diff --git a/classes/cluster/aaa-ha-freeipa/README.adoc b/classes/cluster/aaa-ha-freeipa/README.adoc
new file mode 100644
index 0000000..95f60d4
--- /dev/null
+++ b/classes/cluster/aaa-ha-freeipa/README.adoc
@@ -0,0 +1,49 @@
+
+
+== AAA / Identity virtual lab
+
+The purpose of the this lab is to develop full featured AAA / Identity product
+that would ship side-by-side our MCP OpenStack / Kubernetes solution.
+
+We develop this independently to other our products. Expected use-cases for the
+final product:
+
+* integrate with MCP OpenSatack/K8s
+* sell/deploy independently as mature AAA/Identity solution
+
+=== Workproducts
+
+This lab, once implemented is expected to provide:
+
+* reclass-system (shared model) usable production defaults for apps.
+* core/base formulas to support identity features on Ubuntu/RHEL
+* updates in exsisting formulas/apps to support SSO, SSSD, SAML etc.
+* documentation to enable features for current deployments
+* test procedures for QA
+
+
+== Infrastructure
+
+Virtual lab:
+  1x cfg, SaltMaster (Ubuntu)
+  3x idm, FreeIPA (Centos)
+  2x prx, Nginx, Apps (Ubuntu)
+
+For production we should assume these types of delivery:
+
+1. physical/virtual deployment (current focus)
+2. kubernetes helm charts
+
+== Components
+
+TBD
+
+== Architecture
+
+TBD
+
+== Resources
+
+TBD
+
+
diff --git a/classes/cluster/os-ha-contrail-40/openstack/control.yml b/classes/cluster/os-ha-contrail-40/openstack/control.yml
index e3c086f..7fd147b 100644
--- a/classes/cluster/os-ha-contrail-40/openstack/control.yml
+++ b/classes/cluster/os-ha-contrail-40/openstack/control.yml
@@ -43,7 +43,6 @@
     cluster_node02_address: ${_param:openstack_control_node02_address}
     cluster_node03_hostname: ctl03
     cluster_node03_address: ${_param:openstack_control_node03_address}
-    keepalived_openstack_telemetry_vip_interface: ens4
   linux:
     system:
       package:
@@ -164,4 +163,3 @@
       notification:
         driver: messagingv2
         topics: "notifications"
-
diff --git a/classes/cluster/os-ha-contrail/openstack/control.yml b/classes/cluster/os-ha-contrail/openstack/control.yml
index 1e9733a..ce6c800 100755
--- a/classes/cluster/os-ha-contrail/openstack/control.yml
+++ b/classes/cluster/os-ha-contrail/openstack/control.yml
@@ -46,7 +46,6 @@
     cluster_node02_address: ${_param:openstack_control_node02_address}
     cluster_node03_hostname: ctl03
     cluster_node03_address: ${_param:openstack_control_node03_address}
-    keepalived_openstack_telemetry_vip_interface: ens4
   linux:
     system:
       package:
@@ -174,4 +173,3 @@
       notification:
         driver: messagingv2
         topics: "notifications"
-
diff --git a/classes/cluster/os-ha-ovs-syndic/openstack/control.yml b/classes/cluster/os-ha-ovs-syndic/openstack/control.yml
index 9bc0f6e..0b7f2a2 100644
--- a/classes/cluster/os-ha-ovs-syndic/openstack/control.yml
+++ b/classes/cluster/os-ha-ovs-syndic/openstack/control.yml
@@ -32,7 +32,6 @@
 parameters:
   _param:
     keepalived_vip_interface: ens4
-    keepalived_openstack_telemetry_vip_interface: ens4
   linux:
     system:
       package:
@@ -100,4 +99,3 @@
       notification:
         driver: messagingv2
         topics: "notifications"
-
diff --git a/classes/cluster/os-ha-ovs/openstack/control.yml b/classes/cluster/os-ha-ovs/openstack/control.yml
index ee20aa0..a01afb8 100644
--- a/classes/cluster/os-ha-ovs/openstack/control.yml
+++ b/classes/cluster/os-ha-ovs/openstack/control.yml
@@ -35,7 +35,6 @@
 parameters:
   _param:
     keepalived_vip_interface: ens4
-    keepalived_openstack_telemetry_vip_interface: ens4
   linux:
     system:
       package:
@@ -147,4 +146,3 @@
       notification:
         driver: messagingv2
         topics: "notifications"
-
diff --git a/classes/cluster/sl-os-ovs/infra/config.yml b/classes/cluster/sl-os-ovs/infra/config.yml
index 0903eaa..eac6a06 100644
--- a/classes/cluster/sl-os-ovs/infra/config.yml
+++ b/classes/cluster/sl-os-ovs/infra/config.yml
@@ -54,6 +54,7 @@
     salt_master_base_environment: prd
     salt_minion_ca_host: ${linux:network:fqdn}
     salt_api_password_hash: "$6$sGnRlxGf$al5jMCetLP.vfI/fTl3Z0N7Za1aeiexL487jAtyRABVfT3NlwZxQGVhO7S1N8OwS/34VHYwZQA8lkXwKMN/GS1"
+    openstack_control_system_codename: xenial
   linux:
     network:
       interface:
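Review bot: The context line directly above the added `openstack_control_system_codename` keeps `salt_api_password_hash` as a literal SHA-512 crypt hash in the shared model, so every deployment built from this class shares one Salt API credential, and anyone who can read the repository can test guesses against it offline. If this cluster class is only a lab default, say so next to the value, for example `# lab-only default: override salt_api_password_hash per deployment, do not reuse`, and have real deployments supply the hash from outside the repository. The enclosing `_param` mapping starts outside the hunk, so whether an override already exists further up cannot be seen from here.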
@@ -122,6 +123,19 @@
               value_template: <<node_tenant_ip>>
             external_address:
               value_template: <<node_external_ip>>
+        openstack_gateway:
+          expression: <<node_hostname>>__startswith__gtw
+          node_class:
+            value_template:
+              - cluster.<<node_cluster>>.openstack.gateway
+          node_param:
+            tenant_address:
+              value_template: <<node_tenant_ip>>
+            external_address:
+              value_template: <<node_external_ip>>
+          cluster_param:
+            openstack_gateway_node01_address:
+              value_template: <<node_control_ip>>
         stacklight_monitor_node01:
           expression: <<node_hostname>>__equals__mon01
           cluster_param:
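Review bot: The new `openstack_gateway` rule matches every hostname beginning with `gtw` yet writes the single cluster-wide `openstack_gateway_node01_address`, so with more than one gateway, or any minion that registers under a `gtw…` name, the last host to register sets that address. The neighbouring `stacklight_monitor_node01` rule pins its `cluster_param` with `__equals__mon01`; splitting the address write into its own exact-match rule (assuming the first gateway is named `gtw01`) keeps class assignment broad and the cluster parameter stable. If `<<node_hostname>>` is taken from minion-supplied data, which the hunk does not show, the prefix match also hands the gateway class to any host that chooses such a name, so minion key acceptance should be gated before classification runs. The enclosing classification mapping starts and ends outside the hunk.

```yaml
        openstack_gateway:
          expression: <<node_hostname>>__startswith__gtw
          # … unchanged: node_class and node_param …
        # Only the first gateway may set the cluster-wide address.
        openstack_gateway_node01:
          expression: <<node_hostname>>__equals__gtw01
          cluster_param:
            openstack_gateway_node01_address:
              value_template: <<node_control_ip>>
```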
diff --git a/classes/cluster/sl-os-ovs/openstack/control.yml b/classes/cluster/sl-os-ovs/openstack/control.yml
index 0c6cbeb..ea1cdd6 100644
--- a/classes/cluster/sl-os-ovs/openstack/control.yml
+++ b/classes/cluster/sl-os-ovs/openstack/control.yml
@@ -32,7 +32,6 @@
 parameters:
   _param:
     keepalived_vip_interface: ens4
-    keepalived_openstack_telemetry_vip_interface: ens4
   linux:
     system:
       package:
@@ -103,4 +102,3 @@
       notification:
         driver: messagingv2
         topics: "notifications,${_param:stacklight_notification_topic}"
-
diff --git a/classes/cluster/virtual-mcp-ocata-cicd/openstack/control.yml b/classes/cluster/virtual-mcp-ocata-cicd/openstack/control.yml
index e10b2a0..8d2061d 100644
--- a/classes/cluster/virtual-mcp-ocata-cicd/openstack/control.yml
+++ b/classes/cluster/virtual-mcp-ocata-cicd/openstack/control.yml
@@ -39,7 +39,6 @@
   _param:
     glusterfs_service_host: ${_param:cluster_vip_address}
     keepalived_vip_interface: ens4
-    keepalived_openstack_telemetry_vip_interface: ens4
     linux_system_codename: xenial
   linux:
     system:
@@ -152,4 +151,3 @@
       notification:
         driver: messagingv2
         topics: "notifications,${_param:stacklight_notification_topic}"
-
diff --git a/classes/cluster/virtual-mcp-ocata-dvr/openstack/control.yml b/classes/cluster/virtual-mcp-ocata-dvr/openstack/control.yml
index 8e756a2..650e02a 100644
--- a/classes/cluster/virtual-mcp-ocata-dvr/openstack/control.yml
+++ b/classes/cluster/virtual-mcp-ocata-dvr/openstack/control.yml
@@ -41,8 +41,6 @@
 parameters:
   _param:
     keepalived_vip_interface: ens4
-    keepalived_openstack_telemetry_vip_interface: ens4
-    keepalived_openstack_telemetry_vip_address: 172.16.10.252
   linux:
     system:
       package:
diff --git a/classes/cluster/virtual-mcp-ocata-ovs/openstack/control.yml b/classes/cluster/virtual-mcp-ocata-ovs/openstack/control.yml
index c88b3f9..81d89f7 100644
--- a/classes/cluster/virtual-mcp-ocata-ovs/openstack/control.yml
+++ b/classes/cluster/virtual-mcp-ocata-ovs/openstack/control.yml
@@ -42,7 +42,6 @@
 parameters:
   _param:
     keepalived_vip_interface: ens4
-    keepalived_openstack_telemetry_vip_interface: ens4
   linux:
     system:
       package:
@@ -154,4 +153,3 @@
       notification:
         driver: messagingv2
         topics: "notifications,${_param:stacklight_notification_topic}"
-
diff --git a/classes/cluster/virtual-mcp10-contrail/openstack/control.yml b/classes/cluster/virtual-mcp10-contrail/openstack/control.yml
index 46d5e14..3295d9c 100755
--- a/classes/cluster/virtual-mcp10-contrail/openstack/control.yml
+++ b/classes/cluster/virtual-mcp10-contrail/openstack/control.yml
@@ -47,7 +47,6 @@
 parameters:
   _param:
     keepalived_vip_interface: eth1
-    keepalived_openstack_telemetry_vip_address: 172.16.10.251
     cluster_vip_address: ${_param:openstack_control_address}
     cluster_local_address: ${_param:single_address}
     cluster_node01_hostname: ctl01
diff --git a/classes/cluster/virtual-mcp10-dvr/openstack/control.yml b/classes/cluster/virtual-mcp10-dvr/openstack/control.yml
index 515cb99..7a60877 100644
--- a/classes/cluster/virtual-mcp10-dvr/openstack/control.yml
+++ b/classes/cluster/virtual-mcp10-dvr/openstack/control.yml
@@ -33,7 +33,6 @@
 parameters:
   _param:
     keepalived_vip_interface: eth1
-    keepalived_openstack_telemetry_vip_address: 172.16.10.252
   linux:
     system:
       package:
diff --git a/classes/cluster/virtual-mcp10-ovs/openstack/control.yml b/classes/cluster/virtual-mcp10-ovs/openstack/control.yml
index 01358b1..62bb45c 100644
--- a/classes/cluster/virtual-mcp10-ovs/openstack/control.yml
+++ b/classes/cluster/virtual-mcp10-ovs/openstack/control.yml
@@ -32,7 +32,6 @@
 parameters:
   _param:
     keepalived_vip_interface: eth1
-    keepalived_openstack_telemetry_vip_address: 172.16.10.252
   linux:
     system:
       package:
@@ -100,4 +99,3 @@
       notification:
         driver: messagingv2
         topics: "notifications,${_param:stacklight_notification_topic}"
-
diff --git a/classes/cluster/virtual-mcp11-contrail-nfv/openstack/control.yml b/classes/cluster/virtual-mcp11-contrail-nfv/openstack/control.yml
index f319493..975d121 100755
--- a/classes/cluster/virtual-mcp11-contrail-nfv/openstack/control.yml
+++ b/classes/cluster/virtual-mcp11-contrail-nfv/openstack/control.yml
@@ -46,7 +46,6 @@
 parameters:
   _param:
     keepalived_vip_interface: ens4
-    keepalived_openstack_telemetry_vip_address: 172.16.10.251
     cluster_vip_address: ${_param:openstack_control_address}
     cluster_local_address: ${_param:single_address}
     cluster_node01_hostname: ctl01
@@ -55,7 +54,6 @@
     cluster_node02_address: ${_param:openstack_control_node02_address}
     cluster_node03_hostname: ctl03
     cluster_node03_address: ${_param:openstack_control_node03_address}
-    keepalived_openstack_telemetry_vip_interface: ens4
   linux:
     system:
       package:
diff --git a/classes/cluster/virtual-mcp11-contrail/openstack/control.yml b/classes/cluster/virtual-mcp11-contrail/openstack/control.yml
index 0415236..5cd7f19 100755
--- a/classes/cluster/virtual-mcp11-contrail/openstack/control.yml
+++ b/classes/cluster/virtual-mcp11-contrail/openstack/control.yml
@@ -44,7 +44,6 @@
 parameters:
   _param:
     keepalived_vip_interface: ens4
-    keepalived_openstack_telemetry_vip_address: 172.16.10.251
     cluster_vip_address: ${_param:openstack_control_address}
     cluster_local_address: ${_param:single_address}
     cluster_node01_hostname: ctl01
@@ -53,7 +52,6 @@
     cluster_node02_address: ${_param:openstack_control_node02_address}
     cluster_node03_hostname: ctl03
     cluster_node03_address: ${_param:openstack_control_node03_address}
-    keepalived_openstack_telemetry_vip_interface: ens4
   linux:
     system:
       package:
diff --git a/classes/cluster/virtual-mcp11-dvr/openstack/control.yml b/classes/cluster/virtual-mcp11-dvr/openstack/control.yml
index 12431c9..ee9785b 100644
--- a/classes/cluster/virtual-mcp11-dvr/openstack/control.yml
+++ b/classes/cluster/virtual-mcp11-dvr/openstack/control.yml
@@ -38,8 +38,6 @@
 parameters:
   _param:
     keepalived_vip_interface: ens4
-    keepalived_openstack_telemetry_vip_address: 172.16.10.252
-    keepalived_openstack_telemetry_vip_interface: ens4
   linux:
     system:
       package:
diff --git a/classes/cluster/virtual-mcp11-ovs-dpdk/openstack/control.yml b/classes/cluster/virtual-mcp11-ovs-dpdk/openstack/control.yml
index 8d86179..2e2ec97 100644
--- a/classes/cluster/virtual-mcp11-ovs-dpdk/openstack/control.yml
+++ b/classes/cluster/virtual-mcp11-ovs-dpdk/openstack/control.yml
@@ -36,8 +36,6 @@
 parameters:
   _param:
     keepalived_vip_interface: ens4
-    keepalived_openstack_telemetry_vip_address: 172.16.10.252
-    keepalived_openstack_telemetry_vip_interface: ens4
   linux:
     system:
       package:
@@ -149,4 +147,3 @@
       notification:
         driver: messagingv2
         topics: "notifications,${_param:stacklight_notification_topic}"
-
diff --git a/classes/cluster/virtual-mcp11-ovs-ironic/openstack/control.yml b/classes/cluster/virtual-mcp11-ovs-ironic/openstack/control.yml
index c2b5b99..0a88de2 100644
--- a/classes/cluster/virtual-mcp11-ovs-ironic/openstack/control.yml
+++ b/classes/cluster/virtual-mcp11-ovs-ironic/openstack/control.yml
@@ -38,10 +38,8 @@
 parameters:
   _param:
     keepalived_vip_interface: ens4
-    keepalived_openstack_telemetry_vip_interface: ens4
     cluster_vip_address: ${_param:openstack_control_address}
     cluster_local_address: ${_param:single_address}
-    keepalived_openstack_telemetry_vip_interface: ens4
   linux:
     system:
       package:
@@ -109,4 +107,3 @@
       notification:
         driver: messagingv2
         topics: "notifications,${_param:stacklight_notification_topic}"
-
diff --git a/classes/cluster/virtual-mcp11-ovs/openstack/control.yml b/classes/cluster/virtual-mcp11-ovs/openstack/control.yml
index 9f0477a..7617480 100644
--- a/classes/cluster/virtual-mcp11-ovs/openstack/control.yml
+++ b/classes/cluster/virtual-mcp11-ovs/openstack/control.yml
@@ -33,8 +33,6 @@
 parameters:
   _param:
     keepalived_vip_interface: ens4
-    keepalived_openstack_telemetry_vip_address: 172.16.10.252
-    keepalived_openstack_telemetry_vip_interface: ens4
   linux:
     system:
       package:
@@ -102,4 +100,3 @@
       notification:
         driver: messagingv2
         topics: "notifications,${_param:stacklight_notification_topic}"
-
diff --git a/classes/system b/classes/system
index de47fb9..fe4aa38 160000
--- a/classes/system
+++ b/classes/system
@@ -1 +1 @@
-Subproject commit de47fb9ff49428ee30bb52d10dfc160641900715
+Subproject commit fe4aa384d17b441219c2f0da24d9cc3bb711ccef
