diff --git a/.github/workflows/build-container-reuse.yaml b/.github/workflows/build-container-reuse.yaml index 05ae3e2e1..787eb2c86 100644 --- a/.github/workflows/build-container-reuse.yaml +++ b/.github/workflows/build-container-reuse.yaml @@ -27,6 +27,19 @@ on: type: string default: 'latest' description: 'Tag name to use for latest (e.g., "latest" or "2025.2")' + context_path: + required: false + type: string + default: '{{ defaultContext }}' + description: 'Path to docker context' + prebuild_script: + required: false + type: string + description: 'path to shell script to run before building the containers' + prebuild_script_working_dir: + type: string + default: "." + description: 'directory which the prebuild_script will run' jobs: build: @@ -66,11 +79,18 @@ jobs: # that are arch specific so populate them at the index as well. DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index + - uses: actions/checkout@v4 + - name: Run prebuild script + if: ${{ inputs.prebuild_script != '' }} + run: "${{ inputs.prebuild_script }}" + working-directory: ${{ inputs.prebuild_script_working_dir }} + - name: build and push container image uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 with: file: ${{ inputs.dockerfile_path }} build-args: ${{ inputs.build_args }} + context: ${{ inputs.context_path }} pull: true push: true tags: ${{ steps.meta.outputs.tags }} diff --git a/.github/workflows/containers-openstack.yaml b/.github/workflows/containers-openstack.yaml index 9437117b2..d429e7657 100644 --- a/.github/workflows/containers-openstack.yaml +++ b/.github/workflows/containers-openstack.yaml 
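Review bot: The `context_path` description in build-container-reuse.yaml does not say that the default `{{ defaultContext }}` is docker/build-push-action's Git context, which builds from the Git ref and ignores files changed in the workspace by earlier steps. Anything `prebuild_script` generates therefore reaches the build only when the caller passes a workspace path, and the description should say so, e.g. `description: 'Docker build context; defaults to the Git context, pass a workspace path when prebuild_script generates files'`. The default is spelled `{{ defaultContext }}` here and `{{defaultContext}}` in containers.yaml; use one spelling. `prebuild_script_working_dir` is the only new input without an explicit `required: false`.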
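Review bot: In the "Run prebuild script" step, `run: "${{ inputs.prebuild_script }}"` expands the input into the script text before the shell starts, so shell metacharacters in a caller-supplied value are executed instead of being treated as a path. Pass the value through the environment: add `env:` with `PREBUILD_SCRIPT: ${{ inputs.prebuild_script }}` and use `run: '"$PREBUILD_SCRIPT"'`. The new `actions/checkout@v4` is pinned by tag while `docker/build-push-action` in the same job is pinned by commit; use `actions/checkout@<full-commit-sha> # v4` and set `persist-credentials: false`, since the next step executes a repository script. The job starts outside this hunk, so it is not visible whether registry credentials are already loaded when the script runs; if they are, move the prebuild step ahead of the login.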
@@ -6,18 +6,23 @@ on: - v* branches: - main - paths: - - "containers/**" + paths: &triggerpaths + - "containers/cinder/**" + - "containers/glance/**" + - "containers/horizon/**" + - "containers/ironic/**" + - "containers/keystone/**" + - "containers/neutron/**" + - "containers/nova/**" + - "containers/octavia/**" + - "containers/openstack-client/**" + - "containers/placement/**" - ".github/workflows/containers-openstack.yaml" - ".github/workflows/build-container-reuse.yaml" - "python/**" pull_request: types: [opened, synchronize, reopened, closed] - paths: - - "containers/**" - - ".github/workflows/containers-openstack.yaml" - - ".github/workflows/build-container-reuse.yaml" - - "python/**" + paths: *triggerpaths workflow_dispatch: merge_group: types: [checks_requested] diff --git a/.github/workflows/containers.yaml b/.github/workflows/containers.yaml index 3720a9468..33014bf1d 100644 --- a/.github/workflows/containers.yaml +++ b/.github/workflows/containers.yaml @@ -6,18 +6,18 @@ on: - v* branches: - main - paths: + paths: &triggerpaths - "ansible/**" - - "containers/**" + - "containers/ansible/**" + - "containers/dnsmasq/**" + - "containers/ironic-nautobot-client/**" + - "containers/ironic-vnc-client/**" + - "containers/understack-tests/**" - ".github/workflows/containers.yaml" - ".github/workflows/build-container-reuse.yaml" pull_request: types: [opened, synchronize, reopened, closed] - paths: - - "ansible/**" - - "containers/**" - - ".github/workflows/containers.yaml" - - ".github/workflows/build-container-reuse.yaml" + paths: *triggerpaths workflow_dispatch: merge_group: types: [checks_requested] 
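Review bot: The new path filter in containers.yaml lists `containers/ironic-vnc-client/**`, but the matrix entry and the directory added by this commit are named `ironic-vnc-container`. Changes to that container, including a bump of the pinned upstream commit in `sync_from_upstream.sh`, would not trigger this workflow on push or pull_request. The entry should read `- "containers/ironic-vnc-container/**"`. Because `paths: *triggerpaths` reuses the same list, the one fix covers both triggers.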
@@ -27,13 +27,26 @@ jobs: strategy: matrix: container: - - ansible - - dnsmasq - - ironic-nautobot-client - - understack-tests + - name: ansible + target: prod + - name: dnsmasq + target: prod + - name: ironic-nautobot-client + target: prod + - name: understack-tests + target: prod + - name: ironic-vnc-container + target: '' + dockerfile_path: ./containers/ironic-vnc-container/Dockerfile + context_path: "./containers/ironic-vnc-container/" + prebuild_script: ./sync_from_upstream.sh + prebuild_script_working_dir: containers/ironic-vnc-container/ uses: ./.github/workflows/build-container-reuse.yaml secrets: inherit with: - container_name: ${{ matrix.container }} - dockerfile_path: containers/${{ matrix.container }}/Dockerfile - target: prod + container_name: ${{ matrix.container.name }} + dockerfile_path: ${{ matrix.container.dockerfile_path || format('containers/{0}/Dockerfile', matrix.container.name) }} + target: ${{ matrix.container.target }} + context_path: ${{ matrix.container.context_path || '{{defaultContext}}' }} + prebuild_script: ${{ matrix.container.prebuild_script }} + prebuild_script_working_dir: ${{ matrix.container.prebuild_script_working_dir }} diff --git a/components/ironic/kustomization.yaml b/components/ironic/kustomization.yaml index 892c74827..6a62a390d 100644 --- a/components/ironic/kustomization.yaml +++ b/components/ironic/kustomization.yaml @@ -12,3 +12,6 @@ resources: # working due to the way the chart hardcodes the config-file parameter which then # takes precedence over the directory - configmap-ironic-bin.yaml + # Graphical consoles + - role-ironic-graphical-console.yaml + - role-binding-ironic-graphical-console.yaml diff --git a/components/ironic/role-binding-ironic-graphical-console.yaml b/components/ironic/role-binding-ironic-graphical-console.yaml new file mode 100644 index 000000000..ea6765515 --- /dev/null +++ b/components/ironic/role-binding-ironic-graphical-console.yaml 
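Review bot: `prebuild_script_working_dir: ${{ matrix.container.prebuild_script_working_dir }}` in containers.yaml evaluates to an empty string for the four entries that do not set it, and an explicitly passed empty value may not fall back to the callee's `"."` default. This is harmless today only because the prebuild step is skipped when `prebuild_script` is empty. Mirror the `context_path` line and write `${{ matrix.container.prebuild_script_working_dir || '.' }}`. The `ironic-vnc-container` entry also deserves a comment such as `# Dockerfile and sources are written by sync_from_upstream.sh at build time`, which explains why it alone needs a workspace context and a prebuild script.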
@@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: openstack-ironic-graphical-console + namespace: openstack +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ironic-graphical-console +subjects: + - kind: ServiceAccount + name: ironic-conductor + namespace: namespace diff --git a/components/ironic/role-ironic-graphical-console.yaml b/components/ironic/role-ironic-graphical-console.yaml new file mode 100644 index 000000000..53242c25e --- /dev/null +++ b/components/ironic/role-ironic-graphical-console.yaml @@ -0,0 +1,23 @@ +# Allows Ironic conductor to appropriately manage resources required to provide +# graphical console functionality. +# At the moment, these are console container Pods and Secrets. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: ironic-console-provider + namespace: metadata +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - create + - delete + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete diff --git a/components/ironic/values.yaml b/components/ironic/values.yaml index 9fe31b8d6..e96c07166 100644 --- a/components/ironic/values.yaml +++ b/components/ironic/values.yaml @@ -105,6 +105,11 @@ conf: use_web_server_for_images: true nova: auth_type: password + vnc: + enable: true + container_provider: kubernetes + console_image: ghcr.io/understack/ironic-console-image:latest + # kubernetes_container_template: $pybasedir/console/container/ironic-console-pod.yaml.template endpoints: oslo_messaging: diff --git a/containers/ironic-vnc-container/sync_from_upstream.sh b/containers/ironic-vnc-container/sync_from_upstream.sh new file mode 100755 index 000000000..a2600cf99 --- /dev/null +++ b/containers/ironic-vnc-container/sync_from_upstream.sh 
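Review bot: In role-binding-ironic-graphical-console.yaml, `roleRef.name: ironic-graphical-console` does not match the Role added in role-ironic-graphical-console.yaml, which is named `ironic-console-provider`, so the binding points at a Role this commit does not create. The namespaces look like unfilled placeholders: the subject has `namespace: namespace` and the Role has `namespace: metadata`, while the binding itself is in `openstack`. A RoleBinding can only reference a Role in its own namespace, so all three should agree, presumably on `namespace: openstack`; confirm where the `ironic-conductor` ServiceAccount lives. Using one name across the Role, the roleRef and the file names would make the grant easier to audit.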
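Review bot: The two rules in role-ironic-graphical-console.yaml grant `create` and `delete` on every Pod and Secret in the Role's namespace, which is broader than the header comment's "console container Pods and Secrets" suggests. `delete` without `resourceNames` covers unrelated Secrets, and Kubernetes documents Pod creation in a namespace as giving indirect access to that namespace's Secrets and ServiceAccounts. If the console provider can target a separate namespace, binding the Role there keeps the conductor's new rights away from the OpenStack service credentials. Otherwise state the limitation in the file, e.g. `# NOTE: namespace-wide; RBAC cannot scope create by resource name`.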
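Review bot: `console_image: ghcr.io/understack/ironic-console-image:latest` in components/ironic/values.yaml uses a mutable tag, so the conductor will create console Pods from whatever that tag points to at pull time. Pin it to a version tag or digest, e.g. `ghcr.io/understack/ironic-console-image@sha256:<digest>`. The CI matrix in this commit builds a container named `ironic-vnc-container`, so it is worth confirming that the published image name matches this reference; the naming logic of the reusable workflow is not visible here. The commented-out `kubernetes_container_template` line should either be removed or carry a note saying when to enable it.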
@@ -0,0 +1,25 @@ +#!/bin/bash +set -ex +UPSTREAM_COMMIT="856238c56acb669c8e10cf1f0e0f4e0c9467c7e9" + +if ! [[ -f sync_from_upstream.sh ]]; then + echo "Run ./sync_from_upstream.sh only from the containers/ironic-vnc-console folder." + exit 1 +fi + +DST=$(mktemp -d) + +git clone https://opendev.org/openstack/ironic.git "$DST" --depth 1 --revision "$UPSTREAM_COMMIT" + +for folder in bin drivers extension; do + rm -rf "$folder" + cp -r "$DST/tools/vnc-container/$folder" "$folder" +done + +cp "$DST/tools/vnc-container/Containerfile.ubuntu" Dockerfile +cp "$DST/LICENSE" LICENSE +rm -rf "$DST" + +echo "# Attribution" > NOTICE +echo "Obtained from https://opendev.org/openstack/ironic.git /tools/vnc-container" >> NOTICE +echo "Upstream commit: $UPSTREAM_COMMIT" >> NOTICE diff --git a/containers/ironic/Dockerfile b/containers/ironic/Dockerfile index aecd33c7a..86c301c24 100644 --- a/containers/ironic/Dockerfile +++ b/containers/ironic/Dockerfile @@ -29,10 +29,17 @@ RUN cd /var/lib/openstack/lib/python3.12/site-packages && \ ARG OPENSTACK_VERSION="required_argument" FROM quay.io/airshipit/ironic:${OPENSTACK_VERSION}-ubuntu_noble AS final +SHELL ["/bin/bash", "-o", "pipefail", "-c"] +RUN wget -qO- https://pkgs.k8s.io/core:/stable:/v1.35/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg && \ + chmod 644 /etc/apt/keyrings/kubernetes-apt-keyring.gpg && \ + echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.35/deb/ /' > /etc/apt/sources.list.d/kubernetes.list && \ + chmod 644 /etc/apt/sources.list.d/kubernetes.list + RUN apt-get update && \ apt-get install -y --no-install-recommends \ genisoimage \ isolinux \ + kubectl \ && apt-get clean && rm -rf /var/lib/apt/lists/* COPY --from=build --link /var/lib/openstack /var/lib/openstack
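Review bot: In sync_from_upstream.sh the temporary clone in `$DST` is removed only on the success path; with `set -e` a failing `cp` leaves it behind, so add `trap 'rm -rf "$DST"' EXIT` right after `DST=$(mktemp -d)`. `git clone --revision` is a recent Git option (2.49, as far as I know), so the script will fail on runners or workstations with an older Git, and that requirement should be checked or documented at the top. The guard message names `containers/ironic-vnc-console` while the script lives in `containers/ironic-vnc-container`. Pinning the full commit hash is the right call here, since the copied `Containerfile.ubuntu` becomes the Dockerfile that CI builds and pushes.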
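Review bot: In containers/ironic/Dockerfile the apt repository key is trusted purely on the HTTPS download in `wget -qO- …/Release.key | gpg --dearmor`; nothing checks that it is the expected key before apt is told to trust it. Compare its fingerprint against a value kept in the repo (`<EXPECTED_KEY_FINGERPRINT>`), or vendor the key file and `COPY` it into `/etc/apt/keyrings/`. `kubectl` is installed unpinned from the `v1.35` channel, so rebuilds can pick up different patch releases; `kubectl=<pinned-version>` keeps the image reproducible. The RUN also assumes `wget`, `gpg` and `/etc/apt/keyrings` exist in the base image, which cannot be confirmed from this hunk.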