Merge the tip of origin/release/proposed/2019.2.0 into origin/release/2019.2.0

523609cb Fix URL for openldap image
8fca068e Remove unnecessary parameter from ceph-upgrade pipeline
ece396bc Bump prometheus relay image
9932abc2 add additional parameters in ceph-remove-osd pipeline for cleaning orphan partitions
778f11a2 Add public key of mpolenchuk
eea6c07d Pin cvp-sanity-checks:2019.2.11 docker image
2dded631 Pass secrets to containers as files instead of env variables
28ed47eb Bump Alerta image with Docker Secrets and API token fix.
5cc2060a Openstack API check improvements
24e9fed5 Add default policy for Panko
ee64e0e4 Bump Contrail packages to 2019.2.11

Change-Id: Iaf7c9e1196cd80ef9e2f567aa4c6529f62ca6afe
diff --git a/defaults/docker_images.yml b/defaults/docker_images.yml
index 14f48ab..ad876e2 100644
--- a/defaults/docker_images.yml
+++ b/defaults/docker_images.yml
@@ -5,7 +5,7 @@
     # 2.6.2 version, from 12/18/2108, differ from latest 2.6.2 upstream - update next cycle
     docker_image_registry:   "${_param:mcp_docker_registry}/mirantis/external/registry:2019.2.6"
     docker_image_visualizer: "${_param:mcp_docker_registry}/mirantis/external/visualizer:2019.2.6"
-    docker_image_openldap: "${_param:mcp_docker_registry}/mirantis/external/osixia/openldap:1.2.2"
+    docker_image_openldap: "${_param:mcp_docker_registry}/mirantis/cicd/openldap:2019.2.11"
     docker_image_postgresql: "${_param:mcp_docker_registry}/mirantis/external/library/postgres:9.6.10"
     # 3.4.13, from Feb 15, differ from 3.4.13 upstream verison, from March 14 - update next cycle
     docker_image_mongodb: "${_param:mcp_docker_registry}/mirantis/external/mongo:2019.2.6"
@@ -13,31 +13,31 @@
     # phpldapadmin:0.6.12
     docker_image_phpldapadmin: "${_param:mcp_docker_registry}/mirantis/cicd/phpldapadmin:2019.2.9"
     # gerrit:2.15.18
-    docker_image_gerrit: "${_param:mcp_docker_registry}/mirantis/cicd/gerrit:2019.2.10"
+    docker_image_gerrit: "${_param:mcp_docker_registry}/mirantis/cicd/gerrit:2019.2.11"
     # mysql:5.6.48
     docker_image_mysql: "${_param:mcp_docker_registry}/mirantis/cicd/mysql:2019.2.10"
     # jenkins:2.204.3
     docker_image_jenkins: "${_param:mcp_docker_registry}/mirantis/cicd/jenkins:2019.2.9"
-    docker_image_jenkins_jnlp_slave: "${_param:mcp_docker_registry}/mirantis/cicd/jnlp-slave:2019.2.9"
+    docker_image_jenkins_jnlp_slave: "${_param:mcp_docker_registry}/mirantis/cicd/jnlp-slave:2019.2.11"
     # TODO: fix tag
     docker_image_jenkins_ssh_slave: "${_param:mcp_docker_registry}/mirantis/cicd/ssh-slave:2019.2.10"
     # model-generator
     docker_image_operations_api: "${_param:mcp_docker_registry}/mirantis/model-generator/operations-api:2019.2.6"
     docker_image_operations_ui: "${_param:mcp_docker_registry}/mirantis/model-generator/operations-ui:2019.2.6"
     # OpenContrail
-    opencontrail_docker_image_tag: "2019.2.10"
+    opencontrail_docker_image_tag: "2019.2.11"
     # stacklight
-    # 6.5.0 version, from 11/29/2018, differ from latest upstream 6.5.0 - update next cycle
-    docker_image_alerta: "${_param:mcp_docker_registry}/mirantis/external/alerta-web:2019.2.6"
+    # locally forked v7.4.4, updated 2020-08-06
+    docker_image_alerta: "${_param:mcp_docker_registry}/openstack-docker/alerta:2019.2.11"
     docker_image_alertmanager: "${_param:mcp_docker_registry}/openstack-docker/alertmanager:2019.2.4"
     docker_image_grafana: "${_param:mcp_docker_registry}/openstack-docker/grafana:2019.2.10"
     docker_image_prometheus_es_exporter: "${_param:mcp_docker_registry}/openstack-docker/prometheus-es-exporter:2019.2.6"
     docker_image_prometheus: "${_param:mcp_docker_registry}/openstack-docker/prometheus:2019.2.10"
     docker_image_prometheus_gainsight: "${_param:mcp_docker_registry}/openstack-docker/sf-reporter:2019.2.9"
     docker_image_prometheus_gainsight_elasticsearch: "${_param:mcp_docker_registry}/openstack-docker/gainsight_elasticsearch:2019.2.6"
-    docker_image_prometheus_relay: "${_param:mcp_docker_registry}/openstack-docker/prometheus-relay:2019.2.10"
+    docker_image_prometheus_relay: "${_param:mcp_docker_registry}/openstack-docker/prometheus-relay:2019.2.11"
     docker_image_pushgateway: "${_param:mcp_docker_registry}/openstack-docker/pushgateway:2019.2.6"
-    docker_image_remote_agent: "${_param:mcp_docker_registry}/openstack-docker/telegraf:2019.2.10"
+    docker_image_remote_agent: "${_param:mcp_docker_registry}/openstack-docker/telegraf:2019.2.11"
     docker_image_remote_collector: "${_param:mcp_docker_registry}/openstack-docker/heka:2019.2.6"
     docker_image_remote_storage_adapter: "${_param:mcp_docker_registry}/openstack-docker/remote_storage_adapter:2019.2.6"
     docker_image_sf_notifier: "${_param:mcp_docker_registry}/openstack-docker/sf_notifier:2019.2.4"
@@ -47,7 +47,7 @@
     docker_image_keycloak_server: "${_param:mcp_docker_registry}/mirantis/external/jboss/keycloak:4.5.0.Final"
     docker_image_keycloak_proxy: "${_param:mcp_docker_registry}/mirantis/external/jboss/keycloak:3.4.2.Final"
     # CVP
-    docker_image_cvp_sanity_checks: "${_param:mcp_docker_registry}/mirantis/cvp/cvp-sanity-checks:2019.2.10"
+    docker_image_cvp_sanity_checks: "${_param:mcp_docker_registry}/mirantis/cvp/cvp-sanity-checks:2019.2.11"
     docker_image_cvp_tempest: "${_param:mcp_docker_registry}/mirantis/cicd/ci-tempest:${_param:openstack_version}"
     docker_image_cvp_shaker_checks: "${_param:mcp_docker_registry}/mirantis/cvp/cvp-shaker:2019.2.3"
     docker_image_cvp_rally: "${_param:mcp_docker_registry}/mirantis/cvp/cvp-rally:2019.2.5"
@@ -74,9 +74,9 @@
         - registry: ${_param:mcp_docker_registry}/mirantis/external/docker
           target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/mirantis/external/docker
           name: compose:1.17.1
-        - registry: ${_param:mcp_docker_registry}/mirantis/external/osixia
-          target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/mirantis/external/osixia
-          name: openldap:1.2.2
+        - registry: ${_param:mcp_docker_registry}/mirantis/cicd
+          target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/mirantis/cicd
+          name: openldap:2019.2.11
         - registry: ${_param:mcp_docker_registry}/mirantis/external/library
           target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/mirantis/external/library
           name: postgres:9.6.10
@@ -96,7 +96,7 @@
 
         - registry: ${_param:mcp_docker_registry}/mirantis/cicd
           target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/mirantis/cicd
-          name: jnlp-slave:2019.2.9
+          name: jnlp-slave:2019.2.11
         - registry: ${_param:mcp_docker_registry}/mirantis/cicd
           target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/mirantis/cicd
           name: ssh-slave:2019.2.10
@@ -105,7 +105,7 @@
           name: jenkins:2019.2.9
         - registry: ${_param:mcp_docker_registry}/mirantis/cicd
           target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/mirantis/cicd
-          name: gerrit:2019.2.10
+          name: gerrit:2019.2.11
         - registry: ${_param:mcp_docker_registry}/mirantis/external/cockroach
           target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/mirantis/external/cockroach
           name: cockroach:v2.1.1
@@ -119,9 +119,9 @@
         - registry: ${_param:mcp_docker_registry}/openstack-docker
           target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/openstack-docker
           name: alertmanager:2019.2.4
-        - registry: ${_param:mcp_docker_registry}/mirantis/external
-          target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/mirantis/external
-          name: alerta-web:2019.2.6
+        - registry: ${_param:mcp_docker_registry}/openstack-docker
+          target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/openstack-docker
+          name: alerta:2019.2.11
         - registry: ${_param:mcp_docker_registry}/openstack-docker
           target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/openstack-docker
           name: pushgateway:2019.2.6
@@ -133,13 +133,13 @@
           name: sf-reporter:2019.2.9
         - registry: ${_param:mcp_docker_registry}/openstack-docker
           target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/openstack-docker
-          name: telegraf:2019.2.10
+          name: telegraf:2019.2.11
         - registry: ${_param:mcp_docker_registry}/openstack-docker
           target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/openstack-docker
           name: remote_storage_adapter:2019.2.6
         - registry: ${_param:mcp_docker_registry}/openstack-docker
           target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/openstack-docker
-          name: prometheus-relay:2019.2.10
+          name: prometheus-relay:2019.2.11
         - registry: ${_param:mcp_docker_registry}/openstack-docker
           target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/openstack-docker
           name: grafana:2019.2.10
@@ -182,7 +182,7 @@
           name: cvp-shaker:2019.2.3
         - registry: ${_param:mcp_docker_registry}/mirantis/cvp
           target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/mirantis/cvp
-          name: cvp-sanity-checks:2019.2.10
+          name: cvp-sanity-checks:2019.2.11
         - registry: ${_param:mcp_docker_registry}/mirantis/external/xrally
           target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/mirantis/external/xrally
           name: xrally-openstack:0.11.2
diff --git a/defaults/openstack/policy/all.yml b/defaults/openstack/policy/all.yml
index 3e0975a..ccb81a4 100644
--- a/defaults/openstack/policy/all.yml
+++ b/defaults/openstack/policy/all.yml
@@ -1448,6 +1448,13 @@
       "load-balancer:read-quota-global": "rule:load-balancer:global_observer or role:load-balancer_quota_admin or rule:load-balancer:admin"
       "load-balancer:write-quota": "role:load-balancer_quota_admin or rule:load-balancer:admin"
       "os_load-balancer_api:loadbalancer:put_failover": "rule:load-balancer:admin"
+    panko_default_policy_ocata: {}
+    panko_default_policy_pike:
+      "context_is_admin": "role:admin"
+      "segregation": "rule:context_is_admin"
+      "telemetry:events:index": ""
+      "telemetry:events:show": ""
+    panko_default_policy_queens: ${_param:panko_default_policy_pike}
     telemetry_default_policy_ocata: {}
     telemetry_default_policy_pike:
       "context_is_admin": "role:admin"
diff --git a/defaults/openstack/policy/panko.yml b/defaults/openstack/policy/panko.yml
new file mode 100644
index 0000000..d2c88ae
--- /dev/null
+++ b/defaults/openstack/policy/panko.yml
@@ -0,0 +1,6 @@
+classes:
+- system.defaults.openstack.policy.all
+parameters:
+  panko:
+    server:
+      policy: ${_param:panko_default_policy_${_param:openstack_version}}
diff --git a/docker/swarm/stack/dashboard.yml b/docker/swarm/stack/dashboard.yml
index 7b0eac5..9dfc85f 100644
--- a/docker/swarm/stack/dashboard.yml
+++ b/docker/swarm/stack/dashboard.yml
@@ -10,6 +10,7 @@
     client:
       stack:
         dashboard:
+          version: '3.7'
           service:
             grafana:
               deploy:
@@ -23,6 +24,18 @@
                 GF_DATABASE_TYPE: ${_param:grafana_database_type}
                 GF_DATABASE_NAME: grafana
                 GF_DATABASE_USER: grafana
-                GF_DATABASE_PASSWORD: ${_param:grafana_database_password}
+                GF_DATABASE_PASSWORD__FILE: /run/secrets/grafana-database
                 GF_DATABASE_HOST: "${_param:grafana_database_host}:${_param:grafana_database_port}"
-                GF_SECURITY_ADMIN_PASSWORD: ${_param:grafana_admin_password}
+                GF_SECURITY_ADMIN_PASSWORD__FILE: /run/secrets/grafana-admin
+              secrets:
+                - grafana-database
+                - grafana-admin
+          secrets:
+            grafana-database:
+              external: true
+              value: ${_param:grafana_database_password}
+            grafana-admin:
+              external: true
+              value: ${_param:grafana_admin_password}
+
+
diff --git a/docker/swarm/stack/gerrit.yml b/docker/swarm/stack/gerrit.yml
index d1a5aa7..2ce9444 100644
--- a/docker/swarm/stack/gerrit.yml
+++ b/docker/swarm/stack/gerrit.yml
@@ -16,6 +16,7 @@
     client:
       stack:
         gerrit:
+          version: '3.7'
           service:
             server:
               deploy:
@@ -30,12 +31,15 @@
                 - /etc/ssl/certs/java/cacerts:/etc/ssl/certs/java/cacerts:ro
               depends_on:
                 - db
+              secrets:
+                - mysql-gerrit
+                - ldap-gerrit
               environment:
                 #GERRIT_INIT_ARGS: ""
                 DATABASE_TYPE: "mysql"
                 DB_PORT_3306_TCP_ADDR: ${_param:cluster_vip_address}
                 DB_ENV_MYSQL_USER: gerrit
-                DB_ENV_MYSQL_PASSWORD: ${_param:mysql_gerrit_password}
+                DB_ENV_MYSQL_PASSWORD_FILE: "/run/secrets/mysql-gerrit"
                 DB_ENV_MYSQL_DB: gerrit
                 AUTH_TYPE: ${_param:gerrit_auth_type}
                 LDAP_SERVER: ${_param:gerrit_ldap_server}
@@ -43,13 +47,10 @@
                 LDAP_ACCOUNTBASE: ${_param:gerrit_ldap_account_base}
                 LDAP_GROUPBASE: ${_param:gerrit_ldap_group_base}
                 LDAP_USERNAME: ${_param:gerrit_ldap_bind_user}
-                LDAP_PASSWORD: ${_param:gerrit_ldap_bind_password}
+                LDAP_PASSWORD_FILE: "/run/secrets/ldap-gerrit"
                 WEBURL: ${_param:gerrit_public_host}
                 HTTPD_LISTENURL: ${_param:gerrit_http_listen_url}
                 HTTPD_REQUESTLOG: ${_param:gerrit_http_request_log}
-                GERRIT_ADMIN_SSH_PUBLIC: ${_param:gerrit_admin_public_key}
-                GERRIT_ADMIN_PWD: ${_param:gerrit_admin_password}
-                GERRIT_ADMIN_EMAIL: ${_param:gerrit_admin_email}
                 CANLOADINIFRAME: "true"
                 IGNORE_VERSIONCHECK: "false"
                 JAVA_OPTIONS: "-Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts ${_param:gerrit_extra_opts}"
@@ -57,11 +58,14 @@
                 http_proxy: ${_param:docker_http_proxy}
                 no_proxy: ${_param:docker_no_proxy}
             db:
+              secrets:
+                - mysql-gerrit
+                - mysql-root
               environment:
                 MYSQL_USER: gerrit
-                MYSQL_PASSWORD: ${_param:mysql_gerrit_password}
                 MYSQL_DATABASE: gerrit
-                MYSQL_ROOT_PASSWORD: ${_param:mysql_admin_password}
+                MYSQL_ROOT_PASSWORD_FILE: "/run/secrets/mysql-root"
+                MYSQL_PASSWORD_FILE: "/run/secrets/mysql-gerrit"
                 MYSQL_START_TIMEOUT: 300
               deploy:
                 restart_policy:
@@ -71,3 +75,13 @@
                 - ${_param:gerrit_db_publish_port}:3306
               volumes:
                 - /srv/volumes/mysql:/var/lib/mysql
+          secrets:
+            mysql-root:
+              external: true
+              value: ${_param:mysql_admin_password}
+            mysql-gerrit:
+              external: true
+              value: ${_param:mysql_gerrit_password}
+            ldap-gerrit:
+              external: true
+              value: ${_param:gerrit_ldap_bind_password}
diff --git a/docker/swarm/stack/jenkins/jnlp_slave_multi.yml b/docker/swarm/stack/jenkins/jnlp_slave_multi.yml
index 3606bad..e7bf056 100644
--- a/docker/swarm/stack/jenkins/jnlp_slave_multi.yml
+++ b/docker/swarm/stack/jenkins/jnlp_slave_multi.yml
@@ -15,7 +15,7 @@
                 JENKINS_AGENT_NAME: slave02
                 JENKINS_UPDATE_SLAVE: 'true'
                 JENKINS_LOGIN: ${_param:jenkins_client_user}
-                JENKINS_PASSWORD: ${_param:jenkins_client_password}
+                JENKINS_PASSWORD_FILE: /run/secrets/jenkins-admin
                 JAVA_OPTS: "-Dhttp.proxyHost=${_param:docker_http_proxy} -Dhttp.nonProxyHosts=|jenkins_master ${_param:jenkins_slave_extra_opts}"
                 https_proxy: ${_param:docker_https_proxy}
                 http_proxy: ${_param:docker_http_proxy}
@@ -35,13 +35,15 @@
                 - /var/run/docker.sock:/var/run/docker.sock
                 - /usr/bin/docker:/usr/bin/docker:ro
                 - /var/lib/jenkins:/var/lib/jenkins
+              secrets:
+                - jenkins-admin
             slave03:
               environment:
                 JENKINS_URL: ${_param:jenkins_master_url}
                 JENKINS_AGENT_NAME: slave03
                 JENKINS_UPDATE_SLAVE: 'true'
                 JENKINS_LOGIN: ${_param:jenkins_client_user}
-                JENKINS_PASSWORD: ${_param:jenkins_client_password}
+                JENKINS_PASSWORD_FILE: /run/secrets/jenkins-admin
                 JAVA_OPTS: "-Dhttp.proxyHost=${_param:docker_http_proxy} -Dhttp.nonProxyHosts=|jenkins_master ${_param:jenkins_slave_extra_opts}"
                 https_proxy: ${_param:docker_https_proxy}
                 http_proxy: ${_param:docker_http_proxy}
@@ -61,3 +63,9 @@
               - /var/run/docker.sock:/var/run/docker.sock
               - /usr/bin/docker:/usr/bin/docker:ro
               - /var/lib/jenkins:/var/lib/jenkins
+              secrets:
+                - jenkins-admin
+          secrets:
+            jenkins-admin:
+              external: true
+              value: ${_param:jenkins_client_password}
diff --git a/docker/swarm/stack/jenkins/jnlp_slave_single.yml b/docker/swarm/stack/jenkins/jnlp_slave_single.yml
index 956f918..6f9bff0 100644
--- a/docker/swarm/stack/jenkins/jnlp_slave_single.yml
+++ b/docker/swarm/stack/jenkins/jnlp_slave_single.yml
@@ -12,6 +12,7 @@
         - ${_param:docker_image_jenkins_jnlp_slave}
       stack:
         jenkins:
+          version: '3.7'
           service:
             slave01:
               environment:
@@ -19,7 +20,7 @@
                 JENKINS_AGENT_NAME: slave01
                 JENKINS_UPDATE_SLAVE: 'true'
                 JENKINS_LOGIN: ${_param:jenkins_client_user}
-                JENKINS_PASSWORD: ${_param:jenkins_client_password}
+                JENKINS_PASSWORD_FILE: /run/secrets/jenkins-admin
                 JAVA_OPTS: "-Dhttp.proxyHost=${_param:docker_http_proxy} -Dhttp.nonProxyHosts=|jenkins_master ${_param:jenkins_slave_extra_opts}"
                 https_proxy: ${_param:docker_https_proxy}
                 http_proxy: ${_param:docker_http_proxy}
@@ -39,3 +40,9 @@
                 - /var/run/docker.sock:/var/run/docker.sock
                 - /usr/bin/docker:/usr/bin/docker:ro
                 - /var/lib/jenkins:/var/lib/jenkins
+              secrets:
+                - jenkins-admin
+          secrets:
+            jenkins-admin:
+              external: true
+              value: ${_param:jenkins_client_password}
diff --git a/docker/swarm/stack/ldap.yml b/docker/swarm/stack/ldap.yml
index 3091983..71a646e 100644
--- a/docker/swarm/stack/ldap.yml
+++ b/docker/swarm/stack/ldap.yml
@@ -5,6 +5,7 @@
     client:
       stack:
         ldap:
+          version: '3.7'
           service:
             server:
               networks:
@@ -18,6 +19,9 @@
               ports:
                 - 1389:389
                 - 1636:636
+              secrets:
+                - openldap-admin
+                - openldap-config
               volumes:
                 - /srv/volumes/openldap/database:/var/lib/ldap
                 - /srv/volumes/openldap/config:/etc/ldap/slapd.d
@@ -31,8 +35,8 @@
                 HOSTNAME: ldap01.${_param:openldap_domain}
                 LDAP_ORGANISATION: "${_param:openldap_organisation}"
                 LDAP_DOMAIN: "${_param:openldap_domain}"
-                LDAP_ADMIN_PASSWORD: ${_param:openldap_admin_password}
-                LDAP_CONFIG_PASSWORD: ${_param:openldap_config_password}
+                LDAP_ADMIN_PASSWORD_FILE: /run/secrets/openldap-admin
+                LDAP_CONFIG_PASSWORD_FILE: /run/secrets/openldap-config
                 LDAP_TLS: "true"
                 LDAP_TLS_VERIFY_CLIENT: try
                 LDAP_TLS_CIPHER_SUITE: NORMAL:-VERS-SSL3.0:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0
@@ -55,7 +59,6 @@
                 - ${_param:openldap_tls:certfile}:/container/service/ldap-client/assets/certs/drivetrain_ldap.crt:ro
                 - /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem:/container/service/ldap-client/assets/certs/ca.crt:ro
               environment:
-                PHPLDAPADMIN_LDAP_ADMIN_PASSWORD: ${_param:openldap_admin_password}
                 PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{'server': [{'server': [{'host': 'ldaps://${_param:cicd_control_address}', 'tls': False}]},{'login': [{'bind_id': 'cn=admin,${_param:openldap_dn}'},{'bind_pass': '$PHPLDAPADMIN_LDAP_ADMIN_PASSWORD'}]}]}]"
                 PHPLDAPADMIN_LDAP_CLIENT_TLS: "true"
                 PHPLDAPADMIN_LDAP_CLIENT_TLS_CA_CRT_FILENAME: ca.crt
@@ -73,3 +76,11 @@
               driver: overlay
               driver_opts:
                 encrypted: 1
+          secrets:
+            openldap-admin:
+              external: true
+              value: ${_param:openldap_admin_password}
+            openldap-config:
+              external: true
+              value: ${_param:openldap_config_password}
+
diff --git a/docker/swarm/stack/monitoring/alerta.yml b/docker/swarm/stack/monitoring/alerta.yml
index acd4d70..ac16a2b 100644
--- a/docker/swarm/stack/monitoring/alerta.yml
+++ b/docker/swarm/stack/monitoring/alerta.yml
@@ -8,6 +8,7 @@
     client:
       stack:
         monitoring:
+          version: '3.7'
           service:
             alerta:
               networks:
@@ -27,6 +28,13 @@
                 - ${prometheus:alerta:config_dir}/alertad.conf:/app/alertad.conf
               environment:
                 ADMIN_USERS: ${_param:alerta_admin_username}
-                ADMIN_PASSWORD: ${_param:alerta_admin_password}
+                ADMIN_PASSWORD_FILE: "/run/secrets/alerta"
                 MONGO_URI: ${_param:alerta_mongodb_uri}
                 PLUGINS: ""
+              secrets:
+                - alerta
+          secrets:
+            alerta:
+              external: true
+              value: ${_param:alerta_admin_password}
+
diff --git a/jenkins/client/job/ceph/remove-osd.yml b/jenkins/client/job/ceph/remove-osd.yml
index bff0d75..ce2037b 100644
--- a/jenkins/client/job/ceph/remove-osd.yml
+++ b/jenkins/client/job/ceph/remove-osd.yml
@@ -47,4 +47,7 @@
               type: boolean
               default: 'false'
               description: Clean data/block partitions
-
+            CLEAN_ORPHANS:
+              type: boolean
+              default: 'false'
+              description: Clean data/block partitions
diff --git a/jenkins/client/job/ceph/upgrade.yml b/jenkins/client/job/ceph/upgrade.yml
index 013515b..e8b94a2 100644
--- a/jenkins/client/job/ceph/upgrade.yml
+++ b/jenkins/client/job/ceph/upgrade.yml
@@ -78,8 +78,4 @@
               type: string
               default: '/root'
               description: Select the target dir to backup to when BACKUP_ENABLED
-            RUNHIGHSTATE:
-              type: boolean
-              default: 'false'
-              description: Run HighStates on target nodes after upgrade
 
diff --git a/openssh/server/team/members/mpolenchuk.yml b/openssh/server/team/members/mpolenchuk.yml
new file mode 100644
index 0000000..eafbe84
--- /dev/null
+++ b/openssh/server/team/members/mpolenchuk.yml
@@ -0,0 +1,19 @@
+parameters:
+  linux:
+    system:
+      user:
+        mpolenchuk:
+          enabled: true
+          name: mpolenchuk
+          sudo: ${_param:linux_system_user_sudo}
+          full_name: Michael Polenchuk
+          home: /home/mpolenchuk
+          email: mpolenchuk@mirantis.com
+  openssh:
+    server:
+      user:
+        mpolenchuk:
+          enabled: true
+          public_keys:
+            - key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC18NFHig4QQPBgFY7s3MOzGRYHOFY6Fzu1lBSYoH6Ie6u2AY7aS149uSUHJPuzTQ5uEsxXqSlfOOggwrB7sOb1w+sCUhUJN5SyvPl1tnQ5mQ96DvMGtFwuTQwQJ5SY/XXIKCKn59G0AMyOmajDsHdeUFhwj1u8CWnEM7QHxuAxDxbExNyWe0yytsdbIelI1xsyX3qWNsJz/9BSnD6IKKtB0ca0lG+qWmO8eQ/A/pqE28E6kh25mqsEk38gTvBgJsaociU75WTEQYcxhVy4+/ZoZeW/ASDC+Raaq8b7gbrOo8EKdgpWk1MAdomfGfoxJ2HEVI08vLR3xBd0IjbC0NFN root@desktop
+          user: ${linux:system:user:mpolenchuk}
diff --git a/openssh/server/team/oscore_devops.yml b/openssh/server/team/oscore_devops.yml
index b2ef7eb..a46f242 100644
--- a/openssh/server/team/oscore_devops.yml
+++ b/openssh/server/team/oscore_devops.yml
@@ -14,6 +14,7 @@
 - system.openssh.server.team.members.pshchelo
 - system.openssh.server.team.members.obryndzii
 - system.openssh.server.team.members.dteselkin
+- system.openssh.server.team.members.mpolenchuk
 parameters:
   _param:
     linux_system_user_sudo: true
diff --git a/prometheus/gainsight/query/openstack.yml b/prometheus/gainsight/query/openstack.yml
index 1eac4c3..daed58e 100644
--- a/prometheus/gainsight/query/openstack.yml
+++ b/prometheus/gainsight/query/openstack.yml
@@ -11,15 +11,14 @@
         instances: "'Instances','avg(sum(avg_over_time(openstack_nova_instances{state=\"active\"}[24h])) by (instance))'"
         compute_nodes: "'Compute Nodes','avg(sum(openstack_nova_services{binary=~\"nova.compute\"}) by (instance))'"
         tenants: "'Tenants','avg(sum(avg_over_time(openstack_keystone_tenants_total[24h])) by (instance))'"
-        cinder_api: "'Cinder API','avg_over_time(name:openstack_api_check_status:avg5m:for5m:ceil:avg5m:floor{name=\"cinderv2\"}[24h]) * 100'"
-        nova_api: "'Nova API','avg_over_time(name:openstack_api_check_status:avg5m:for5m:ceil:avg5m:floor{name=\"nova\"}[24h]) * 100'"
-        keystone_api: "'Keystone API','avg_over_time(name:openstack_api_check_status:avg5m:for5m:ceil:avg5m:floor{name=\"keystone\"}[24h]) * 100'"
-        glance_api: "'Glance API','avg_over_time(name:openstack_api_check_status:avg5m:for5m:ceil:avg5m:floor{name=\"glance\"}[24h]) * 100'"
-        neutron_api: "'Neutron API','avg_over_time(name:openstack_api_check_status:avg5m:for5m:ceil:avg5m:floor{name=\"neutron\"}[24h]) * 100'"
+        cinder_api: "'Cinder API','avg_over_time(service_name:openstack_api_check_status:avg5m:for5m:ceil:avg5m:floor{service_name=\"cinderv2\"}[24h]) * 100'"
+        nova_api: "'Nova API','avg_over_time(service_name:openstack_api_check_status:avg5m:for5m:ceil:avg5m:floor{service_name=\"nova\"}[24h]) * 100'"
+        keystone_api: "'Keystone API','avg_over_time(service_name:openstack_api_check_status:avg5m:for5m:ceil:avg5m:floor{service_name=\"keystone\"}[24h]) * 100'"
+        glance_api: "'Glance API','avg_over_time(service_name:openstack_api_check_status:avg5m:for5m:ceil:avg5m:floor{service_name=\"glance\"}[24h]) * 100'"
+        neutron_api: "'Neutron API','avg_over_time(service_name:openstack_api_check_status:avg5m:for5m:ceil:avg5m:floor{service_name=\"neutron\"}[24h]) * 100'"
         nova_vm_all: "'Total VM number','avg_over_time(total:openstack_nova_instance_all[1d])'"
         nova_vm_failed: "'Failed VM number','avg_over_time(total:openstack_nova_instance_failed[1d])'"
         kpi_downtime: "'KPI Downtime','1 - avg_over_time(total:openstack_nova_instance_failed[1d]) / avg_over_time(total:openstack_nova_instance_all[1d])'"
         compute_instance_create_start: "'VM creation start','sum(compute_instance_create_start_event_doc_count)'"
         compute_instance_create_end: "'VM creation end','sum(compute_instance_create_end_event_doc_count)'"
         compute_instance_create_error: "'VM creation error','sum(compute_instance_create_error_event_doc_count)'"
-