diff --git a/manifests/profile/pacemaker/ovn_dbs_bundle.pp b/manifests/profile/pacemaker/ovn_dbs_bundle.pp
index 743039a5f..ab7054006 100644
--- a/manifests/profile/pacemaker/ovn_dbs_bundle.pp
+++ b/manifests/profile/pacemaker/ovn_dbs_bundle.pp
@@ -52,6 +52,14 @@
 #   The TCP port in which the OVN Southbound DB listens to.
 #   Defaults to 6642
 #
+# [*meta_params*]
+#   (optional) Additional meta parameters to pass to "pcs resource create" for the VIP
+#   Defaults to ''
+#
+# [*op_params*]
+#   (optional) Additional op parameters to pass to "pcs resource create" for the VIP
+#   Defaults to ''
+#
 # [*container_backend*]
 #   (optional) Container backend to use when creating the bundle
 #   Defaults to 'docker'
@@ -79,6 +87,8 @@ class tripleo::profile::pacemaker::ovn_dbs_bundle (
   $ovn_dbs_vip          = hiera('ovn_dbs_vip'),
   $nb_db_port           = 6641,
   $sb_db_port           = 6642,
+  $meta_params          = '',
+  $op_params            = '',
   $container_backend    = 'docker',
   $tls_priorities       = hiera('tripleo::pacemaker::tls_priorities', undef),
   $enable_internal_tls  = hiera('enable_internal_tls', false),
@@ -201,6 +211,45 @@ nb_master_protocol=ssl sb_master_protocol=ssl"
         bundle          => 'ovn-dbs-bundle',
       }
 
+      # This code tells us if ovn_dbs is using a separate ip or is using a the per-network VIP
+      $ovn_dbs_network = hiera('ovn_dbs_network', undef)
+      $net_vip_map = hiera('network_virtual_ips', undef)
+      if $ovn_dbs_network != undef and $net_vip_map != undef and $ovn_dbs_network in $net_vip_map {
+        $old_vip = $net_vip_map[$ovn_dbs_network]['ip_address']
+        if $old_vip != $ovn_dbs_vip {
+          $ovn_separate_vip = true
+        } else {
+          $ovn_separate_vip = false
+        }
+      } else {
+          $ovn_separate_vip = false
+      }
+
+      # We create a separate VIP only in case OVN has been configured so via THT
+      # in the non-separate case it will be created in the haproxy vip manifests
+      if $ovn_separate_vip {
+        if is_ipv6_address($ovn_dbs_vip) {
+          $netmask        = '128'
+          $nic            = interface_for_ip($ovn_dbs_vip)
+          $ipv6_addrlabel = '99'
+        } else {
+          $netmask        = '32'
+          $nic            = ''
+          $ipv6_addrlabel = ''
+        }
+
+        pacemaker::resource::ip { "${ovndb_vip_resource_name}":
+          ip_address     => $ovn_dbs_vip,
+          cidr_netmask   => $netmask,
+          nic            => $nic,
+          ipv6_addrlabel => $ipv6_addrlabel,
+          location_rule  => $ovn_dbs_location_rule,
+          meta_params    => "resource-stickiness=INFINITY ${meta_params}",
+          op_params      => $op_params,
+          tries          => $pcs_tries,
+        }
+      }
+
       pacemaker::constraint::colocation { "${ovndb_vip_resource_name}-with-${ovndb_servers_resource_name}":
         source       => "${ovndb_vip_resource_name}",
         target       => 'ovn-dbs-bundle',
@@ -218,10 +267,42 @@ nb_master_protocol=ssl sb_master_protocol=ssl"
         tries             => $pcs_tries,
       }
 
-      Pacemaker::Resource::Bundle['ovn-dbs-bundle']
-        -> Pacemaker::Resource::Ocf["${ovndb_servers_resource_name}"]
-          -> Pacemaker::Constraint::Order["${ovndb_vip_resource_name}-with-${ovndb_servers_resource_name}"]
-            -> Pacemaker::Constraint::Colocation["${ovndb_vip_resource_name}-with-${ovndb_servers_resource_name}"]
+      # (bandini) we can remove this old constraint removal piece once queens is out of support
+      # If we do a minor update or a redeploy against a cloud that did not already have the
+      # separate OVN VIP, we want to be sure that the old constraints are gone. At this
+      # point we cannot use the ovndb_resource_name because that is now the new IP
+      # To be on the safe side, we fetch the network that ovn_dbs is supposed to listen on
+      # hiera('ovn_dbs_network') and find out the VIP on that network
+      # NB: we cannot use ensure -> absent and a pacmeaker constraint resource because we would
+      # get duplicate resource errors, hence the exec usage
+      if hiera('stack_action') == 'UPDATE' and $ovn_separate_vip {
+        # We only remove these constraints if we're sure the ovn_dbs VIP is different
+        # from the old VIP
+        $old_vip_name = "ip-${old_vip}"
+        $old_order_constraint = "order-ovn-dbs-bundle-${old_vip_name}-Optional"
+        exec { "remove-old-${old_vip_name}-order-${ovndb_servers_resource_name}":
+          command => "pcs constraint remove ${old_order_constraint}",
+          onlyif  => "pcs constraint order --full | egrep -q 'id:${old_order_constraint}'",
+          tries   => $pcs_tries,
+          path    => ['/sbin', '/usr/sbin', '/bin', '/usr/bin'],
+          tag     => 'ovn_dbs_remove_old_cruft',
+        }
+        $old_colocation_constraint = "colocation-${old_vip_name}-ovn-dbs-bundle-INFINITY"
+        exec { "remove-old-${old_vip_name}-colocation-${ovndb_servers_resource_name}":
+          command => "pcs constraint remove ${old_colocation_constraint}",
+          onlyif  => "pcs constraint colocation --full | egrep -q 'id:${old_colocation_constraint}'",
+          tries   => $pcs_tries,
+          path    => ['/sbin', '/usr/sbin', '/bin', '/usr/bin'],
+          tag     => 'ovn_dbs_remove_old_cruft',
+        }
+      }
+      # End of constraint removal section
+
+      Pcmk_bundle<| title == 'ovn-dbs-bundle' |>
+      -> Pcmk_resource<| title == "${ovndb_servers_resource_name}" |>
+        -> Pcmk_resource<| title == "${ovndb_vip_resource_name}" |>
+          -> Pcmk_constraint<| title == "${ovndb_vip_resource_name}-with-${ovndb_servers_resource_name}" |>
+            -> Pcmk_constraint<| title == "${ovndb_vip_resource_name}-with-${ovndb_servers_resource_name}" |>
     }
   }
 }