts|
+ context "on #{os}" do
+ let (:facts) do
+ facts.merge!(OSDefaults.get_facts())
+ end
+ it_behaves_like 'neutron::agents::ml2::ovn::metadata'
+ end
+ end
+end
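Review bot: The spec only checks the defaults, so the pass-through of non-default values for auth_ca_cert, nova_client_cert, nova_client_priv_key, metadata_host, metadata_port, metadata_protocol and metadata_insecure is never verified, unlike the sibling metadata_rate_limiting spec which has a 'with parameters' context. A second context inside the shared_examples overriding `params` would cover the TLS-related options that matter most in production; the values below are illustrative only.
```ruby
  shared_examples 'neutron::agents::ml2::ovn::metadata' do
    # … unchanged: 'configures ovn_agent.ini' default-value example …

    context 'with parameters' do
      let :params do
        {
          :shared_secret        => 'metadata-secret',
          :auth_ca_cert         => '/path/to/ca.pem',
          :nova_client_cert     => '/path/to/client.pem',
          :nova_client_priv_key => '/path/to/client.key',
          :metadata_host        => 'nova-metadata.example.test',
          :metadata_port        => 1234,
          :metadata_protocol    => 'https',
          :metadata_insecure    => false,
        }
      end

      it 'configures the given values' do
        should contain_neutron_agent_ovn('DEFAULT/auth_ca_cert').with_value('/path/to/ca.pem')
        should contain_neutron_agent_ovn('DEFAULT/nova_client_cert').with_value('/path/to/client.pem')
        should contain_neutron_agent_ovn('DEFAULT/nova_client_priv_key').with_value('/path/to/client.key')
        should contain_neutron_agent_ovn('DEFAULT/nova_metadata_host').with_value('nova-metadata.example.test')
        should contain_neutron_agent_ovn('DEFAULT/nova_metadata_port').with_value(1234)
        should contain_neutron_agent_ovn('DEFAULT/nova_metadata_protocol').with_value('https')
        should contain_neutron_agent_ovn('DEFAULT/nova_metadata_insecure').with_value(false)
        should contain_neutron_agent_ovn('DEFAULT/metadata_proxy_shared_secret').with_value('metadata-secret').with_secret(true)
      end
    end
    # … unchanged: end of shared_examples and on_supported_os loop …
```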