diff --git a/.releasenotes/notes/kqueen-port-change-8b34593966336e27.yaml b/.releasenotes/notes/kqueen-port-change-8b34593966336e27.yaml
new file mode 100644
index 0000000..1021b5e
--- /dev/null
+++ b/.releasenotes/notes/kqueen-port-change-8b34593966336e27.yaml
@@ -0,0 +1,14 @@
+---
+
+summary: >
+  Changed default port for KQueen API service.
+
+upgrades:
+
+  .. code-block:: yaml
+
+     -    haproxy_kqueen_api_exposed_port: 15000
+     +    haproxy_kqueen_api_exposed_port: 15001
+
+fixes:
+  - https://mirantis.jira.com/browse/PROD-19571
diff --git a/billometer/server/single.yml b/billometer/server/single.yml
index be13be2..8152202 100644
--- a/billometer/server/single.yml
+++ b/billometer/server/single.yml
@@ -22,7 +22,7 @@
       database:
         billometer:
           encoding: UTF8
-          locale: cs_CZ
+          locale: en_US
           users:
           - name: billometer
             createdb: true
diff --git a/ceilometer/agent/telemetry/cluster.yml b/ceilometer/agent/telemetry/cluster.yml
new file mode 100644
index 0000000..bc67493
--- /dev/null
+++ b/ceilometer/agent/telemetry/cluster.yml
@@ -0,0 +1,31 @@
+classes:
+- service.ceilometer.agent.cluster.common
+parameters:
+  ceilometer:
+    agent:
+      region: ${_param:openstack_region}
+      enabled: true
+      version: ${_param:ceilometer_version}
+      secret: ${_param:ceilometer_secret_key}
+      identity:
+        engine: keystone
+        host: ${_param:keystone_service_host}
+        port: 35357
+        tenant: service
+        user: ceilometer
+        password: ${_param:keystone_ceilometer_password}
+        region: ${_param:openstack_region}
+      message_queue:
+        engine: rabbitmq
+        members:
+          - host: ${_param:openstack_message_queue_node01_address}
+          - host: ${_param:openstack_message_queue_node02_address}
+          - host: ${_param:openstack_message_queue_node03_address}
+        user: openstack
+        password: ${_param:rabbitmq_openstack_password}
+        virtual_host: '/openstack'
+        ha_queues: true
+  nova:
+    compute:
+      notification:
+        driver: messagingv2
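Review bot: The agent class resolves Keystone through `${_param:keystone_service_host}`, while the matching server class in ceilometer/server/telemetry/cluster.yml uses `${_param:openstack_control_address}`. If both are meant to reach the same endpoint, use one parameter so a model cannot point agent and server at different identity hosts. The file also lacks the header comment the server class carries; `# This class is intended to be used since the OpenStack Pike release` would match. `port: 35357` is hard-coded in both files and could be a `_param`.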
diff --git a/ceilometer/agent/telemetry/single.yml b/ceilometer/agent/telemetry/single.yml
new file mode 100644
index 0000000..6b42537
--- /dev/null
+++ b/ceilometer/agent/telemetry/single.yml
@@ -0,0 +1,2 @@
+classes:
+- service.ceilometer.agent.single.common
diff --git a/ceilometer/server/cluster.yml b/ceilometer/server/cluster.yml
index 19336b0..f965451 100644
--- a/ceilometer/server/cluster.yml
+++ b/ceilometer/server/cluster.yml
@@ -1,3 +1,4 @@
+# This class is deprecated since Openstack Pike
 classes:
 - service.ceilometer.server.cluster
 - service.haproxy.proxy.single
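Review bot: The deprecation comment added at the top of this class does not say what to use instead. The repo_local deprecation notes in this same change do name their replacement, so something like `# Deprecated since OpenStack Pike; use system.ceilometer.server.telemetry.cluster instead` would be consistent. That class name is inferred from the path of the new file and should be confirmed. The class list continues outside the hunk.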
diff --git a/ceilometer/server/telemetry/cluster.yml b/ceilometer/server/telemetry/cluster.yml
new file mode 100644
index 0000000..d1c28ef
--- /dev/null
+++ b/ceilometer/server/telemetry/cluster.yml
@@ -0,0 +1,36 @@
+# This class intended to be used since Openstack Pike release
+classes:
+- service.ceilometer.server.cluster.common
+- system.keepalived.cluster.instance.openstack_telemetry_vip
+parameters:
+  ceilometer:
+    server:
+      enabled: true
+      version: ${_param:ceilometer_version}
+      region: ${_param:openstack_region}
+      cluster: true
+      secret: ${_param:ceilometer_secret_key}
+      ttl: 86400
+      notification:
+        workload_partitioning: true
+        batch_timeout: 30
+      bind:
+        host: ${_param:cluster_local_address}
+        port: 8777
+      identity:
+        engine: keystone
+        host: ${_param:openstack_control_address}
+        port: 35357
+        tenant: service
+        user: ceilometer
+        password: ${_param:keystone_ceilometer_password}
+        region: ${_param:openstack_region}
+      message_queue:
+        engine: rabbitmq
+        members:
+          - host: ${_param:openstack_message_queue_node01_address}
+          - host: ${_param:openstack_message_queue_node02_address}
+          - host: ${_param:openstack_message_queue_node03_address}
+        user: openstack
+        password: ${_param:rabbitmq_openstack_password}
+        virtual_host: '/openstack'
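Review bot: `message_queue` here has no `ha_queues` key, while the agent class added in ceilometer/agent/telemetry/cluster.yml sets `ha_queues: true` against the same three RabbitMQ members. If the omission is not intentional, add `ha_queues: true` after `virtual_host`; otherwise note the reason in a comment. The header comment would read better as `# This class is intended to be used since the OpenStack Pike release`.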
diff --git a/ceilometer/server/telemetry/single.yml b/ceilometer/server/telemetry/single.yml
new file mode 100644
index 0000000..7a98b73
--- /dev/null
+++ b/ceilometer/server/telemetry/single.yml
@@ -0,0 +1,2 @@
+classes:
+- service.ceilometer.server.single.common
diff --git a/docker/swarm/stack/kqueen.yml b/docker/swarm/stack/kqueen.yml
index 430a344..0c61ed9 100644
--- a/docker/swarm/stack/kqueen.yml
+++ b/docker/swarm/stack/kqueen.yml
@@ -33,24 +33,45 @@
     client:
       stack:
         kqueen:
+          environment:
+            KQUEEN_DEBUG: ${_param:kqueen_api_debug}
+            KQUEEN_CONFIG_FILE: config/prod.py
+            KQUEEN_LDAP_URI: ${_param:kqueen_api_ldap_uri}
+            KQUEEN_LDAP_DN: ${_param:kqueen_api_ldap_dn}
+            KQUEEN_LDAP_PASSWORD: ${_param:kqueen_api_ldap_password}
+            KQUEEN_AUTH_MODULES: ${_param:kqueen_api_auth_modules}
+            KQUEEN_ETCD_HOST: ${_param:kqueen_api_db_host}
+            KQUEEN_PROMETHEUS_WHITELIST: ${_param:kqueen_api_prometheus_whitelist}
+            KQUEEN_SECRET_KEY: ${_param:kqueen_credentials:kqueen_api_secret_key}
+            BOOTSTRAP_ADMIN: ${_param:kqueen_credentials:kqueen_api_bootstrap_admin}
+            BOOTSTRAP_ADMIN_USERNAME: ${_param:kqueen_credentials:kqueen_api_admin_username}
+            BOOTSTRAP_ADMIN_PASSWORD: ${_param:kqueen_credentials:kqueen_api_admin_password}
+            BOOTSTRAP_ADMIN_ORGANIZATION: ${_param:kqueen_credentials:kqueen_api_admin_organization}
+            BOOTSTRAP_ADMIN_NAMESPACE: ${_param:kqueen_credentials:kqueen_api_admin_namespace}
+            KQUEENUI_PREFERRED_URL_SCHEME: https
+            KQUEENUI_DEBUG: ${_param:kqueen_ui_debug}
+            KQUEEN_UI_CONFIG_FILE: config/prod.py
+            KQUEENUI_SECRET_KEY: ${_param:kqueen_credentials:kqueen_ui_secret_key}
+            KQUEENUI_KQUEEN_API_URL: http://${_param:kqueen_api_bind_host}:${_param:kqueen_api_bind_port}/api/v1/
+            KQUEENUI_KQUEEN_AUTH_URL: http://${_param:kqueen_api_bind_host}:${_param:kqueen_api_bind_port}/api/v1/auth
+            KQUEENUI_KQUEEN_SERVICE_USER_USERNAME: ${_param:kqueen_credentials:kqueen_api_admin_username}
+            KQUEENUI_KQUEEN_SERVICE_USER_PASSWORD: ${_param:kqueen_credentials:kqueen_api_admin_password}
+            KQUEENUI_MAIL_SERVER: ${_param:kqueen_ui_mail_host}
+            KQUEENUI_MAIL_PORT: ${_param:kqueen_ui_mail_port}
+            KQUEENUI_ENABLE_PUBLIC_REGISTRATION: ${_param:kqueen_ui_enable_public_registration}
+            KQUEENUI_LDAP_AUTH_NOTIFY: ${_param:kqueen_ui_ldap_auth_notify}
+            KQUEENUI_LOCAL_AUTH_NOTIFY: ${_param:kqueen_ui_local_auth_notify}
+            STATIC_DIR: /mnt/static/
+            ETCD_NAME: 0
+            ETCD_INITIAL_ADVERTISE_PEER_URLS: http://etcd:2380
+            ETCD_INITIAL_CLUSTER_STATE: new
+            ETCD_INITIAL_CLUSTER_TOKEN: etcd-cluster-1
+            ETCD_LISTEN_CLIENT_URLS: http://0.0.0.0:${_param:haproxy_etcd_bind_port}
+            ETCD_LISTEN_PEER_URLS: http://0.0.0.0:2380
+            ETCD_ADVERTISE_CLIENT_URLS: http://127.0.0.1:4001,http://etcd:${_param:haproxy_etcd_bind_port}
           service:
             kqueen-api:
               image: ${_param:docker_image_kqueen_api}
-              environment:
-                KQUEEN_DEBUG: ${_param:kqueen_api_debug}
-                KQUEEN_CONFIG_FILE: config/prod.py
-                KQUEEN_LDAP_URI: ${_param:kqueen_api_ldap_uri}
-                KQUEEN_LDAP_DN: ${_param:kqueen_api_ldap_dn}
-                KQUEEN_LDAP_PASSWORD: ${_param:kqueen_api_ldap_password}
-                KQUEEN_AUTH_MODULES: ${_param:kqueen_api_auth_modules}
-                KQUEEN_ETCD_HOST: ${_param:kqueen_api_db_host}
-                KQUEEN_PROMETHEUS_WHITELIST: ${_param:kqueen_api_prometheus_whitelist}
-                KQUEEN_SECRET_KEY: ${_param:kqueen_credentials:kqueen_api_secret_key}
-                BOOTSTRAP_ADMIN: ${_param:kqueen_credentials:kqueen_api_bootstrap_admin}
-                BOOTSTRAP_ADMIN_USERNAME: ${_param:kqueen_credentials:kqueen_api_admin_username}
-                BOOTSTRAP_ADMIN_PASSWORD: ${_param:kqueen_credentials:kqueen_api_admin_password}
-                BOOTSTRAP_ADMIN_ORGANIZATION: ${_param:kqueen_credentials:kqueen_api_admin_organization}
-                BOOTSTRAP_ADMIN_NAMESPACE: ${_param:kqueen_credentials:kqueen_api_admin_namespace}
               deploy:
                 replicas: ${_param:docker_kqueen_api_replicas}
                 restart_policy:
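Review bot: Moving every `environment` entry up to `stack:kqueen:environment` puts `KQUEEN_LDAP_PASSWORD`, `KQUEEN_SECRET_KEY`, `KQUEENUI_SECRET_KEY` and `BOOTSTRAP_ADMIN_PASSWORD` in one block shared by the whole stack. If the docker formula renders a stack-level environment into every service, the etcd container (`quay.io/coreos/etcd:latest`) would receive credentials it has no use for. The formula template is not visible here, so that should be confirmed; if it holds, keep the secret-bearing variables under the service that consumes them and hoist only the shared, non-secret ones. The moved `ETCD_NAME: 0` is also a YAML integer, and `ETCD_NAME: "0"` would keep it a string. The service definitions continue outside the hunk.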
@@ -61,21 +82,6 @@
                 - /srv/volumes/kqueen/logs/:/var/log/kqueen-api
             kqueen-ui:
               image: ${_param:docker_image_kqueen_ui}
-              environment:
-                KQUEENUI_PREFERRED_URL_SCHEME: https
-                KQUEENUI_DEBUG: ${_param:kqueen_ui_debug}
-                KQUEEN_UI_CONFIG_FILE: config/prod.py
-                KQUEENUI_SECRET_KEY: ${_param:kqueen_credentials:kqueen_ui_secret_key}
-                KQUEENUI_KQUEEN_API_URL: http://${_param:kqueen_api_bind_host}:${_param:kqueen_api_bind_port}/api/v1/
-                KQUEENUI_KQUEEN_AUTH_URL: http://${_param:kqueen_api_bind_host}:${_param:kqueen_api_bind_port}/api/v1/auth
-                KQUEENUI_KQUEEN_SERVICE_USER_USERNAME: ${_param:kqueen_credentials:kqueen_api_admin_username}
-                KQUEENUI_KQUEEN_SERVICE_USER_PASSWORD: ${_param:kqueen_credentials:kqueen_api_admin_password}
-                KQUEENUI_MAIL_SERVER: ${_param:kqueen_ui_mail_host}
-                KQUEENUI_MAIL_PORT: ${_param:kqueen_ui_mail_port}
-                KQUEENUI_ENABLE_PUBLIC_REGISTRATION: ${_param:kqueen_ui_enable_public_registration}
-                KQUEENUI_LDAP_AUTH_NOTIFY: ${_param:kqueen_ui_ldap_auth_notify}
-                KQUEENUI_LOCAL_AUTH_NOTIFY: ${_param:kqueen_ui_local_auth_notify}
-                STATIC_DIR: /mnt/static/
               deploy:
                 replicas: ${_param:docker_kqueen_ui_replicas}
                 restart_policy:
@@ -86,14 +92,6 @@
                 - /srv/volumes/kqueen/logs/:/var/log/kqueen-ui
             etcd:
               image: quay.io/coreos/etcd:latest
-              environment:
-                ETCD_NAME: 0
-                ETCD_INITIAL_ADVERTISE_PEER_URLS: http://etcd:2380
-                ETCD_INITIAL_CLUSTER_STATE: new
-                ETCD_INITIAL_CLUSTER_TOKEN: etcd-cluster-1
-                ETCD_LISTEN_CLIENT_URLS: http://0.0.0.0:${_param:haproxy_etcd_bind_port}
-                ETCD_LISTEN_PEER_URLS: http://0.0.0.0:2380
-                ETCD_ADVERTISE_CLIENT_URLS: http://127.0.0.1:4001,http://etcd:${_param:haproxy_etcd_bind_port}
               ports:
                 - ${_param:haproxy_etcd_exposed_port}:${_param:haproxy_etcd_bind_port}
               volumes:
diff --git a/docker/swarm/stack/monitoring/alerta.yml b/docker/swarm/stack/monitoring/alerta.yml
index c0da7d5..858eb38 100644
--- a/docker/swarm/stack/monitoring/alerta.yml
+++ b/docker/swarm/stack/monitoring/alerta.yml
@@ -27,4 +27,5 @@
                 - ${prometheus:alerta:config_dir}/alerta.conf:/web/config.js
               environment:
                 ADMIN_USERS: ${_param:alerta_admin_username}
-                MONGO_URI: ${_param:alerta_mongodb_uri}
\ No newline at end of file
+                ADMIN_PASSWORD: ${_param:alerta_admin_password}
+                MONGO_URI: ${_param:alerta_mongodb_uri}
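Review bot: `ADMIN_PASSWORD` is handed to the Alerta container as a plain environment variable, so the resolved value is readable by anyone who can inspect the service definition or the container's environment. If the image and the formula support it, a Docker secret or a mounted file is the safer carrier. Otherwise add a comment above the line such as `# alerta_admin_password must be supplied from a protected pillar; no default is defined in this class`. The enclosing service block starts outside the hunk.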
diff --git a/gerrit/server/single.yml b/gerrit/server/single.yml
index c279f00..f0f6492 100644
--- a/gerrit/server/single.yml
+++ b/gerrit/server/single.yml
@@ -61,7 +61,7 @@
         gerrit:
           enabled: true
           encoding: 'UTF8'
-          locale: 'cs_CZ'
+          locale: 'en_US'
           users:
           - name: gerrit
             password: ${_param:postgresql_gerrit_password}
diff --git a/graphite/server/single.yml b/graphite/server/single.yml
index 364877e..237c65d 100644
--- a/graphite/server/single.yml
+++ b/graphite/server/single.yml
@@ -29,7 +29,7 @@
       database:
         graphite:
           encoding: UTF8
-          locale: cs_CZ
+          locale: en_US
           users:
           - name: graphite
             password: ${_param:postgresql_graphite_password}
diff --git a/haproxy/proxy/listen/cicd/kqueen.yml b/haproxy/proxy/listen/cicd/kqueen.yml
index 52b02d0..71b6f3c 100644
--- a/haproxy/proxy/listen/cicd/kqueen.yml
+++ b/haproxy/proxy/listen/cicd/kqueen.yml
@@ -2,7 +2,7 @@
   _param:
     haproxy_kqueen_api_bind_host: ${_param:haproxy_bind_address}
     haproxy_kqueen_api_bind_port: 5000
-    haproxy_kqueen_api_exposed_port: 15000
+    haproxy_kqueen_api_exposed_port: 15001
     haproxy_kqueen_ui_bind_host: ${_param:haproxy_bind_address}
     haproxy_kqueen_ui_bind_port: 5080
     haproxy_kqueen_ui_exposed_port: 15080
diff --git a/horizon/server/plugin/theme.yml b/horizon/server/plugin/theme.yml
index 85475d7..cf83739 100644
--- a/horizon/server/plugin/theme.yml
+++ b/horizon/server/plugin/theme.yml
@@ -10,3 +10,12 @@
           source:
             engine: pkg
             name: openstack-dashboard-${_param:horizon_dashboard_theme}-theme
+      themes:
+        default: "mirantis"
+        available:
+          mirantis:
+            name: "Mirantis"
+            description: "Mirantis theme"
+            enabled: True
+          material:
+            enabled: False
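Review bot: The new `enabled: True` and `enabled: False` values under `themes.available` use capitalised booleans, while other classes in this change write `enabled: true`. Prefer `enabled: true` and `enabled: false` so YAML 1.2 parsers and linters read them unambiguously. The same spelling appears in the new nova/compute/libvirt/ssl/vnc.yml and nova/control/novncproxy/init.yml (`tls: enabled: True`). The `material` entry also has no `name` or `description`, unlike `mirantis`; a short comment saying it is listed only to disable it would help.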
diff --git a/jenkins/client/init.yml b/jenkins/client/init.yml
index 633288c..409b3f3 100644
--- a/jenkins/client/init.yml
+++ b/jenkins/client/init.yml
@@ -22,6 +22,7 @@
         username: ${_param:jenkins_client_user}
         password: ${_param:jenkins_client_password}
       plugin:
+        antisamy-markup-formatter: {}
         artifactory: {}
         blueocean: {}
         build-blocker-plugin: {}
diff --git a/jenkins/client/job/ceph/remove-node.yml b/jenkins/client/job/ceph/remove-node.yml
index af678b5..901e319 100644
--- a/jenkins/client/job/ceph/remove-node.yml
+++ b/jenkins/client/job/ceph/remove-node.yml
@@ -43,5 +43,5 @@
               description: Only if removing OSD host. Set to true if crush map file should be updated. Enforce has to happen manually unless it is specifically set to be enforced in pillar.
             WAIT_FOR_HEALTHY:
               type: boolean
-              default: 'false'
+              default: 'true'
               description: Wait for healthy during pipeline
diff --git a/jenkins/client/job/ceph/remove-osd.yml b/jenkins/client/job/ceph/remove-osd.yml
index 0a5801d..99dcb37 100644
--- a/jenkins/client/job/ceph/remove-osd.yml
+++ b/jenkins/client/job/ceph/remove-osd.yml
@@ -41,5 +41,5 @@
               description: Flags to be aplied before pipeline and after pipeline (comma-separated list)
             WAIT_FOR_HEALTHY:
               type: boolean
-              default: 'false'
+              default: 'true'
               description: Wait for healthy during pipeline
diff --git a/jenkins/client/job/ceph/replace-failed-osd.yml b/jenkins/client/job/ceph/replace-failed-osd.yml
index 43c2f0b..a342ffb 100644
--- a/jenkins/client/job/ceph/replace-failed-osd.yml
+++ b/jenkins/client/job/ceph/replace-failed-osd.yml
@@ -34,6 +34,9 @@
             DEVICE:
               type: string
               description: Comma separated list of failed devices that will be replaced at HOST (/dev/sdb,/dev/sdc)
+            DATA_PARTITION:
+              type: string
+              description: (Optional) Comma separated list of mounted partitions of failed device. These partitions will be unmounted. For ex. /dev/sdb1,/dev/sdb3
             JOURNAL_BLOCKDB_BLOCKWAL_PARTITION:
               type: string
               description: Comma separated list of partitions where journal, block_db or block_wal for the failed devices on this HOST were stored (/dev/sdh2,/dev/sdh3)
@@ -43,7 +46,7 @@
               default: 'cmn01*'
             WAIT_FOR_HEALTHY:
               type: boolean
-              default: 'false'
+              default: 'true'
               description: Wait for healthy during pipeline
             DMCRYPT:
               type: boolean
diff --git a/jenkins/client/job/deploy/lab/deploy.yml b/jenkins/client/job/deploy/lab/deploy.yml
index a1df125..624e553 100644
--- a/jenkins/client/job/deploy/lab/deploy.yml
+++ b/jenkins/client/job/deploy/lab/deploy.yml
@@ -106,8 +106,8 @@
                 description: "YAML with overrides for Salt deployment"
               SALT_VERSION:
                 type: text
-                default: ""
-                description: "Version of Salt which is going to be installed i.e. 'stable 2016.3' or 'stable 2017.7' etc."
+                default: "stable 2017.7"
+                description: "Version of Salt which is going to be installed i.e. 'stable 2016.3' or 'stable 2017.7' etc. Warning: This value doesn't override salt_version parameter set in the pillar."
               BOOTSTRAP_EXTRA_REPO_PARAMS:
                 type: string
                 default: ""
diff --git a/jenkins/client/job/deploy/lab/init.yml b/jenkins/client/job/deploy/lab/init.yml
index 6d197a1..4953d19 100644
--- a/jenkins/client/job/deploy/lab/init.yml
+++ b/jenkins/client/job/deploy/lab/init.yml
@@ -12,6 +12,7 @@
   - system.jenkins.client.job.deploy.lab.component.openstack
   - system.jenkins.client.job.deploy.lab.component.stacklight
   - system.jenkins.client.job.deploy.lab.ironic
+  - system.jenkins.client.job.deploy.lab.mom_deploy
 
 parameters:
   jenkins:
diff --git a/kubernetes/common.yml b/kubernetes/common.yml
index f977997..0680c06 100644
--- a/kubernetes/common.yml
+++ b/kubernetes/common.yml
@@ -20,8 +20,8 @@
     # component docker images
     kubernetes_docker_package: docker-engine=1.13.1-0~ubuntu-xenial
     kubernetes_calico_calicoctl_image: ${_param:kubernetes_calico_calicoctl_repo}/ctl:v1.6.4
-    kubernetes_calico_image: ${_param:kubernetes_calico_repo}/node:v2.6.9
-    kubernetes_calico_cni_image: ${_param:kubernetes_calico_cni_repo}/cni:v1.11.5
+    kubernetes_calico_image: ${_param:kubernetes_calico_repo}/node:v2.6.10
+    kubernetes_calico_cni_image: ${_param:kubernetes_calico_cni_repo}/cni:v1.11.6
     kubernetes_hyperkube_image: ${_param:kubernetes_hyperkube_repo}/hyperkube-amd64:v1.10.4-4
     kubernetes_pause_image: ${_param:kubernetes_hyperkube_repo}/pause-amd64:v1.10.4-4
     kubernetes_contrail_cni_image: ${_param:kubernetes_contrail_cni_repo}/contrail-cni:v1.2.0
@@ -107,28 +107,6 @@
           criproxy_source: ${_param:kubernetes_criproxy_checksum}
         metallb:
           enabled: ${_param:kubernetes_metallb_enabled}
-    master:
-      enabled: false
-      kubelet:
-        fail_on_swap: ${_param:kubelet_fail_on_swap}
-      container: false
-      network:
-        genie:
-          enabled: ${_param:kubernetes_genie_enabled}
-          source: ${_param:kubernetes_genie_source}
-          source_hash: ${_param:kubernetes_genie_source_hash}
-        calico:
-          enabled: ${_param:kubernetes_calico_enabled}
-          image: ${_param:kubernetes_calico_image}
-          calicoctl_image: ${_param:kubernetes_calico_calicoctl_image}
-          cni_image: ${_param:kubernetes_calico_cni_image}
-        opencontrail:
-          enabled: ${_param:kubernetes_opencontrail_enabled}
-          cni_image: ${_param:kubernetes_contrail_cni_image}
-        sriov:
-          enabled: ${_param:kubernetes_sriov_enabled}
-          source: ${_param:kubernetes_sriov_source}
-          source_hash: ${_param:kubernetes_sriov_source_hash}
     pool:
       enabled: false
       kubelet:
diff --git a/kubernetes/master/cluster.yml b/kubernetes/master/cluster.yml
index 5d0933c..7cddd21 100644
--- a/kubernetes/master/cluster.yml
+++ b/kubernetes/master/cluster.yml
@@ -3,13 +3,10 @@
 - service.haproxy.proxy.single
 - system.haproxy.proxy.listen.kubernetes.apiserver
 - system.keepalived.cluster.instance.kube_api_server_vip
-- system.kubernetes.common
+- system.kubernetes.master.common
 parameters:
   kubernetes:
     master:
-      enabled: true
-      network:
         calico:
           prometheus:
             enabled: true
-
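Review bot: Removing the `network:` line leaves `calico:` directly under `master:` on the new side. The override therefore resolves to `kubernetes:master:calico:prometheus:enabled` instead of `kubernetes:master:network:calico:prometheus:enabled`, which is where kubernetes/master/common.yml defines calico. The file still parses because `calico:` is merely indented deeper than needed, so the Prometheus setting would likely be ignored silently rather than fail. Keep `      network:` between `master:` and `calico:` and remove only `enabled: true`.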
diff --git a/kubernetes/master/common.yml b/kubernetes/master/common.yml
new file mode 100644
index 0000000..0923286
--- /dev/null
+++ b/kubernetes/master/common.yml
@@ -0,0 +1,26 @@
+classes:
+- system.kubernetes.common
+parameters:
+  kubernetes:
+    master:
+      enabled: true
+      kubelet:
+        fail_on_swap: ${_param:kubelet_fail_on_swap}
+      container: false
+      network:
+        genie:
+          enabled: ${_param:kubernetes_genie_enabled}
+          source: ${_param:kubernetes_genie_source}
+          source_hash: ${_param:kubernetes_genie_source_hash}
+        calico:
+          enabled: ${_param:kubernetes_calico_enabled}
+          image: ${_param:kubernetes_calico_image}
+          calicoctl_image: ${_param:kubernetes_calico_calicoctl_image}
+          cni_image: ${_param:kubernetes_calico_cni_image}
+        opencontrail:
+          enabled: ${_param:kubernetes_opencontrail_enabled}
+          cni_image: ${_param:kubernetes_contrail_cni_image}
+        sriov:
+          enabled: ${_param:kubernetes_sriov_enabled}
+          source: ${_param:kubernetes_sriov_source}
+          source_hash: ${_param:kubernetes_sriov_source_hash}
\ No newline at end of file
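Review bot: The new file ends without a trailing newline, although this same change fixes exactly that in salt/master/pkg.yml and docker/swarm/stack/monitoring/alerta.yml; terminate the final `source_hash:` line with a newline. A header comment would also help readers follow the move, e.g. `# Master defaults formerly in kubernetes/common.yml; included by master/single.yml and master/cluster.yml`.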
diff --git a/kubernetes/master/single.yml b/kubernetes/master/single.yml
index 1898549..31cbc28 100644
--- a/kubernetes/master/single.yml
+++ b/kubernetes/master/single.yml
@@ -1,7 +1,3 @@
 classes:
 - service.kubernetes.master.single
-- system.kubernetes.common
-parameters:
-  kubernetes:
-    master:
-      enabled: true
+- system.kubernetes.master.common
diff --git a/linux/system/repo/glusterfs.yml b/linux/system/repo/glusterfs.yml
index 71d3cb9..d6f09da 100644
--- a/linux/system/repo/glusterfs.yml
+++ b/linux/system/repo/glusterfs.yml
@@ -2,4 +2,4 @@
 - system.linux.system.repo.mcp.apt_mirantis.glusterfs
 parameters:
   _param:
-    linux_system_repo_mcp_glusterfs_version_number: "3.8"
+    linux_system_repo_mcp_glusterfs_version_number: "3.10"
diff --git a/linux/system/repo_local/mcp/apt_mirantis/glusterfs.yml b/linux/system/repo_local/mcp/apt_mirantis/glusterfs.yml
index cb3444b..57625a3 100644
--- a/linux/system/repo_local/mcp/apt_mirantis/glusterfs.yml
+++ b/linux/system/repo_local/mcp/apt_mirantis/glusterfs.yml
@@ -1,3 +1,5 @@
+# DEPRECATED since 2018.7+ release.
+# Please use system/repo/mcp/apt_mirantis
 parameters:
   _param:
     apt_mk_version: stable
diff --git a/linux/system/repo_local/mcp/apt_mirantis/maas.yml b/linux/system/repo_local/mcp/apt_mirantis/maas.yml
index 63f82c2..f8bc651 100644
--- a/linux/system/repo_local/mcp/apt_mirantis/maas.yml
+++ b/linux/system/repo_local/mcp/apt_mirantis/maas.yml
@@ -1,3 +1,5 @@
+# DEPRECATED since 2018.7+ release.
+# Please use system/repo/mcp/apt_mirantis
 parameters:
   _param:
     apt_mk_version: stable
diff --git a/linux/system/single/init.yml b/linux/system/single/init.yml
index 4429a82..970184c 100644
--- a/linux/system/single/init.yml
+++ b/linux/system/single/init.yml
@@ -41,8 +41,6 @@
         en_US.UTF-8:
           enabled: true
           default: true
-        cs_CZ.UTF-8:
-          enabled: true
       limit:
         default:
           enabled: true
diff --git a/nova/compute/libvirt/ssl/vnc.yml b/nova/compute/libvirt/ssl/vnc.yml
new file mode 100644
index 0000000..f2c0ad4
--- /dev/null
+++ b/nova/compute/libvirt/ssl/vnc.yml
@@ -0,0 +1,12 @@
+classes:
+- system.salt.minion.cert.libvirtd.vnc_server
+parameters:
+  nova:
+    compute:
+      qemu:
+        vnc:
+          tls:
+            enabled: True
+            key_file: ${_param:qemu_vnc_server_ssl_key_file}
+            cert_file: ${_param:qemu_vnc_server_ssl_cert_file}
+            ca_file: ${_param:qemu_vnc_ssl_ca_file}
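Review bot: The class enables TLS on the QEMU VNC server and sets key, certificate and CA paths, but nothing here shows whether the formula also turns on client-certificate verification (`vnc_tls_x509_verify` in qemu.conf) when `tls.enabled` is set. Without verification the channel is encrypted but the server does not authenticate who connects, which is the case the dedicated CA in salt/minion/ca/qemu-vnc_ca.yml is meant to cover. Suggest a header comment stating the expectation, e.g. `# Expects the nova formula to enforce x509 client verification for VNC; certificates are issued by the dedicated qemu_vnc_ca`.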
diff --git a/nova/control/novncproxy/init.yml b/nova/control/novncproxy/init.yml
new file mode 100644
index 0000000..3cd04b8
--- /dev/null
+++ b/nova/control/novncproxy/init.yml
@@ -0,0 +1,13 @@
+classes:
+- system.salt.minion.cert.vnc.novncproxy_client
+parameters:
+  nova:
+    controller:
+      novncproxy:
+        tls:
+          enabled: True
+          key_file: ${_param:novncproxy_client_ssl_key_file}
+          cert_file: ${_param:novncproxy_client_ssl_cert_file}
+          ca_file: ${_param:novncproxy_ssl_ca_file}
+          all_file: ${_param:nova_websocketproxy_ssl_all_file}
+
diff --git a/openssh/server/team/networking.yml b/openssh/server/team/networking.yml
index d912490..7e5f915 100644
--- a/openssh/server/team/networking.yml
+++ b/openssh/server/team/networking.yml
@@ -51,6 +51,13 @@
           full_name: Oleg Bondarev
           home: /home/obondarev
           email: obondarev@mirantis.com
+        akuznetsova:
+          enabled: true
+          name: akuznetsova
+          sudo: true
+          full_name: Anastasiia Kuznetcova
+          home: /home/akuznetsova
+          email: akuznetsova@mirantis.com
   openssh:
     server:
       enabled: true
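Review bot: The new account is created with `sudo: true`, and its `full_name` is spelled `Anastasiia Kuznetcova` while the login, home directory and e-mail all use `kuznetsova`. One of the two spellings is probably a typo and should be confirmed before it lands in account records. Because this class grants sudo on every node that includes it, a comment carrying a ticket reference for the access request would make later access reviews easier. The `user:` map starts outside the hunk.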
@@ -85,6 +92,11 @@
           public_keys:
           - ${public_keys:obondarev}
           user: ${linux:system:user:obondarev}
+        akuznetsova:
+          enabled: true
+          public_keys:
+          - ${public_keys:akuznetsova}
+          user: ${linux:system:user:akuznetsova}
   public_keys:
     aignatov:
       key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJFYznIFlCdxu5UXzThjYZlZfvXKCcDN0QxDEn7U7dNkK17SyzIJswQcxF7pTlvcuZ7XEskEqyXC8E6P5XyvBJO2xLGrFDJ4U3vf7MKsfwSFEj3NPUzV5bGTrKeKIHTL94L7lwMm1INE7lZzciiwvTxcKv//A+FgG8o1MDhefK56cBH4a9TSjEd+5ImcnCc5sf8B+csyWFPnksnv1zwu//T9aYXRITocdVzrfRHmEiZDpL3mNwpGT3O3XUTiMwdVpN2ImAqSF6XlQl0HlUkBT2idCIoXUR9lcGUx2Q+LSd62JgcVmQHCOmbUENj7NIDgWixgSJYLzsi//YNqJ9jccR aignatov@mirantis.com
@@ -98,3 +110,5 @@
       key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJk2ip+Rn73D4vt47pe/Hv42ylKJv6JIzeF0k3OflH+RyliVelvo05KMcozfsmmvOKhwgDokBj3KjQ10ewDwD7Fz5H3tosa8JFOs36cuHx9aHrsEmj1oIcIyThrIBwSZGFApqJqj27sLtReVLQJPlYR59RJGw61TogkA/QooOABi+KHzuwPFjAcA1SMfFT8LwiaNPkyUdRb5EQeKCOHniRAEPGNIwskA0sxz25qbB1EU2XBFjkxRE1b5GHfUYL+c2YhAwRWTJbD2JbbcHI6HpsmJutzkS6YIkEn1CK4JuA40OQTYFSEutCk2uPPR0G+77Fec2+vD/8H+ncPxPeDqNR ina@ina-ThinkPad-X240
     obondarev:
       key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDca1gqXe14l9uho3t4mZT52lXmSuUxKVOCcSO9Dy+BAmtaVK39+t7la081S5c0H+oTPIXFb32/kO37+qpEgwyOv1zimWIqcR56xrr42gW/QzVLyY64qVnQ9QFiXlvXXBW4YgBuT//SE8upOshLYnznKHOi4IkoKrAE37K34Cz/DGQzFV6sKQSmP6fjJzli0Nzu+YPdBSZW9VH1m7IKxliGoZcjdIkJ+L92+h/mPuN95Bitfe+aoexBQq3u4WjYVVsCE/9TrwLoGlr3zd7VAyVdADJf6phfIMHGDxn8W8125r9UWp4X/36yAIudVC7kHLyr0AHTfYqCVH10nEJvUwRz obondarev@Olegs-MacBook-Pro.local
+    akuznetsova:
+      key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD033EOpc2jeEYkKPzmJL4j081hmt3Ml5hlrfJWYY7RRoKBugT1gF9zggI9GaFGn5F29g+92dYfLLH4yfkL91dkNtbsutl7XiHZYW5NIL5n8kHtb8Bahclid8ERMpLYlctqW/4RM5wfMyzh71TxbutN9ZjcbtAQ0bIaCoTyWRrIDiMeW/+Btf7bPpe7zyQMjkQu+F2iYxd6nERiMnVLq080XAqwuSGMy9NFBLvG+VoJV1w49f2Hf19TD1ILev/pttPYem/15/zAnwwR+nye91jBtBBaFI6V4aaYjgsrjEinNy48tfhMpbuELW5Nn3o8c+3Xfi2rRxtkNcfdpc/yvFz/
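Review bot: The `akuznetsova` key is added without the trailing comment field that the neighbouring entries carry (`obondarev@Olegs-MacBook-Pro.local`, `ina@ina-ThinkPad-X240`). That makes the resulting `authorized_keys` line harder to attribute during an audit or key rotation. Appending an owner comment such as `akuznetsova@mirantis.com` after the key material would fix it. The `public_keys:` map starts outside the hunk.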
diff --git a/salt/control/sizes/stacklight.yml b/salt/control/sizes/stacklight.yml
index 5b09c14..c7b1875 100644
--- a/salt/control/sizes/stacklight.yml
+++ b/salt/control/sizes/stacklight.yml
@@ -10,7 +10,7 @@
     salt_control_size_net_profile_stacklight_server: default
     salt_control_size_cpu_stacklight_telemetry: 12
     salt_control_size_ram_stacklight_telemetry: 98304
-    salt_control_size_disk_profile_stacklight_telemetryr: huge
+    salt_control_size_disk_profile_stacklight_telemetry: huge
     salt_control_size_net_profile_stacklight_telemetry: default
   salt:
     control:
diff --git a/salt/master/formula/git/saltstack.yml b/salt/master/formula/git/saltstack.yml
index d7dde48..b176a2e 100644
--- a/salt/master/formula/git/saltstack.yml
+++ b/salt/master/formula/git/saltstack.yml
@@ -60,6 +60,9 @@
               source: git
               address: '${_param:salt_master_environment_repository}/salt-formula-sphinx.git'
               revision: ${_param:salt_master_environment_revision}
+            watchdog:
+              source: git
+              address: '${_param:salt_master_environment_repository}/salt-formula-watchdog.git'
             xtrabackup:
               source: git
               address: '${_param:salt_master_environment_repository}/salt-formula-xtrabackup.git'
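Review bot: The new `watchdog` entry has no `revision:` key, whereas the `sphinx` entry just above it pins `revision: ${_param:salt_master_environment_revision}`. Without it the checkout presumably follows the repository's default branch rather than the revision the environment is pinned to, so the master could pull formula code that was never reviewed for that release. Add `revision: ${_param:salt_master_environment_revision}` under `address:`. The formula map starts and ends outside the hunk.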
diff --git a/salt/master/formula/pkg/saltstack.yml b/salt/master/formula/pkg/saltstack.yml
index 963580c..a682f7f 100644
--- a/salt/master/formula/pkg/saltstack.yml
+++ b/salt/master/formula/pkg/saltstack.yml
@@ -39,6 +39,9 @@
             sphinx:
               source: pkg
               name: salt-formula-sphinx
+            watchdog:
+              source: pkg
+              name: salt-formula-watchdog
             xtrabackup:
               source: pkg
               name: salt-formula-xtrabackup
diff --git a/salt/master/pkg.yml b/salt/master/pkg.yml
index ac839f8..33c60d9 100644
--- a/salt/master/pkg.yml
+++ b/salt/master/pkg.yml
@@ -1,5 +1,6 @@
 classes:
 - system.salt.master.single
+- system.salt.master.formula.pkg.auditd
 - system.salt.master.formula.pkg.ccp
 - system.salt.master.formula.pkg.foundation
 - system.salt.master.formula.pkg.kubernetes
@@ -9,4 +10,4 @@
 - system.salt.master.formula.pkg.stacklight
 - system.salt.master.formula.pkg.monitoring
 - system.salt.master.formula.pkg.helm
-- system.salt.master.formula.pkg.ceph
\ No newline at end of file
+- system.salt.master.formula.pkg.ceph
diff --git a/salt/minion/ca/qemu-vnc_ca.yml b/salt/minion/ca/qemu-vnc_ca.yml
new file mode 100644
index 0000000..53778f1
--- /dev/null
+++ b/salt/minion/ca/qemu-vnc_ca.yml
@@ -0,0 +1,30 @@
+parameters:
+  _param:
+    qemu_vnc_ca_common_name: QEMU VNC CA
+    qemu_vnc_ca_country: cz
+    qemu_vnc_ca_locality: Prague
+    qemu_vnc_ca_organization: Mirantis
+    qemu_vnc_ca_days_valid_authority: 3650
+    qemu_vnc_ca_days_valid_certificate: 365
+  salt:
+    minion:
+      ca:
+        qemu_vnc_ca:
+          # We recommend using a dedicated certificate authority solely for the VNC service.
+          # This authority may be a child of the master certificate authority used for the OpenStack deployment.
+          # This is because libvirt does not currently have a mechanism to restrict what certificates can be presented by the proxy server.
+          # https://docs.openstack.org/nova/queens/admin/remote-console-access.html
+          common_name: ${_param:qemu_vnc_ca_common_name}
+          country: ${_param:qemu_vnc_ca_country}
+          locality: ${_param:qemu_vnc_ca_locality}
+          organization: ${_param:qemu_vnc_ca_organization}
+          signing_policy:
+            cert_server:
+              type: v3_edge_cert_server
+              minions: 'cmp*'
+            cert_client:
+              type: v3_edge_cert_client
+              minions: 'ctl*'
+          days_valid:
+            authority: ${_param:qemu_vnc_ca_days_valid_authority}
+            certificate: ${_param:qemu_vnc_ca_days_valid_certificate}
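Review bot: The signing policies hard-code `minions: 'cmp*'` and `minions: 'ctl*'`, while every other value in this class is exposed through `_param`. Deployments whose compute or control minion IDs do not follow those prefixes would get no certificates, and any minion whose ID happens to start with `cmp` or `ctl` is allowed to request one from this CA. Consider `_param` entries for the two globs, with a comment that they decide who may obtain VNC server and client certificates. `qemu_vnc_ca_country: cz` is also lower-case, where X.509 country codes are conventionally upper-case (`CZ`).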
diff --git a/salt/minion/cert/libvirtd/vnc_server.yml b/salt/minion/cert/libvirtd/vnc_server.yml
new file mode 100644
index 0000000..c49852e
--- /dev/null
+++ b/salt/minion/cert/libvirtd/vnc_server.yml
@@ -0,0 +1,27 @@
+parameters:
+  _param:
+    qemu_vnc_server_ssl_key_file: /etc/pki/libvirt-vnc/server-key.pem
+    qemu_vnc_server_ssl_cert_file: /etc/pki/libvirt-vnc/server-cert.pem
+    qemu_vnc_ssl_ca_file: /etc/pki/libvirt-vnc/ca-cert.pem
+    salt_minion_ca_host: cfg01.${_param:cluster_domain}
+    qemu_vnc_ca_authority: qemu_vnc_ca
+  salt:
+    minion:
+      cert:
+        qemu_vnc_server:
+          host: ${_param:salt_minion_ca_host}
+          authority: ${_param:qemu_vnc_ca_authority}
+          common_name: ${linux:system:name}.${_param:cluster_domain}
+          signing_policy: cert_server
+          alternative_names: >
+            IP:${_param:cluster_local_address},
+            DNS:${_param:cluster_local_address},
+            DNS:${linux:system:name},
+            DNS:${linux:network:fqdn}
+          key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+          key_file: ${_param:qemu_vnc_server_ssl_key_file}
+          cert_file: ${_param:qemu_vnc_server_ssl_cert_file}
+          ca_file: ${_param:qemu_vnc_ssl_ca_file}
+          user: libvirt-qemu
+          group: libvirt-qemu
+          mode: 640
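Review bot: `mode: 640` is an unquoted YAML integer, so it reaches the formula as decimal 640 rather than an octal mode string, and it presumably leaves the private key at `qemu_vnc_server_ssl_key_file` group-readable. `mode: "0640"` states the intent, and a comment should say why the `libvirt-qemu` group needs read access to the key. The same applies to salt/minion/cert/vnc/novncproxy_client.yml (`user: nova`, `mode: 640`). `salt_minion_ca_host` and `qemu_vnc_ca_authority` are also defined both here and in salt/minion/cert/vnc/init.yml; including `system.salt.minion.cert.vnc`, as novncproxy_client.yml does, would keep a single definition.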
diff --git a/salt/minion/cert/vnc/init.yml b/salt/minion/cert/vnc/init.yml
new file mode 100644
index 0000000..6f7f6ee
--- /dev/null
+++ b/salt/minion/cert/vnc/init.yml
@@ -0,0 +1,4 @@
+parameters:
+  _param:
+    salt_minion_ca_host: cfg01.${_param:cluster_domain}
+    qemu_vnc_ca_authority: qemu_vnc_ca
diff --git a/salt/minion/cert/vnc/novncproxy_client.yml b/salt/minion/cert/vnc/novncproxy_client.yml
new file mode 100644
index 0000000..7f695eb
--- /dev/null
+++ b/salt/minion/cert/vnc/novncproxy_client.yml
@@ -0,0 +1,29 @@
+classes:
+- system.salt.minion.cert.vnc
+parameters:
+  _param:
+    novncproxy_client_ssl_key_file: /etc/pki/nova-novncproxy/client-key.pem
+    novncproxy_client_ssl_cert_file: /etc/pki/nova-novncproxy/client-cert.pem
+    novncproxy_ssl_ca_file: /etc/pki/nova-novncproxy/ca-cert.pem
+    nova_websocketproxy_ssl_all_file: /var/lib/nova/self.pem
+  salt:
+    minion:
+      cert:
+        libvirt_novnc_client:
+          host: ${_param:salt_minion_ca_host}
+          authority: ${_param:qemu_vnc_ca_authority}
+          common_name: ${linux:system:name}.${_param:cluster_domain}
+          signing_policy: cert_client
+          alternative_names: >
+            IP:${_param:cluster_local_address},
+            DNS:${_param:cluster_local_address},
+            DNS:${linux:system:name},
+            DNS:${linux:network:fqdn}
+          key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+          key_file: ${_param:novncproxy_client_ssl_key_file}
+          cert_file: ${_param:novncproxy_client_ssl_cert_file}
+          ca_file: ${_param:novncproxy_ssl_ca_file}
+          all_file: ${_param:nova_websocketproxy_ssl_all_file}
+          user: nova
+          group: nova
+          mode: 640
