diff --git a/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template b/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template
index f78c925ba30..c8622a1d4b6 100755
--- a/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template
+++ b/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template
@@ -33,6 +33,12 @@ OPENSHIFT_HYPERSHIFT_IMAGE=$(podman run --quiet --rm ${release} image hypershift
 OPENSHIFT_HYPERKUBE_IMAGE=$(podman run --quiet --rm ${release} image hyperkube)
 
 CLUSTER_BOOTSTRAP_IMAGE=$(podman run --quiet --rm ${release} image cluster-bootstrap)
+KEEPALIVED_IMAGE=$(podman run --quiet --rm ${release} image keepalived-ipfailover)
+COREDNS_IMAGE=$(podman run --quiet --rm ${release} image coredns)
+MDNS_PUBLISHER_IMAGE=$(podman run --quiet --rm ${release} image mdns-publisher)
+HAPROXY_IMAGE=$(podman run --quiet --rm ${release} image haproxy-router)
+RUNTIMECFG_IMAGE=$(podman run --quiet --rm ${release} image baremetal-runtimecfg)
+
 
 # Now, as early as possible we replace the pause image and reload crio to use it, to ensure
 # that we're using the pause image from our payload just like the primary cluster.
@@ -194,17 +200,30 @@ then
 			--machine-config-operator-image=${MACHINE_CONFIG_OPERATOR_IMAGE} \
 			--machine-config-oscontent-image=${MACHINE_CONFIG_OSCONTENT} \
 			--infra-image=${MACHINE_CONFIG_INFRA_IMAGE} \
+			--keepalived-image=${KEEPALIVED_IMAGE} \
+			--coredns-image=${COREDNS_IMAGE} \
+			--mdns-publisher-image=${MDNS_PUBLISHER_IMAGE} \
+			--haproxy-image=${HAPROXY_IMAGE} \
+			--baremetal-runtimecfg-image=${RUNTIMECFG_IMAGE} \
 			--cloud-config-file=/assets/manifests/cloud-provider-config.yaml
 
 	# Bootstrap MachineConfigController uses /etc/mcc/bootstrap/manifests/ dir to
 	# 1. read the controller config rendered by MachineConfigOperator
 	# 2. read the default MachineConfigPools rendered by MachineConfigOperator
 	# 3. read any additional MachineConfigs that are needed for the default MachineConfigPools.
-	mkdir --parents /etc/mcc/bootstrap /etc/mcs/bootstrap /etc/kubernetes/manifests
+	mkdir --parents /etc/mcc/bootstrap /etc/mcs/bootstrap /etc/kubernetes/manifests /etc/kubernetes/static-pod-resources
 	cp mco-bootstrap/bootstrap/manifests/* /etc/mcc/bootstrap/
 	cp openshift/* /etc/mcc/bootstrap/
 	cp auth/kubeconfig-kubelet /etc/mcs/kubeconfig
 	cp mco-bootstrap/bootstrap/machineconfigoperator-bootstrap-pod.yaml /etc/kubernetes/manifests/
+	if [ -d mco-bootstrap/baremetal/manifests ]; then
+	    cp mco-bootstrap/baremetal/manifests/* /etc/kubernetes/manifests/
+	    cp -r mco-bootstrap/baremetal/static-pod-resources/* /etc/kubernetes/static-pod-resources/
+	fi
+	if [ -d mco-bootstrap/openstack/manifests ]; then
+	    cp mco-bootstrap/openstack/manifests/* /etc/kubernetes/manifests/
+	    cp -r mco-bootstrap/openstack/static-pod-resources/* /etc/kubernetes/static-pod-resources/
+	fi
 	cp mco-bootstrap/manifests/* manifests/
 
 	# /etc/ssl/mcs/tls.{crt, key} are locations for MachineConfigServer's tls assets.
diff --git a/data/data/openstack/bootstrap/main.tf b/data/data/openstack/bootstrap/main.tf
index 7c456c2a1fe..cac46a4ed44 100644
--- a/data/data/openstack/bootstrap/main.tf
+++ b/data/data/openstack/bootstrap/main.tf
@@ -18,40 +18,46 @@ data "ignition_config" "redirect" {
 
   files = [
     data.ignition_file.hostname.id,
-    data.ignition_file.bootstrap_ifcfg.id,
+    data.ignition_file.dns_conf.id,
+    data.ignition_file.dhcp_conf.id,
   ]
 }
 
-data "ignition_file" "bootstrap_ifcfg" {
+data "ignition_file" "dhcp_conf" {
   filesystem = "root"
-  mode       = "420" // 0644
-  path       = "/etc/sysconfig/network-scripts/ifcfg-eth0"
+  mode       = "420"
+  path       = "/etc/NetworkManager/conf.d/dhcp-client.conf"
 
   content {
     content = <<EOF
-DEVICE="eth0"
-BOOTPROTO="dhcp"
-ONBOOT="yes"
-TYPE="Ethernet"
-PERSISTENT_DHCLIENT="yes"
-DNS1="${var.service_vm_fixed_ip}"
-PEERDNS="no"
-NM_CONTROLLED="yes"
+[main]
+dhcp=dhclient
 EOF
+  }
+}
 
+data "ignition_file" "dns_conf" {
+  filesystem = "root"
+  mode = "420"
+  path = "/etc/dhcp/dhclient.conf"
+
+  content {
+    content = <<EOF
+send dhcp-client-identifier = hardware;
+prepend domain-name-servers 127.0.0.1;
+EOF
   }
 }
 
 data "ignition_file" "hostname" {
   filesystem = "root"
-  mode = "420" // 0644
-  path = "/etc/hostname"
+  mode       = "420" // 0644
+  path       = "/etc/hostname"
 
   content {
     content = <<EOF
 ${var.cluster_id}-bootstrap
 EOF
-
   }
 }
 
@@ -81,4 +87,3 @@ resource "openstack_compute_instance_v2" "bootstrap" {
     openshiftClusterID = var.cluster_id
   }
 }
-
diff --git a/data/data/openstack/bootstrap/variables.tf b/data/data/openstack/bootstrap/variables.tf
index 1e8c96a4fb5..769703f2a48 100644
--- a/data/data/openstack/bootstrap/variables.tf
+++ b/data/data/openstack/bootstrap/variables.tf
@@ -13,11 +13,6 @@ variable "cluster_id" {
   description = "The identifier for the cluster."
 }
 
-variable "cluster_domain" {
-  type        = string
-  description = "The domain name of the cluster. All DNS records must be under this domain."
-}
-
 variable "ignition" {
   type        = string
   description = "The content of the bootstrap ignition file."
@@ -32,8 +27,3 @@ variable "bootstrap_port_id" {
   type        = string
   description = "The subnet ID for the bootstrap node."
 }
-
-variable "service_vm_fixed_ip" {
-  type = string
-}
-
diff --git a/data/data/openstack/main.tf b/data/data/openstack/main.tf
index 62dc76a0f2d..49c0c9ac907 100644
--- a/data/data/openstack/main.tf
+++ b/data/data/openstack/main.tf
@@ -22,72 +22,45 @@ provider "openstack" {
   user_name           = var.openstack_credentials_user_name
 }
 
-module "service" {
-  source = "./service"
+module "bootstrap" {
+  source = "./bootstrap"
 
   swift_container   = openstack_objectstorage_container_v1.container.name
   cluster_id        = var.cluster_id
-  cluster_domain    = var.cluster_domain
   image_name        = var.openstack_base_image
   flavor_name       = var.openstack_master_flavor_name
   ignition          = var.ignition_bootstrap
-  lb_floating_ip    = var.openstack_lb_floating_ip
-  service_port_id   = module.topology.service_port_id
-  service_port_ip   = module.topology.service_port_ip
-  master_ips        = module.topology.master_ips
-  master_port_names = module.topology.master_port_names
-  bootstrap_ip      = module.topology.bootstrap_port_ip
-}
-
-module "bootstrap" {
-  source = "./bootstrap"
-
-  swift_container     = openstack_objectstorage_container_v1.container.name
-  cluster_id          = var.cluster_id
-  cluster_domain      = var.cluster_domain
-  image_name          = var.openstack_base_image
-  flavor_name         = var.openstack_master_flavor_name
-  ignition            = var.ignition_bootstrap
-  bootstrap_port_id   = module.topology.bootstrap_port_id
-  service_vm_fixed_ip = module.topology.service_vm_fixed_ip
+  bootstrap_port_id = module.topology.bootstrap_port_id
 }
 
 module "masters" {
   source = "./masters"
 
-  base_image          = var.openstack_base_image
-  bootstrap_ip        = module.topology.bootstrap_port_ip
-  cluster_id          = var.cluster_id
-  cluster_domain      = var.cluster_domain
-  flavor_name         = var.openstack_master_flavor_name
-  instance_count      = var.master_count
-  lb_floating_ip      = var.openstack_lb_floating_ip
-  master_ips          = module.topology.master_ips
-  master_port_ids     = module.topology.master_port_ids
-  master_port_names   = module.topology.master_port_names
-  user_data_ign       = var.ignition_master
-  service_vm_fixed_ip = module.topology.service_vm_fixed_ip
-  api_int_ip          = var.openstack_api_int_ip
-  node_dns_ip         = var.openstack_node_dns_ip
+  base_image      = var.openstack_base_image
+  cluster_id      = var.cluster_id
+  flavor_name     = var.openstack_master_flavor_name
+  instance_count  = var.master_count
+  master_port_ids = module.topology.master_port_ids
+  user_data_ign   = var.ignition_master
   master_sg_ids = concat(
     var.openstack_master_extra_sg_ids,
     [module.topology.master_sg_id],
   )
 }
 
-# TODO(shadower) add a dns module here
-
 module "topology" {
   source = "./topology"
 
   cidr_block          = var.machine_cidr
   cluster_id          = var.cluster_id
+  cluster_domain      = var.cluster_domain
   external_network    = var.openstack_external_network
   external_network_id = var.openstack_external_network_id
   masters_count       = var.master_count
   lb_floating_ip      = var.openstack_lb_floating_ip
   api_int_ip          = var.openstack_api_int_ip
   node_dns_ip         = var.openstack_node_dns_ip
+  ingress_ip          = var.openstack_ingress_ip
   trunk_support       = var.openstack_trunk_support
   octavia_support     = var.openstack_octavia_support
 }
@@ -98,9 +71,11 @@ resource "openstack_objectstorage_container_v1" "container" {
   # "kubernetes.io/cluster/${var.cluster_id}" = "owned"
   metadata = merge(
     {
-      "Name"               = "${var.cluster_id}-ignition-master"
+      "Name"               = "${var.cluster_id}-ignition"
       "openshiftClusterID" = var.cluster_id
     },
+    # FIXME(mandre) the openstack_extra_tags should be applied to all resources
+    # created
     var.openstack_extra_tags,
   )
 }
diff --git a/data/data/openstack/masters/main.tf b/data/data/openstack/masters/main.tf
index 85ca44a707f..60296796a2b 100644
--- a/data/data/openstack/masters/main.tf
+++ b/data/data/openstack/masters/main.tf
@@ -16,23 +16,6 @@ data "ignition_file" "hostname" {
   content {
     content = <<EOF
 ${var.cluster_id}-master-${count.index}
-EOF
-
-  }
-}
-
-data "ignition_file" "clustervars" {
-  filesystem = "root"
-  mode = "420" // 0644
-  path = "/etc/kubernetes/static-pod-resources/clustervars"
-
-  content {
-    content = <<EOF
-export API_VIP=${var.api_int_ip}
-export DNS_VIP=${var.node_dns_ip}
-export FLOATING_IP=${var.lb_floating_ip}
-export BOOTSTRAP_IP=${var.bootstrap_ip}
-${replace(join("\n", formatlist("export MASTER_FIXED_IPS_%s=%s", var.master_port_names, var.master_ips)), "${var.cluster_id}-master-port-", "")}
 EOF
   }
 }
@@ -45,8 +28,7 @@ data "ignition_config" "master_ignition_config" {
   }
 
   files = [
-    element(data.ignition_file.hostname.*.id, count.index),
-    data.ignition_file.clustervars.id,
+    element(data.ignition_file.hostname.*.id, count.index)
   ]
 }
 
@@ -67,6 +49,7 @@ resource "openstack_compute_instance_v2" "master_conf" {
   }
 
   metadata = {
+    # FIXME(mandre) shouldn't it be "${var.cluster_id}-master-${count.index}" ?
     Name = "${var.cluster_id}-master"
     # "kubernetes.io/cluster/${var.cluster_id}" = "owned"
     openshiftClusterID = var.cluster_id
diff --git a/data/data/openstack/masters/variables.tf b/data/data/openstack/masters/variables.tf
index e0249b456a9..7e73d627d3c 100644
--- a/data/data/openstack/masters/variables.tf
+++ b/data/data/openstack/masters/variables.tf
@@ -2,20 +2,11 @@ variable "base_image" {
   type = string
 }
 
-variable "bootstrap_ip" {
-  type = string
-}
-
 variable "cluster_id" {
   type        = string
   description = "The identifier for the cluster."
 }
 
-variable "cluster_domain" {
-  type        = string
-  description = "The domain name of the cluster. All DNS records must be under this domain."
-}
-
 variable "flavor_name" {
   type = string
 }
@@ -24,14 +15,6 @@ variable "instance_count" {
   type = string
 }
 
-variable "lb_floating_ip" {
-  type = string
-}
-
-variable "master_ips" {
-  type = list(string)
-}
-
 variable "master_sg_ids" {
   type        = list(string)
   default     = ["default"]
@@ -43,22 +26,6 @@ variable "master_port_ids" {
   description = "List of port ids for the master nodes"
 }
 
-variable "master_port_names" {
-  type = list(string)
-}
-
 variable "user_data_ign" {
   type = string
 }
-
-variable "api_int_ip" {
-  type = string
-}
-
-variable "node_dns_ip" {
-  type = string
-}
-
-variable "service_vm_fixed_ip" {
-  type = string
-}
diff --git a/data/data/openstack/service/main.tf b/data/data/openstack/service/main.tf
deleted file mode 100644
index 367a9d8d556..00000000000
--- a/data/data/openstack/service/main.tf
+++ /dev/null
@@ -1,320 +0,0 @@
-data "openstack_images_image_v2" "bootstrap_image" {
-  name        = var.image_name
-  most_recent = true
-}
-
-data "openstack_compute_flavor_v2" "bootstrap_flavor" {
-  name = var.flavor_name
-}
-
-data "ignition_systemd_unit" "haproxy_unit" {
-  name    = "haproxy.service"
-  enabled = true
-
-  content = <<EOF
-[Unit]
-Description=Load balancer for the OpenShift services
-
-[Service]
-ExecStartPre=/sbin/setenforce 0
-ExecStartPre=/bin/systemctl disable --now bootkube kubelet progress openshift
-ExecStart=/bin/podman run --rm -ti --net=host -v /etc/haproxy:/usr/local/etc/haproxy:ro docker.io/library/haproxy:1.7
-ExecStop=/bin/podman stop -t 10 haproxy
-Restart=always
-RestartSec=10
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
-}
-
-data "ignition_systemd_unit" "haproxy_unit_watcher" {
-  name = "haproxy-watcher.service"
-  enabled = true
-
-  content = <<EOF
-[Unit]
-Description=HAproxy config updater
-
-[Service]
-Type=oneshot
-ExecStart=/usr/local/bin/haproxy-watcher.sh
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
-}
-
-data "ignition_systemd_unit" "haproxy_timer_watcher" {
-  name    = "haproxy-watcher.timer"
-  enabled = true
-
-  content = <<EOF
-[Timer]
-OnCalendar=*:0/2
-
-[Install]
-WantedBy=timers.target
-EOF
-
-}
-
-data "ignition_file" "haproxy_watcher_script" {
-  filesystem = "root"
-  mode = "489" // 0755
-  path = "/usr/local/bin/haproxy-watcher.sh"
-
-  content {
-    content = <<TFEOF
-#!/bin/bash
-
-set -x
-
-# NOTE(flaper87): We're doing this here for now
-# because our current vendored verison for terraform
-# doesn't support appending to an ignition_file. This
-# is coming in 2.3
-grep -qxF "127.0.0.1 api.${var.cluster_domain}" /etc/hosts || echo "127.0.0.1 api.${var.cluster_domain}" | sudo tee -a /etc/hosts
-
-mkdir -p /etc/haproxy
-export KUBECONFIG=/opt/openshift/auth/kubeconfig
-TEMPLATE="{{range .items}}{{\$addresses:=.status.addresses}}{{range .status.conditions}}{{if eq .type \"Ready\"}}{{if eq .status \"True\" }}{{range \$addresses}}{{if eq .type \"InternalIP\"}}{{.address}}{{end}}{{end}}{{end}}{{end}}{{end}} {{end}}"
-MASTERS=$(oc get nodes -l node-role.kubernetes.io/master -ogo-template="$TEMPLATE")
-WORKERS=$(oc get nodes -l node-role.kubernetes.io/worker -ogo-template="$TEMPLATE")
-
-update_cfg_and_restart() {
-    CHANGED=$(diff /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.new)
-
-    if [[ ! -f /etc/haproxy/haproxy.cfg ]] || [[ ! -z "$CHANGED" ]];
-    then
-        cp /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.backup || true
-        cp /etc/haproxy/haproxy.cfg.new /etc/haproxy/haproxy.cfg
-        systemctl restart haproxy
-    fi
-}
-
-if [[ -z "$MASTERS" ]];
-then
-cat > /etc/haproxy/haproxy.cfg.new << EOF
-listen ${var.cluster_id}-api-masters
-    bind 0.0.0.0:6443
-    bind 0.0.0.0:22623
-    mode tcp
-    balance roundrobin
-    server bootstrap-22623 ${var.bootstrap_ip} check port 22623
-    server bootstrap-6443 ${var.bootstrap_ip} check port 6443
-    ${replace(join("\n    ", formatlist("server master-%s %s check port 6443", var.master_port_names, var.master_ips)), "master-port-", "")}
-EOF
-    update_cfg_and_restart
-    exit 0
-fi
-
-for master in $MASTERS;
-do
-    MASTER_LINES="$MASTER_LINES
-    server $master $master check port 6443"
-done
-
-for worker in $WORKERS;
-do
-    WORKER_LINES="$WORKER_LINES
-    server $worker $worker check port 443"
-done
-
-cat > /etc/haproxy/haproxy.cfg.new << EOF
-listen ${var.cluster_id}-api-masters
-    bind 0.0.0.0:6443
-    bind 0.0.0.0:22623
-    mode tcp
-    balance roundrobin$MASTER_LINES
-
-listen ${var.cluster_id}-api-workers
-    bind 0.0.0.0:80
-    bind 0.0.0.0:443
-    mode tcp
-    balance roundrobin$WORKER_LINES
-EOF
-
-update_cfg_and_restart
-TFEOF
-
-}
-}
-
-data "ignition_file" "corefile" {
-  filesystem = "root"
-  mode       = "420" // 0644
-  path       = "/etc/coredns/Corefile"
-
-  content {
-    content = <<EOF
-. {
-    log
-    errors
-    reload 10s
-
-${length(var.lb_floating_ip) == 0 ? "" : "    file /etc/coredns/db.${var.cluster_domain} api.${var.cluster_domain} {\n    }\n"}
-
-    hosts {
-        ${replace(join("\n", formatlist("%s %s", var.master_ips, var.master_port_names)), "port-", "")}
-        fallthrough
-    }
-
-
-    file /etc/coredns/db.${var.cluster_domain} _etcd-server-ssl._tcp.${var.cluster_domain} {
-    }
-
-    file /etc/coredns/db.${var.cluster_domain} bootstrap.${var.cluster_domain} {
-        upstream /etc/resolv.conf
-    }
-
-${replace(join("\n", formatlist("    file /etc/coredns/db.${var.cluster_domain} master-%s.${var.cluster_domain} {\n    upstream /etc/resolv.conf\n    }\n", var.master_port_names)), "${var.cluster_id}-master-port-", "")}
-
-${replace(join("\n", formatlist("    file /etc/coredns/db.${var.cluster_domain} etcd-%s.${var.cluster_domain} {\n    upstream /etc/resolv.conf\n    }\n", var.master_port_names)), "${var.cluster_id}-master-port-", "")}
-
-
-    forward . /etc/resolv.conf {
-    }
-}
-
-${var.cluster_domain} {
-    log
-    errors
-    reload 10s
-
-    file /etc/coredns/db.${var.cluster_domain} {
-        upstream /etc/resolv.conf
-    }
-}
-
-EOF
-
-  }
-}
-
-data "ignition_file" "coredb" {
-  filesystem = "root"
-  mode = "420" // 0644
-  path = "/etc/coredns/db.${var.cluster_domain}"
-
-  content {
-    content = <<EOF
-$ORIGIN ${var.cluster_domain}.
-@    3600 IN SOA host.${var.cluster_domain}. hostmaster (
-                                2017042752 ; serial
-                                7200       ; refresh (2 hours)
-                                3600       ; retry (1 hour)
-                                1209600    ; expire (2 weeks)
-                                3600       ; minimum (1 hour)
-                                )
-
-${length(var.lb_floating_ip) == 0 ? "api  IN  A  ${var.service_port_ip}" : "api  IN  A  ${var.lb_floating_ip}"}
-${length(var.lb_floating_ip) == 0 ? "*.apps  IN  A  ${var.service_port_ip}" : "*.apps  IN  A  ${var.lb_floating_ip}"}
-
-api-int  IN  A  ${var.service_port_ip}
-
-bootstrap.${var.cluster_domain}  IN  A  ${var.bootstrap_ip}
-${replace(join("\n", formatlist("%s  IN  A %s", var.master_port_names, var.master_ips)), "port-", "")}
-${replace(join("\n", formatlist("master-%s  IN  A %s", var.master_port_names, var.master_ips)), "${var.cluster_id}-master-port-", "")}
-
-${replace(join("\n", formatlist("etcd-%s  IN  A  %s", var.master_port_names, var.master_ips)), "${var.cluster_id}-master-port-", "")}
-${replace(join("\n", formatlist("_etcd-server-ssl._tcp  8640  IN  SRV  0  10  2380   etcd-%s.${var.cluster_domain}.", var.master_port_names)), "${var.cluster_id}-master-port-", "")}
-
-EOF
-
-  }
-}
-
-data "ignition_systemd_unit" "local_dns" {
-  name = "local-dns.service"
-
-  content = <<EOF
-[Unit]
-Description=Internal DNS serving the required OpenShift records
-
-[Service]
-ExecStart=/bin/podman run --rm -i -t -m 128m --net host --cap-add=NET_ADMIN -v /etc/coredns:/etc/coredns:Z quay.io/openshift/origin-coredns:v4.0 -conf /etc/coredns/Corefile
-Restart=always
-RestartSec=10
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
-}
-
-data "ignition_file" "hostname" {
-  filesystem = "root"
-  mode = "420" // 0644
-  path = "/etc/hostname"
-
-  content {
-    content = <<EOF
-${var.cluster_id}-api
-EOF
-
-  }
-}
-
-data "ignition_user" "core" {
-  name = "core"
-}
-
-resource "openstack_objectstorage_object_v1" "service_ignition" {
-  container_name = var.swift_container
-  name           = "load-balancer.ign"
-  content        = var.ignition
-}
-
-resource "openstack_objectstorage_tempurl_v1" "service_ignition_tmpurl" {
-  container = var.swift_container
-  method    = "get"
-  object    = openstack_objectstorage_object_v1.service_ignition.name
-  ttl       = 3600
-}
-
-data "ignition_config" "service_redirect" {
-  append {
-    source = openstack_objectstorage_tempurl_v1.service_ignition_tmpurl.url
-  }
-
-  files = [
-    data.ignition_file.hostname.id,
-    data.ignition_file.haproxy_watcher_script.id,
-    data.ignition_file.corefile.id,
-    data.ignition_file.coredb.id,
-  ]
-
-  systemd = [
-    data.ignition_systemd_unit.haproxy_unit.id,
-    data.ignition_systemd_unit.haproxy_unit_watcher.id,
-    data.ignition_systemd_unit.haproxy_timer_watcher.id,
-    data.ignition_systemd_unit.local_dns.id,
-  ]
-
-  users = [
-    data.ignition_user.core.id,
-  ]
-}
-
-resource "openstack_compute_instance_v2" "load_balancer" {
-  name      = "${var.cluster_id}-api"
-  flavor_id = data.openstack_compute_flavor_v2.bootstrap_flavor.id
-  image_id  = data.openstack_images_image_v2.bootstrap_image.id
-
-  user_data = data.ignition_config.service_redirect.rendered
-
-  network {
-    port = var.service_port_id
-  }
-
-  metadata = {
-    Name     = "${var.cluster_id}-api"
-    Hostname = "${var.cluster_id}-api.${var.cluster_domain}"
-    # "kubernetes.io/cluster/${var.cluster_id}" = "owned"
-    openshiftClusterID = var.cluster_id
-  }
-}
-
diff --git a/data/data/openstack/service/variables.tf b/data/data/openstack/service/variables.tf
deleted file mode 100644
index f33a4bee006..00000000000
--- a/data/data/openstack/service/variables.tf
+++ /dev/null
@@ -1,57 +0,0 @@
-variable "image_name" {
-  type        = string
-  description = "The name of the Glance image for the bootstrap node."
-}
-
-variable "swift_container" {
-  type        = string
-  description = "The Swift container name for bootstrap ignition file."
-}
-
-variable "cluster_id" {
-  type        = string
-  description = "The identifier for the cluster."
-}
-
-variable "cluster_domain" {
-  type        = string
-  description = "The domain name of the cluster. All DNS records must be under this domain."
-}
-
-variable "ignition" {
-  type        = string
-  description = "The content of the bootstrap ignition file."
-}
-
-variable "flavor_name" {
-  type        = string
-  default     = "m1.medium"
-  description = "The Nova flavor for the bootstrap node."
-}
-
-variable "service_port_id" {
-  type        = string
-  description = "The subnet ID for the service node."
-}
-
-variable "service_port_ip" {
-  type        = string
-  description = "The subnet IP for the service node."
-}
-
-variable "master_ips" {
-  type = list(string)
-}
-
-variable "master_port_names" {
-  type = list(string)
-}
-
-variable "bootstrap_ip" {
-  type = string
-}
-
-variable "lb_floating_ip" {
-  type = string
-}
-
diff --git a/data/data/openstack/topology/outputs.tf b/data/data/openstack/topology/outputs.tf
index 017fa597be8..0e1cef91fe6 100644
--- a/data/data/openstack/topology/outputs.tf
+++ b/data/data/openstack/topology/outputs.tf
@@ -1,31 +1,7 @@
-output "service_port_id" {
-  value = openstack_networking_port_v2.service_port.id
-}
-
-output "service_port_ip" {
-  value = openstack_networking_port_v2.service_port.all_fixed_ips[0]
-}
-
 output "bootstrap_port_id" {
   value = openstack_networking_port_v2.bootstrap_port.id
 }
 
-output "bootstrap_port_ip" {
-  value = openstack_networking_port_v2.bootstrap_port.all_fixed_ips[0]
-}
-
-output "master_ips" {
-  value = flatten(openstack_networking_port_v2.masters.*.all_fixed_ips)
-}
-
-output "master_port_names" {
-  value = openstack_networking_port_v2.masters.*.name
-}
-
-output "service_vm_fixed_ip" {
-  value = openstack_networking_port_v2.service_port.all_fixed_ips[0]
-}
-
 output "master_sg_id" {
   value = openstack_networking_secgroup_v2.master.id
 }
diff --git a/data/data/openstack/topology/private-network.tf b/data/data/openstack/topology/private-network.tf
index 6002a892695..41b217194c0 100644
--- a/data/data/openstack/topology/private-network.tf
+++ b/data/data/openstack/topology/private-network.tf
@@ -1,6 +1,5 @@
 locals {
-  nodes_cidr_block   = cidrsubnet(var.cidr_block, 1, 0)
-  service_cidr_block = cidrsubnet(var.cidr_block, 1, 1)
+  nodes_cidr_block = var.cidr_block
 }
 
 data "openstack_networking_network_v2" "external_network" {
@@ -15,21 +14,12 @@ resource "openstack_networking_network_v2" "openshift-private" {
   tags           = ["openshiftClusterID=${var.cluster_id}"]
 }
 
-resource "openstack_networking_subnet_v2" "service" {
-  name       = "${var.cluster_id}-service"
-  cidr       = local.service_cidr_block
+resource "openstack_networking_subnet_v2" "nodes" {
+  name       = "${var.cluster_id}-nodes"
+  cidr       = local.nodes_cidr_block
   ip_version = 4
   network_id = openstack_networking_network_v2.openshift-private.id
   tags       = ["openshiftClusterID=${var.cluster_id}"]
-}
-
-resource "openstack_networking_subnet_v2" "nodes" {
-  name            = "${var.cluster_id}-nodes"
-  cidr            = local.nodes_cidr_block
-  ip_version      = 4
-  network_id      = openstack_networking_network_v2.openshift-private.id
-  tags            = ["openshiftClusterID=${var.cluster_id}"]
-  dns_nameservers = [openstack_networking_port_v2.service_port.all_fixed_ips[0]]
 
   # We reserve some space at the beginning of the CIDR to use for the VIPs
   # It would be good to make this more dynamic by calculating the number of
@@ -49,6 +39,11 @@ resource "openstack_networking_port_v2" "masters" {
   security_group_ids = [openstack_networking_secgroup_v2.master.id]
   tags               = ["openshiftClusterID=${var.cluster_id}"]
 
+  extra_dhcp_option {
+    name  = "domain-search"
+    value = var.cluster_domain
+  }
+
   fixed_ip {
     subnet_id = openstack_networking_subnet_v2.nodes.id
   }
@@ -60,6 +55,10 @@ resource "openstack_networking_port_v2" "masters" {
   allowed_address_pairs {
     ip_address = var.node_dns_ip
   }
+
+  allowed_address_pairs {
+    ip_address = var.ingress_ip
+  }
 }
 
 resource "openstack_networking_trunk_v2" "masters" {
@@ -78,28 +77,43 @@ resource "openstack_networking_port_v2" "bootstrap_port" {
   network_id         = openstack_networking_network_v2.openshift-private.id
   security_group_ids = [openstack_networking_secgroup_v2.master.id]
   tags               = ["openshiftClusterID=${var.cluster_id}"]
+  extra_dhcp_option {
+    name  = "domain-search"
+    value = var.cluster_domain
+  }
 
   fixed_ip {
     subnet_id = openstack_networking_subnet_v2.nodes.id
   }
-}
-
-resource "openstack_networking_port_v2" "service_port" {
-  name = "${var.cluster_id}-service-port"
 
-  admin_state_up     = "true"
-  network_id         = openstack_networking_network_v2.openshift-private.id
-  security_group_ids = [openstack_networking_secgroup_v2.api.id]
-  tags               = ["openshiftClusterID=${var.cluster_id}"]
+  allowed_address_pairs {
+    ip_address = var.api_int_ip
+  }
 
-  fixed_ip {
-    subnet_id = openstack_networking_subnet_v2.service.id
+  allowed_address_pairs {
+    ip_address = var.node_dns_ip
   }
 }
 
-resource "openstack_networking_floatingip_associate_v2" "service_fip" {
+// Assign the floating IP to one of the masters.
+//
+// Strictly speaking, this is not required to finish the installation. We
+// support environments without floating IPs. However, since the installer
+// is running outside of the nodes subnet (often outside of the OpenStack
+// cluster itself), it needs a floating IP to monitor the progress.
+//
+// This IP address is not expected to be the final solution for providing HA.
+// It is only here to let the installer finish without any errors. Configuring
+// a load balancer and providing external connectivity is a post-installation
+// step that can't always be automated (we need to support OpenStack clusters)
+// that do not have or do not want to use Octavia.
+//
+// If the floating IP is not provided, the installer will time out waiting for
+// bootstrapping to complete, but the OpenShift cluster itself should come up
+// as expected.
+resource "openstack_networking_floatingip_associate_v2" "api_fip" {
   count       = length(var.lb_floating_ip) == 0 ? 0 : 1
-  port_id     = openstack_networking_port_v2.service_port.id
+  port_id     = openstack_networking_port_v2.masters[0].id
   floating_ip = var.lb_floating_ip
 }
 
@@ -110,11 +124,6 @@ resource "openstack_networking_router_v2" "openshift-external-router" {
   tags                = ["openshiftClusterID=${var.cluster_id}"]
 }
 
-resource "openstack_networking_router_interface_v2" "service_router_interface" {
-  router_id = openstack_networking_router_v2.openshift-external-router.id
-  subnet_id = openstack_networking_subnet_v2.service.id
-}
-
 resource "openstack_networking_router_interface_v2" "nodes_router_interface" {
   router_id = openstack_networking_router_v2.openshift-external-router.id
   subnet_id = openstack_networking_subnet_v2.nodes.id
diff --git a/data/data/openstack/topology/sg-lb.tf b/data/data/openstack/topology/sg-lb.tf
deleted file mode 100644
index 67b98337459..00000000000
--- a/data/data/openstack/topology/sg-lb.tf
+++ /dev/null
@@ -1,85 +0,0 @@
-resource "openstack_networking_secgroup_v2" "api" {
-  name = "${var.cluster_id}-api"
-  tags = ["openshiftClusterID=${var.cluster_id}"]
-}
-
-resource "openstack_networking_secgroup_rule_v2" "api_mcs" {
-  direction         = "ingress"
-  ethertype         = "IPv4"
-  protocol          = "tcp"
-  port_range_min    = 22623
-  port_range_max    = 22623
-  remote_ip_prefix  = "0.0.0.0/0"
-  security_group_id = openstack_networking_secgroup_v2.api.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "api_https" {
-  direction         = "ingress"
-  ethertype         = "IPv4"
-  protocol          = "tcp"
-  port_range_min    = 6443
-  port_range_max    = 6443
-  remote_ip_prefix  = "0.0.0.0/0"
-  security_group_id = openstack_networking_secgroup_v2.api.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "router_http" {
-  direction         = "ingress"
-  ethertype         = "IPv4"
-  protocol          = "tcp"
-  port_range_min    = 80
-  port_range_max    = 80
-  remote_ip_prefix  = "0.0.0.0/0"
-  security_group_id = openstack_networking_secgroup_v2.api.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "router_https" {
-  direction         = "ingress"
-  ethertype         = "IPv4"
-  protocol          = "tcp"
-  port_range_min    = 443
-  port_range_max    = 443
-  remote_ip_prefix  = "0.0.0.0/0"
-  security_group_id = openstack_networking_secgroup_v2.api.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "api_ingress_dns_udp" {
-  direction         = "ingress"
-  ethertype         = "IPv4"
-  protocol          = "udp"
-  port_range_min    = 53
-  port_range_max    = 53
-  remote_ip_prefix  = "0.0.0.0/0"
-  security_group_id = openstack_networking_secgroup_v2.api.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "api_ingress_dns_tcp" {
-  direction         = "ingress"
-  ethertype         = "IPv4"
-  protocol          = "tcp"
-  port_range_min    = 53
-  port_range_max    = 53
-  remote_ip_prefix  = "0.0.0.0/0"
-  security_group_id = openstack_networking_secgroup_v2.api.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "api_ingress_ssh_tcp" {
-  direction         = "ingress"
-  ethertype         = "IPv4"
-  protocol          = "tcp"
-  port_range_min    = 22
-  port_range_max    = 22
-  remote_ip_prefix  = "0.0.0.0/0"
-  security_group_id = openstack_networking_secgroup_v2.api.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "api_ingress_icmp" {
-  direction         = "ingress"
-  ethertype         = "IPv4"
-  protocol          = "icmp"
-  port_range_min    = 0
-  port_range_max    = 0
-  remote_ip_prefix  = "0.0.0.0/0"
-  security_group_id = openstack_networking_secgroup_v2.api.id
-}
-
diff --git a/data/data/openstack/topology/sg-master.tf b/data/data/openstack/topology/sg-master.tf
index 7159db7bfed..1f6ca608e2c 100644
--- a/data/data/openstack/topology/sg-master.tf
+++ b/data/data/openstack/topology/sg-master.tf
@@ -9,7 +9,7 @@ resource "openstack_networking_secgroup_rule_v2" "master_mcs" {
   protocol          = "tcp"
   port_range_min    = 22623
   port_range_max    = 22623
-  remote_ip_prefix  = var.cidr_block
+  remote_ip_prefix  = "0.0.0.0/0"
   security_group_id = openstack_networking_secgroup_v2.master.id
 }
 
@@ -19,7 +19,7 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_icmp" {
   protocol          = "icmp"
   port_range_min    = 0
   port_range_max    = 0
-  remote_ip_prefix  = var.cidr_block
+  remote_ip_prefix  = "0.0.0.0/0"
   security_group_id = openstack_networking_secgroup_v2.master.id
 }
 
@@ -33,6 +33,26 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_ssh" {
   security_group_id = openstack_networking_secgroup_v2.master.id
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_dns_tcp" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 53
+  port_range_max    = 53
+  remote_ip_prefix  = "0.0.0.0/0"
+  security_group_id = "${openstack_networking_secgroup_v2.master.id}"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_dns_udp" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "udp"
+  port_range_min    = 53
+  port_range_max    = 53
+  remote_ip_prefix  = "0.0.0.0/0"
+  security_group_id = "${openstack_networking_secgroup_v2.master.id}"
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_mdns_udp" {
   direction         = "ingress"
   ethertype         = "IPv4"
@@ -49,7 +69,7 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_http" {
   protocol          = "tcp"
   port_range_min    = 80
   port_range_max    = 80
-  remote_ip_prefix  = var.cidr_block
+  remote_ip_prefix  = "0.0.0.0/0"
   security_group_id = openstack_networking_secgroup_v2.master.id
 }
 
@@ -59,7 +79,7 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_https" {
   protocol          = "tcp"
   port_range_min    = 6443
   port_range_max    = 6445
-  remote_ip_prefix  = var.cidr_block
+  remote_ip_prefix  = "0.0.0.0/0"
   security_group_id = openstack_networking_secgroup_v2.master.id
 }
 
@@ -242,3 +262,10 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_services" {
   security_group_id = openstack_networking_secgroup_v2.master.id
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_vrrp" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = 112
+  security_group_id = openstack_networking_secgroup_v2.master.id
+}
+
diff --git a/data/data/openstack/topology/sg-worker.tf b/data/data/openstack/topology/sg-worker.tf
index 9d6ef9decde..17ecbaf28f8 100644
--- a/data/data/openstack/topology/sg-worker.tf
+++ b/data/data/openstack/topology/sg-worker.tf
@@ -147,3 +147,9 @@ resource "openstack_networking_secgroup_rule_v2" "worker_ingress_services" {
   security_group_id = openstack_networking_secgroup_v2.worker.id
 }
 
+resource "openstack_networking_secgroup_rule_v2" "worker_ingress_vrrp" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = 112
+  security_group_id = openstack_networking_secgroup_v2.worker.id
+}
diff --git a/data/data/openstack/topology/variables.tf b/data/data/openstack/topology/variables.tf
index b1f36b9b88a..b95744b2fba 100644
--- a/data/data/openstack/topology/variables.tf
+++ b/data/data/openstack/topology/variables.tf
@@ -6,6 +6,11 @@ variable "cluster_id" {
   type = string
 }
 
+variable "cluster_domain" {
+  type        = string
+  description = "The domain name of the cluster. All DNS records must be under this domain."
+}
+
 variable "external_network" {
   description = "Name of the external network providing Floating IP addresses."
   type        = string
@@ -36,6 +41,10 @@ variable "node_dns_ip" {
   type = string
 }
 
+variable "ingress_ip" {
+  type = string
+}
+
 variable "trunk_support" {
   type = string
 }
diff --git a/data/data/openstack/variables-openstack.tf b/data/data/openstack/variables-openstack.tf
index 373f753a0db..43e6efcc991 100644
--- a/data/data/openstack/variables-openstack.tf
+++ b/data/data/openstack/variables-openstack.tf
@@ -240,7 +240,7 @@ variable "openstack_extra_tags" {
   default = {}
 
   description = <<EOF
-(optional) Extra AWS tags to be applied to created resources.
+(optional) Extra tags to be applied to created resources.
 
 Example: `{ "key" = "value", "foo" = "bar" }`
 EOF
@@ -279,6 +279,11 @@ variable "openstack_node_dns_ip" {
   description = "IP on the nodes subnet reserved for node dns VIP."
 }
 
+variable "openstack_ingress_ip" {
+  type        = string
+  description = "IP on the nodes subnet reserved for the ingress VIP."
+}
+
 variable "openstack_master_flavor_name" {
   type        = string
   description = "Instance size for the master node(s). Example: `m1.medium`."
diff --git a/pkg/asset/cluster/tfvars.go b/pkg/asset/cluster/tfvars.go
index 5d5547d1973..0f002e58438 100644
--- a/pkg/asset/cluster/tfvars.go
+++ b/pkg/asset/cluster/tfvars.go
@@ -250,6 +250,7 @@ func (t *TerraformVariables) Generate(parents asset.Parents) error {
 			installConfig.Config.Platform.OpenStack.LbFloatingIP,
 			installConfig.Config.Platform.OpenStack.APIVIP,
 			installConfig.Config.Platform.OpenStack.DNSVIP,
+			installConfig.Config.Platform.OpenStack.IngressVIP,
 			installConfig.Config.Platform.OpenStack.TrunkSupport,
 			installConfig.Config.Platform.OpenStack.OctaviaSupport,
 		)
diff --git a/pkg/asset/ignition/bootstrap/bootstrap.go b/pkg/asset/ignition/bootstrap/bootstrap.go
index cf5c040a7d5..bbb47891c0b 100644
--- a/pkg/asset/ignition/bootstrap/bootstrap.go
+++ b/pkg/asset/ignition/bootstrap/bootstrap.go
@@ -290,7 +290,7 @@ func (a *Bootstrap) addSystemdUnits(uri string, templateData *bootstrapTemplateD
 		"chown-gatewayd-key.service":      {},
 		"systemd-journal-gatewayd.socket": {},
 		"approve-csr.service":             {},
-		// baremetal platform services
+		// baremetal & openstack platform services
 		"keepalived.service": {},
 		"coredns.service":    {},
 	}
diff --git a/pkg/asset/ignition/machine/node.go b/pkg/asset/ignition/machine/node.go
index 681851c5c40..571ed87fef5 100644
--- a/pkg/asset/ignition/machine/node.go
+++ b/pkg/asset/ignition/machine/node.go
@@ -22,10 +22,7 @@ func pointerIgnitionConfig(installConfig *types.InstallConfig, rootCA []byte, ro
 		// way to configure DNS before Ignition runs.
 		ignitionHost = fmt.Sprintf("%s:22623", installConfig.BareMetal.APIVIP)
 	case openstacktypes.Name:
-		// We can't actually set this to the VIP until we have keepalived patches
-		// merged to machine-config-operator
-		// ignitionHost = fmt.Sprintf("%s:22623", installConfig.Config.OpenStack.APIVIP)
-		ignitionHost = fmt.Sprintf("api-int.%s:22623", installConfig.ClusterDomain())
+		ignitionHost = fmt.Sprintf("%s:22623", installConfig.OpenStack.APIVIP)
 	default:
 		ignitionHost = fmt.Sprintf("api-int.%s:22623", installConfig.ClusterDomain())
 	}
diff --git a/pkg/asset/manifests/infrastructure.go b/pkg/asset/manifests/infrastructure.go
index 5f38001b01f..b86e4e71e8b 100644
--- a/pkg/asset/manifests/infrastructure.go
+++ b/pkg/asset/manifests/infrastructure.go
@@ -117,6 +117,11 @@ func (i *Infrastructure) Generate(dependencies asset.Parents) error {
 		config.Status.PlatformStatus.Type = configv1.NonePlatformType
 	case openstack.Name:
 		config.Status.PlatformStatus.Type = configv1.OpenStackPlatformType
+		config.Status.PlatformStatus.OpenStack = &configv1.OpenStackPlatformStatus{
+			APIServerInternalIP: installConfig.Config.Platform.OpenStack.APIVIP,
+			NodeDNSIP:           installConfig.Config.Platform.OpenStack.DNSVIP,
+			IngressIP:           installConfig.Config.Platform.OpenStack.IngressVIP,
+		}
 	case vsphere.Name:
 		config.Status.PlatformStatus.Type = configv1.VSpherePlatformType
 	default:
diff --git a/pkg/tfvars/openstack/openstack.go b/pkg/tfvars/openstack/openstack.go
index 8bb3ae85a09..409f503cba4 100644
--- a/pkg/tfvars/openstack/openstack.go
+++ b/pkg/tfvars/openstack/openstack.go
@@ -16,12 +16,13 @@ type config struct {
 	LbFloatingIP    string `json:"openstack_lb_floating_ip,omitempty"`
 	APIVIP          string `json:"openstack_api_int_ip,omitempty"`
 	DNSVIP          string `json:"openstack_node_dns_ip,omitempty"`
+	IngressVIP      string `json:"openstack_ingress_ip,omitempty"`
 	TrunkSupport    string `json:"openstack_trunk_support,omitempty"`
 	OctaviaSupport  string `json:"openstack_octavia_support,omitempty"`
 }
 
 // TFVars generates OpenStack-specific Terraform variables.
-func TFVars(masterConfig *v1alpha1.OpenstackProviderSpec, region string, externalNetwork string, lbFloatingIP string, apiVIP string, dnsVIP string, trunkSupport string, octaviaSupport string) ([]byte, error) {
+func TFVars(masterConfig *v1alpha1.OpenstackProviderSpec, region string, externalNetwork string, lbFloatingIP string, apiVIP string, dnsVIP string, ingressVIP string, trunkSupport string, octaviaSupport string) ([]byte, error) {
 	cfg := &config{
 		Region:          region,
 		BaseImage:       masterConfig.Image,
@@ -31,6 +32,7 @@ func TFVars(masterConfig *v1alpha1.OpenstackProviderSpec, region string, externa
 		LbFloatingIP:    lbFloatingIP,
 		APIVIP:          apiVIP,
 		DNSVIP:          dnsVIP,
+		IngressVIP:      ingressVIP,
 		TrunkSupport:    trunkSupport,
 		OctaviaSupport:  octaviaSupport,
 	}
diff --git a/pkg/types/openstack/defaults/platform.go b/pkg/types/openstack/defaults/platform.go
index f7b72f7ecc6..6e1cee2cf16 100644
--- a/pkg/types/openstack/defaults/platform.go
+++ b/pkg/types/openstack/defaults/platform.go
@@ -11,8 +11,9 @@ import (
 
 // Defaults for the openstack platform.
 const (
-	APIVIP = ""
-	DNSVIP = ""
+	APIVIP     = ""
+	DNSVIP     = ""
+	IngressVIP = ""
 )
 
 // SetPlatformDefaults sets the defaults for the platform.
@@ -34,4 +35,13 @@ func SetPlatformDefaults(p *openstack.Platform, c *types.InstallConfig) {
 			p.DNSVIP = vip.String()
 		}
 	}
+
+	if p.IngressVIP == "" {
+		vip, err := cidr.Host(&c.Networking.MachineCIDR.IPNet, 7)
+		if err != nil {
+			p.IngressVIP = fmt.Sprintf("failed to get IngressVIP from MachineCIDR: %s", err.Error())
+		} else {
+			p.IngressVIP = vip.String()
+		}
+	}
 }
diff --git a/pkg/types/openstack/platform.go b/pkg/types/openstack/platform.go
index a996db2d6c8..72dca3d7376 100644
--- a/pkg/types/openstack/platform.go
+++ b/pkg/types/openstack/platform.go
@@ -36,6 +36,9 @@ type Platform struct {
 	// IP in the machineCIDR to use for simulated route53.
 	DNSVIP string `json:"dnsVIP"`
 
+	// IngressVIP is the VIP to use for ingress traffic
+	IngressVIP string `json:"ingressVIP"`
+
 	// TrunkSupport
 	// Whether OpenStack ports can be trunked
 	TrunkSupport string `json:"trunkSupport"`
diff --git a/pkg/types/openstack/validation/platform.go b/pkg/types/openstack/validation/platform.go
index c5be6eb1abf..68ac810965f 100644
--- a/pkg/types/openstack/validation/platform.go
+++ b/pkg/types/openstack/validation/platform.go
@@ -6,6 +6,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation/field"
 
 	"github.com/openshift/installer/pkg/types/openstack"
+	"github.com/openshift/installer/pkg/validate"
 )
 
 // ValidatePlatform checks that the specified platform is valid.
@@ -59,6 +60,20 @@ func ValidatePlatform(p *openstack.Platform, fldPath *field.Path, fetcher ValidV
 	if p.DefaultMachinePlatform != nil {
 		allErrs = append(allErrs, ValidateMachinePool(p.DefaultMachinePlatform, fldPath.Child("defaultMachinePlatform"))...)
 	}
+
+	// Validate VIP Values
+	if err := validate.IP(p.APIVIP); err != nil {
+		allErrs = append(allErrs, field.Invalid(fldPath.Child("apiVIP"), p.APIVIP, err.Error()))
+	}
+
+	if err := validate.IP(p.IngressVIP); err != nil {
+		allErrs = append(allErrs, field.Invalid(fldPath.Child("ingressVIP"), p.IngressVIP, err.Error()))
+	}
+
+	if err := validate.IP(p.DNSVIP); err != nil {
+		allErrs = append(allErrs, field.Invalid(fldPath.Child("dnsVIP"), p.DNSVIP, err.Error()))
+	}
+
 	return allErrs
 }