diff --git a/.typos.toml b/.typos.toml
index ee031846e..7c8b2e0c5 100644
--- a/.typos.toml
+++ b/.typos.toml
@@ -8,6 +8,11 @@ extend-exclude = [
 "containers/*/patches",
 "go.mod",
 "ansible/roles/statuses/defaults/main.yaml",
+ "apps/infra/*.yaml",
+ "apps/operators/*.yaml",
+ "apps/global/*.yaml",
+ "apps/site/*.yaml",
+ "apps/openstack/*.yaml",
 ]
 
 [default]
diff --git a/apps/openstack/cinder.yaml b/apps/openstack/cinder.yaml
new file mode 100644
index 000000000..d3d251785
--- /dev/null
+++ b/apps/openstack/cinder.yaml
@@ -0,0 +1,4 @@
+---
+component: cinder
+repoURL: https://tarballs.opendev.org/openstack/openstack-helm
+chartVersion: 2025.1.3+abd55b4a7
diff --git a/components/cinder/README.md b/components/cinder/README.md
new file mode 100644
index 000000000..e3ba42968
--- /dev/null
+++ b/components/cinder/README.md
@@ -0,0 +1 @@
+# OpenStack Cinder
diff --git a/components/cinder/cinder-mariadb-db.yaml b/components/cinder/cinder-mariadb-db.yaml
new file mode 100644
index 000000000..5558acfec
--- /dev/null
+++ b/components/cinder/cinder-mariadb-db.yaml
@@ -0,0 +1,52 @@
+---
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Database
+metadata:
+ name: cinder
+ namespace: openstack
+spec:
+ # If you want the database to be created with a different name than the resource name
+ # name: data-custom
+ mariaDbRef:
+ name: mariadb # name of the MariaDB kind
+ waitForIt: true
+ characterSet: utf8
+ collate: utf8_general_ci
+ retryInterval: 5s
+---
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: User
+metadata:
+ name: cinder
+ namespace: openstack
+spec:
+ # If you want the user to be created with a different name than the resource name
+ # name: user-custom
+ mariaDbRef:
+ name: mariadb # name of the MariaDB kind
+ waitForIt: true
+ passwordSecretKeyRef:
+ name: cinder-db-password
+ key: password
+ # This field is immutable and defaults to 10, 0 means unlimited.
+ maxUserConnections: 0
+ host: "%"
+ retryInterval: 5s
+---
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Grant
+metadata:
+ name: cinder-grant
+ namespace: openstack
+spec:
+ mariaDbRef:
+ name: mariadb # name of the MariaDB kind
+ waitForIt: true
+ privileges:
+ - "ALL"
+ database: "cinder"
+ table: "*"
+ username: cinder
+ grantOption: true
+ host: "%"
+ retryInterval: 5s
diff --git a/components/cinder/cinder-rabbitmq-queue.yaml b/components/cinder/cinder-rabbitmq-queue.yaml
new file mode 100644
index 000000000..724c54c7e
--- /dev/null
+++ b/components/cinder/cinder-rabbitmq-queue.yaml
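Review bot: The Grant for the cinder service user combines `privileges: ["ALL"]` on `cinder.*` with `grantOption: true`, which lets the service account re-grant its own privileges to other accounts; a service user never needs WITH GRANT OPTION, so `grantOption: false` keeps the grant least-privilege. The User and Grant also use `host: "%"` together with `maxUserConnections: 0`, so reachability of the MariaDB service is the only thing bounding where this credential can be used from; if that is deliberate, a comment on the `host:` line saying what does bound it (network policy or otherwise) would help the next reader. If sibling components share this template the same two points presumably apply to them too.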
@@ -0,0 +1,61 @@
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: User
+metadata:
+ name: cinder
+ namespace: openstack
+spec:
+ tags:
+ - management # available tags are 'management', 'policymaker', 'monitoring' and 'administrator'
+ - policymaker
+ rabbitmqClusterReference:
+ name: rabbitmq # rabbitmqCluster must exist in the same namespace as this resource
+ namespace: openstack
+ importCredentialsSecret:
+ name: cinder-rabbitmq-password
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: Vhost
+metadata:
+ name: cinder-vhost
+ namespace: openstack
+spec:
+ name: "cinder" # vhost name; required and cannot be updated
+ defaultQueueType: quorum # default queue type for this vhost; require RabbitMQ version 3.11.12 or above
+ rabbitmqClusterReference:
+ name: rabbitmq # rabbitmqCluster must exist in the same namespace as this resource
+ namespace: openstack
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: Permission
+metadata:
+ name: cinder-permission
+ namespace: openstack
+spec:
+ vhost: "cinder" # name of a vhost
+ userReference:
+ name: "cinder" # name of a user.rabbitmq.com in the same namespace; must specify either spec.userReference or spec.user
+ permissions:
+ write: ".*"
+ configure: ".*"
+ read: ".*"
+ rabbitmqClusterReference:
+ name: rabbitmq # rabbitmqCluster must exist in the same namespace as this resource
+ namespace: openstack
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: Policy
+metadata:
+ name: cinder-notifications-ttl
+ namespace: openstack
+spec:
+ name: cinder-notifications-ttl # name of the policy
+ vhost: "cinder" # default to '/' if not provided
+ pattern: "^notifications.*" # regex used to match queues and exchanges
+ applyTo: "queues" # set to 'queues', 'exchanges', or 'all'
+ priority: 1 # defaults to 0
+ definition: # policy definition
+ message-ttl: 86400000
+ rabbitmqClusterReference:
+ name: rabbitmq # rabbitmqCluster must exist in the same namespace as this resource
+ namespace: openstack
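Review bot: The cinder User is given the `management` and `policymaker` tags, but nothing in this file needs them: the TTL policy is applied by the operator through the Policy resource, and the service itself only needs the AMQP permissions granted on the `cinder` vhost by the Permission resource. Dropping `policymaker` (and `management`, unless cinder is known to use the HTTP API) keeps the broker credential least-privilege; if the tags are copied from sibling components for consistency, a comment on the `tags:` line saying so would make that explicit. Separately, `importCredentialsSecret` relies on the referenced Secret `cinder-rabbitmq-password` carrying both a `username` and a `password` key; that Secret is produced outside this diff, so it cannot be confirmed here.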
diff --git a/components/cinder/kustomization.yaml b/components/cinder/kustomization.yaml
new file mode 100644
index 000000000..2c03b4709
--- /dev/null
+++ b/components/cinder/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - cinder-mariadb-db.yaml
+ - cinder-rabbitmq-queue.yaml
diff --git a/components/cinder/values.yaml b/components/cinder/values.yaml
new file mode 100644
index 000000000..10e2e68d4
--- /dev/null
+++ b/components/cinder/values.yaml
@@ -0,0 +1,163 @@
+---
+release_group: null
+
+conf:
+ backends:
+ # disable the hardcoded one in the OpenStack Helm values.yaml
+ rbd1: null
+
+# typically overridden by environmental
+# values, but should include all endpoints
+# required by this chart
+endpoints:
+ oslo_messaging:
+ statefulset:
+ replicas: 3
+ name: rabbitmq-server
+ hosts:
+ default: rabbitmq-nodes
+ volumev3:
+ port:
+ api:
+ public: 443
+ scheme:
+ public: https
+ path:
+ # since the Yoga release it is not necessary to include the tenant_id
+ # in the URL
+ default: '/v3'
+ host_fqdn_override:
+ public:
+ tls:
+ secretName: cinder-tls-public
+ issuerRef:
+ name: understack-cluster-issuer
+ kind: ClusterIssuer
+
+
+network:
+ # configure OpenStack Helm to use Undercloud's ingress
+ # instead of expecting the ingress controller provided
+ # by OpenStack Helm
+ use_external_ingress_controller: true
+ api:
+ ingress:
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ # set our default issuer
+ cert-manager.io/cluster-issuer: understack-cluster-issuer
+
+pod:
+ mounts:
+ cinder_volume:
+ cinder_volume:
+ # necessary because the netapp driver requires this for scratch space
+ # and even makes sure its writeable a better approach should go upstream
+ volumeMounts:
+ - mountPath: /var/lib/cinder
+ name: var-lib-cinder
+ volumes:
+ - name: var-lib-cinder
+ emptyDir: {}
+ lifecycle:
+ disruption_budget:
+ deployments:
+ # this should be set to no more than (pod.replicas.server - 1)
+ # usually set on per-deployment basis.
+ min_available: 0
+dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs: null
+ static:
+ api:
+ jobs:
+ - cinder-db-sync
+ - cinder-ks-user
+ - cinder-ks-endpoints
+ services:
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: identity
+ db_sync:
+ jobs:
+ backup:
+ jobs:
+ - cinder-db-sync
+ - cinder-ks-user
+ - cinder-ks-endpoints
+ db_purge:
+ jobs:
+ - cinder-db-sync
+ - cinder-ks-user
+ - cinder-ks-endpoints
+ scheduler:
+ jobs:
+ - cinder-db-sync
+ - cinder-ks-user
+ - cinder-ks-endpoints
+ volume:
+ jobs:
+ - cinder-db-sync
+ - cinder-ks-user
+ - cinder-ks-endpoints
+ volume_usage_audit:
+ jobs:
+ - cinder-db-sync
+ - cinder-ks-user
+ - cinder-ks-endpoints
+
+manifests:
+ secret_keystone: true
+ job_backup_storage_init: false
+ job_bootstrap: false
+ job_db_init: false
+ job_db_drop: false
+ job_rabbit_init: false
+ job_storage_init: false
+ pod_rally_test: false
+ secret_db: false
+ secret_ingress_tls: false
+ secret_rabbitmq: false
+ secret_registry: false
+ service_ingress_api: false
+ deployment_backup: false
+
+# We don't want to enable OpenStack Helm's
+# helm.sh/hooks because they set them as
+# post-install,post-upgrade which in ArgoCD
+# maps to PostSync. However the deployments
+# and statefulsets in OpenStack Helm
+# depend on the jobs to complete to become
+# healthy. Which they cannot because they are in
+# the post step and not in the main step.
+# Turning this on results in the keys jobs
+# editing the annotation which deletes the item
+# and wipes our keys.
+helm3_hook: false
+
+annotations:
+ job:
+ cinder_db_sync:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+ cinder_ks_service:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+ cinder_ks_user:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+ cinder_ks_endpoints:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+ cinder_image_repo_sync:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+ cinder_clean:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+ cinder_create_internal_tenant:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
diff --git a/components/openstack-secrets.tpl.yaml b/components/openstack-secrets.tpl.yaml
index f6d5099f2..574d465c0 100644
--- a/components/openstack-secrets.tpl.yaml
+++ b/components/openstack-secrets.tpl.yaml
@@ -28,6 +28,9 @@ endpoints:
 # this user is the service account that placement uses
 placement:
 password: "${PLACEMENT_KEYSTONE_PASSWORD}"
+ # this user is the service account that cinder uses
+ cinder:
+ password: "${CINDER_KEYSTONE_PASSWORD}"
 
 # set our public facing URL
 host_fqdn_override:
@@ -64,6 +67,9 @@ endpoints:
 # this is what the horizon dashboard service uses to connect to MariaDB
 horizon:
 password: "${HORIZON_DB_PASSWORD}"
+ # this is what the cinder service uses to connect to MariaDB
+ cinder:
+ password: "${CINDER_DB_PASSWORD}"
 
 # 'oslo_db_api' is for MariaDB specific for nova
 oslo_db_api:
@@ -95,6 +101,9 @@ endpoints:
 # this is what the nova service uses to connect to RabbitMQ
 nova:
 password: "${NOVA_RABBITMQ_PASSWORD}"
+ # this is what the cinder service uses to connect to RabbitMQ
+ cinder:
+ password: "${CINDER_RABBITMQ_PASSWORD}"
 
 # 'baremetal' is the ironic service
 baremetal:
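Review bot: The `var-lib-cinder` scratch volume is declared as `emptyDir: {}` with no `sizeLimit`, so whatever the volume driver writes there competes with every other pod for the node's ephemeral storage; since the comment says the driver uses it as scratch space, a bounded `emptyDir: {sizeLimit: <size>}` (constructed placeholder, pick per environment) stops one large operation from evicting neighbours. Separately, `conf.backends.rbd1: null` removes the chart's only backend and no replacement is defined in this file, so presumably the environment values add one; a comment at `backends:` naming where the real backend comes from would save the next reader a search. The values file is new, so the whole document is within the hunk.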
@@ -137,4 +146,11 @@ endpoints:
 host_fqdn_override:
 public:
 host: horizon.${DNS_ZONE}
+
+ # 'volumev3' is the cinder service
+ volumev3:
+ # set our public facing URL
+ host_fqdn_override:
+ public:
+ host: cinder.${DNS_ZONE}
 ...
diff --git a/scripts/gitops-secrets-gen.sh b/scripts/gitops-secrets-gen.sh
index 6c613775a..93653b35a 100755
--- a/scripts/gitops-secrets-gen.sh
+++ b/scripts/gitops-secrets-gen.sh
@@ -299,7 +299,7 @@ create_os_secret() {
 ## OpenStack component secret generation
 ## each openstack component is very similar to collapse this
 ## into a loop to generate the same thing for each
-for component in keystone ironic placement neutron nova glance; do
+for component in keystone ironic placement neutron nova glance cinder; do
 echo "Checking ${component}"
 mkdir -p "${DEST_DIR}/${component}/"
 # keystone service account username
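Review bot: Adding `cinder` to the `for component in ...` list only produces whatever the loop body generates, and that body runs past the end of the hunk. The new resources elsewhere in this diff depend on a Secret `cinder-db-password` with key `password` and a Secret `cinder-rabbitmq-password` existing in the `openstack` namespace, so it is worth confirming the loop body emits exactly those names and keys for the new component (the existing components presumably already rely on the same convention). A short comment above the loop listing the secret names each iteration creates would make that contract visible without reading the body.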