diff --git a/sysinv/sysinv/sysinv/sysinv/helm/nova.py b/sysinv/sysinv/sysinv/sysinv/helm/nova.py
index 73333cca37..c3303021d3 100644
--- a/sysinv/sysinv/sysinv/sysinv/helm/nova.py
+++ b/sysinv/sysinv/sysinv/sysinv/helm/nova.py
@@ -52,6 +52,8 @@ class NovaHelm(openstack.OpenstackBaseHelm):
 def get_overrides(self, namespace=None):
 scheduler_filters = SCHEDULER_FILTERS_COMMON
+ ssh_privatekey, ssh_publickey = \
+ self._get_or_generate_ssh_keys(self.SERVICE_NAME, common.HELM_NS_OPENSTACK)
 overrides = {
 common.HELM_NS_OPENSTACK: {
 'pod': {
@@ -156,10 +158,18 @@ class NovaHelm(openstack.OpenstackBaseHelm):
 'nova_compute': {
 'hosts': self._get_per_host_overrides()
 }
- }
+ },
+ 'ssh_private': ssh_privatekey,
+ 'ssh_public': ssh_publickey,
 },
 'endpoints': self._get_endpoints_overrides(),
 'images': self._get_images_overrides(),
+ 'network': {
+ 'sshd': {
+ 'enabled': True,
+ 'from_subnet': self._get_ssh_subnet(),
+ }
+ }
 }
 }
@@ -357,6 +367,12 @@ class NovaHelm(openstack.OpenstackBaseHelm):
 libvirt_config.update({'live_migration_inbound_addr': cluster_host_ip})
 vnc_config.update({'vncserver_proxyclient_address': cluster_host_ip})
+ def _get_ssh_subnet(self):
+ cluster_host_network = self.dbapi.network_get_by_type(
+ constants.NETWORK_TYPE_CLUSTER_HOST)
+ address_pool = self.dbapi.address_pool_get(cluster_host_network.pool_uuid)
+ return '%s/%s' % (str(address_pool.network), str(address_pool.prefix))
+
 def _update_host_memory(self, host, default_config):
 vswitch_2M_pages = []
 vswitch_1G_pages = []
diff --git a/sysinv/sysinv/sysinv/sysinv/helm/openstack.py b/sysinv/sysinv/sysinv/sysinv/helm/openstack.py
index dd22efa65e..26624e774c 100644
--- a/sysinv/sysinv/sysinv/sysinv/helm/openstack.py
+++ b/sysinv/sysinv/sysinv/sysinv/helm/openstack.py
@@ -7,6 +7,7 @@
 import keyring
 import subprocess
+from Crypto.PublicKey import RSA
 from sysinv.helm import base
 from sysinv.helm import common
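Review bot: `'ssh_private': ssh_privatekey` in the second nova.py hunk puts the PEM private key into the returned overrides dict next to ordinary configuration, so any path that logs, displays or exports these overrides now carries the key. Whether the chart renders this value into a Kubernetes Secret rather than a ConfigMap is not visible here and should be confirmed. The pair comes from the `_get_or_generate_ssh_keys` call added in the first hunk, which means `get_overrides` can now generate a key and write to the database on its first call; a comment at the call site such as `# generates and persists the key pair on first use` would make that side effect visible. The `network.sshd` block also hard-codes `'enabled': True` and admits the whole cluster-host subnet, so a short comment saying what the sshd is for and why the full subnet is allowed would help later reviewers.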
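Review bot: `_get_ssh_subnet` in the third nova.py hunk has no docstring, although the CIDR it returns becomes the allowed source range for sshd via `from_subnet`. Something like `"""Return the cluster-host network as a CIDR string, used to restrict sshd access."""` would make that security role explicit. The method also has no handling for a missing cluster-host network or address pool; whether `network_get_by_type` and `address_pool_get` raise on a miss is not visible here, but if they do the exception propagates out of `get_overrides`.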
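Review bot: `from Crypto.PublicKey import RSA` in openstack.py resolves to whichever distribution provides the `Crypto` namespace, and the original PyCrypto package is no longer maintained while PyCryptodome ships the same namespace as a maintained replacement. This import now sits on the path that generates a long-lived SSH key, so it is worth confirming which distribution the sysinv requirements pin; the requirements file is not part of this diff.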
@@ -227,3 +228,34 @@ class OpenstackBaseHelm(base.BaseHelm):
 service, user, pw_format=common.PASSWORD_FORMAT_CEPH)
 return passwords[service][user]
+
+ def _get_or_generate_ssh_keys(self, chart, namespace):
+ try:
+ override = self.dbapi.helm_override_get(name=chart,
+ namespace=namespace)
+ except exception.HelmOverrideNotFound:
+ # Override for this chart not found, so create one
+ values = {
+ 'name': chart,
+ 'namespace': namespace,
+ }
+ override = self.dbapi.helm_override_create(values=values)
+
+ privatekey = override.system_overrides.get('privatekey', None)
+ publickey = override.system_overrides.get('publickey', None)
+
+ if privatekey and publickey:
+ return str(privatekey), str(publickey)
+
+ # ssh keys are not set so generate them and store in overrides
+ key = RSA.generate(2048)
+ pubkey = key.publickey()
+ newprivatekey = key.exportKey('PEM')
+ newpublickey = pubkey.exportKey('OpenSSH')
+ values = {'system_overrides': override.system_overrides}
+ values['system_overrides'].update({'privatekey': newprivatekey,
+ 'publickey': newpublickey})
+ self.dbapi.helm_override_update(
+ name=chart, namespace=namespace, values=values)
+
+ return newprivatekey, newpublickey
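Review bot: The generated private key is written into `system_overrides` as plain PEM through `helm_override_update`, so it lives in the same record as ordinary chart values and comes back on every `helm_override_get` for this chart. Nothing in this hunk limits who can read that record; the module already imports `keyring` for service passwords, which may be a better home for the private half. The two return paths also differ: stored values go through `str()`, while the fresh pair is returned as the raw `exportKey()` output, which would be bytes on Python 3, so the first call can hand callers a different type than later calls. The get-then-update sequence shows no lock, so two concurrent callers could each generate a pair and the last write would win. A docstring such as `"""Return the chart's SSH key pair, generating and persisting it on first use."""` would document the side effect.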