diff --git a/defaults/docker_images.yml b/defaults/docker_images.yml
index a4f7fc2..a3db781 100644
--- a/defaults/docker_images.yml
+++ b/defaults/docker_images.yml
@@ -11,14 +11,16 @@
     docker_image_mongodb: "${_param:mcp_docker_registry}/mirantis/external/library/mongo:${_param:mcp_version}"
     ###
     # phpldapadmin:0.6.12
-    docker_image_phpldapadmin: "${_param:mcp_docker_registry}/mirantis/cicd/phpldapadmin:${_param:mcp_version}"
+    docker_image_phpldapadmin: "${_param:mcp_docker_registry}/mirantis/cicd/phpldapadmin:2019.2.5"
     # gerrit:2.13.6
-    docker_image_gerrit: "${_param:mcp_docker_registry}/mirantis/cicd/gerrit:${_param:mcp_version}"
+    docker_image_gerrit: "${_param:mcp_docker_registry}/mirantis/cicd/gerrit:2019.2.5"
     # mysql:5.6
     docker_image_mysql: "${_param:mcp_docker_registry}/mirantis/cicd/mysql:${_param:mcp_version}"
     # jenkins:2.150.3
-    docker_image_jenkins: "${_param:mcp_docker_registry}/mirantis/cicd/jenkins:2019.2.3"
-    docker_image_jenkins_slave: "${_param:mcp_docker_registry}/mirantis/cicd/jnlp-slave:${_param:mcp_version}"
+    docker_image_jenkins: "${_param:mcp_docker_registry}/mirantis/cicd/jenkins:2019.2.5"
+    docker_image_jenkins_jnlp_slave: "${_param:mcp_docker_registry}/mirantis/cicd/jnlp-slave:${_param:mcp_version}"
+    # TODO: fix tag
+    docker_image_jenkins_ssh_slave: "${_param:mcp_docker_registry}/mirantis/cicd/ssh-slave:2019.2.5"
     # model-generator
     docker_image_operations_api: "${_param:mcp_docker_registry}/mirantis/model-generator/operations-api:${_param:mcp_version}"
     docker_image_operations_ui: "${_param:mcp_docker_registry}/mirantis/model-generator/operations-ui:${_param:mcp_version}"
@@ -45,7 +47,7 @@
     docker_image_keycloak_server: "${_param:mcp_docker_registry}/mirantis/external/jboss/keycloak:4.5.0.Final"
     docker_image_keycloak_proxy: "${_param:mcp_docker_registry}/mirantis/external/jboss/keycloak:3.4.2.Final"
     # CVP
-    docker_image_cvp_sanity_checks: ${_param:mcp_docker_registry}/mirantis/cvp/cvp-sanity-checks:2019.2.4
+    docker_image_cvp_sanity_checks: ${_param:mcp_docker_registry}/mirantis/cvp/cvp-sanity-checks:2019.2.5
     docker_image_cvp_shaker_checks: ${_param:mcp_docker_registry}/mirantis/cvp/cvp-shaker:2019.2.3
     # aptly
     docker_image_aptly:
diff --git a/docker/client/images/cicd.yml b/docker/client/images/cicd.yml
index 895bde3..003b131 100644
--- a/docker/client/images/cicd.yml
+++ b/docker/client/images/cicd.yml
@@ -1,6 +1,3 @@
-classes:
-- system.docker.client.images.jenkins_master
-- system.docker.client.images.jenkins_slave
 parameters:
   docker:
     client:
diff --git a/docker/client/images/jenkins_master.yml b/docker/client/images/jenkins_master.yml
index 929c76e..d74bb20 100644
--- a/docker/client/images/jenkins_master.yml
+++ b/docker/client/images/jenkins_master.yml
@@ -1,6 +1 @@
-parameters:
-  docker:
-    client:
-      enabled: true
-      images:
-      - ${_param:docker_image_jenkins}
\ No newline at end of file
+# Left for providing upgrade path
diff --git a/docker/client/images/jenkins_slave.yml b/docker/client/images/jenkins_slave.yml
index 46114d4..d74bb20 100644
--- a/docker/client/images/jenkins_slave.yml
+++ b/docker/client/images/jenkins_slave.yml
@@ -1,6 +1 @@
-parameters:
-  docker:
-    client:
-      enabled: true
-      images:
-      - ${_param:docker_image_jenkins_slave}
+# Left for providing upgrade path
diff --git a/docker/swarm/stack/gerrit.yml b/docker/swarm/stack/gerrit.yml
index c164d75..ed90acf 100644
--- a/docker/swarm/stack/gerrit.yml
+++ b/docker/swarm/stack/gerrit.yml
@@ -27,6 +27,7 @@
                 - ${_param:gerrit_ssh_publish_port}:29418
               volumes:
                 - /srv/volumes/gerrit:/var/gerrit/review_site
+                - /etc/ssl/certs/java/cacerts:/etc/ssl/certs/java/cacerts:ro
               depends_on:
                 - db
               environment:
@@ -50,7 +51,7 @@
                 GERRIT_ADMIN_PWD: ${_param:gerrit_admin_password}
                 GERRIT_ADMIN_EMAIL: ${_param:gerrit_admin_email}
                 CANLOADINIFRAME: "true"
-                JAVA_OPTIONS: ${_param:gerrit_extra_opts}
+                JAVA_OPTIONS: "-Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts ${_param:gerrit_extra_opts}"
                 https_proxy: ${_param:docker_https_proxy}
                 http_proxy: ${_param:docker_http_proxy}
                 no_proxy: ${_param:docker_no_proxy}
diff --git a/docker/swarm/stack/jenkins/jnlp_slave_multi.yml b/docker/swarm/stack/jenkins/jnlp_slave_multi.yml
new file mode 100644
index 0000000..5246cb7
--- /dev/null
+++ b/docker/swarm/stack/jenkins/jnlp_slave_multi.yml
@@ -0,0 +1,59 @@
+classes:
+- system.docker.swarm.stack.jenkins.jnlp_slave_single
+parameters:
+  _param:
+    jenkins_slave02_node_name: ${_param:cluster_node02_name}
+    jenkins_slave03_node_name: ${_param:cluster_node03_name}
+  docker:
+    client:
+      stack:
+        jenkins:
+          service:
+            slave02:
+              environment:
+                JENKINS_URL: ${_param:jenkins_master_url}
+                JENKINS_AGENT_NAME: slave02
+                JENKINS_UPDATE_SLAVE: 'true'
+                JENKINS_LOGIN: ${_param:jenkins_client_user}
+                JENKINS_PASSWORD: ${_param:jenkins_client_password}
+                JAVA_OPTS: "-Dhttp.proxyHost=${_param:docker_http_proxy} -Dhttp.nonProxyHosts=|jenkins_master ${_param:jenkins_slave_extra_opts}"
+                https_proxy: ${_param:docker_https_proxy}
+                http_proxy: ${_param:docker_http_proxy}
+                no_proxy: "jenkins_master,${_param:docker_no_proxy}"
+              deploy:
+                restart_policy:
+                  condition: any
+                placement:
+                  constraints:
+                    - "node.hostname == ${_param:jenkins_slave02_node_name}"
+              image: ${_param:docker_image_jenkins_jnlp_slave}
+              volumes:
+                - /etc/ssl/certs/:/etc/ssl/certs/:ro
+                - /dev/urandom:/dev/random:ro
+                - /var/run/docker.sock:/var/run/docker.sock
+                - /usr/bin/docker:/usr/bin/docker:ro
+                - /var/lib/jenkins:/var/lib/jenkins
+            slave03:
+              environment:
+                JENKINS_URL: ${_param:jenkins_master_url}
+                JENKINS_AGENT_NAME: slave03
+                JENKINS_UPDATE_SLAVE: 'true'
+                JENKINS_LOGIN: ${_param:jenkins_client_user}
+                JENKINS_PASSWORD: ${_param:jenkins_client_password}
+                JAVA_OPTS: "-Dhttp.proxyHost=${_param:docker_http_proxy} -Dhttp.nonProxyHosts=|jenkins_master ${_param:jenkins_slave_extra_opts}"
+                https_proxy: ${_param:docker_https_proxy}
+                http_proxy: ${_param:docker_http_proxy}
+                no_proxy: "jenkins_master,${_param:docker_no_proxy}"
+              deploy:
+                restart_policy:
+                  condition: any
+                placement:
+                  constraints:
+                  - "node.hostname == ${_param:jenkins_slave03_node_name}"
+              image: ${_param:docker_image_jenkins_jnlp_slave}
+              volumes:
+              - /etc/ssl/certs/:/etc/ssl/certs/:ro
+              - /dev/urandom:/dev/random:ro
+              - /var/run/docker.sock:/var/run/docker.sock
+              - /usr/bin/docker:/usr/bin/docker:ro
+              - /var/lib/jenkins:/var/lib/jenkins
diff --git a/docker/swarm/stack/jenkins/slave01.yml b/docker/swarm/stack/jenkins/jnlp_slave_single.yml
similarity index 83%
rename from docker/swarm/stack/jenkins/slave01.yml
rename to docker/swarm/stack/jenkins/jnlp_slave_single.yml
index 73e8140..8b05c47 100644
--- a/docker/swarm/stack/jenkins/slave01.yml
+++ b/docker/swarm/stack/jenkins/jnlp_slave_single.yml
@@ -1,10 +1,15 @@
 classes:
-- system.docker.swarm.stack.jenkins.slave_base
+- system.docker
 parameters:
   _param:
+    jenkins_master_url: http://jenkins_master:8080
+    jenkins_slave_extra_opts: ""
     jenkins_slave01_node_name: ${_param:cluster_node01_name}
   docker:
     client:
+      enabled: true
+      images:
+        - ${_param:docker_image_jenkins_jnlp_slave}
       stack:
         jenkins:
           service:
@@ -25,7 +30,7 @@
                 placement:
                   constraints:
                     - "node.hostname == ${_param:jenkins_slave01_node_name}"
-              image: ${_param:docker_image_jenkins_slave}
+              image: ${_param:docker_image_jenkins_jnlp_slave}
               volumes:
                 - /etc/ssl/certs/:/etc/ssl/certs/:ro
                 - /dev/urandom:/dev/random:ro
diff --git a/docker/swarm/stack/jenkins/master.yml b/docker/swarm/stack/jenkins/master.yml
index 4647521..6ec6afb 100644
--- a/docker/swarm/stack/jenkins/master.yml
+++ b/docker/swarm/stack/jenkins/master.yml
@@ -1,6 +1,5 @@
 classes:
 - system.docker
-- system.docker.client.images.jenkins_master
 parameters:
   _param:
     jenkins_master_extra_opts: ""
@@ -9,13 +8,16 @@
     jenkins_home_dir_path: /var/jenkins_home
   docker:
     client:
+      enabled: true
+      images:
+        - ${_param:docker_image_jenkins}
       stack:
         jenkins:
           service:
             master:
               environment:
                 JENKINS_HOME: ${_param:jenkins_home_dir_path}
-                JAVA_OPTS: " -server -XX:+AlwaysPreTouch -Xloggc:${_param:jenkins_home_dir_path}/gc-%t.log -XX:NumberOfGCLogFiles=5 -XX:+UseGCLogFileRotation -XX:GCLogFileSize=20m -XX:+PrintGC -XX:+PrintGCDateStamps -XX:+PrintGCDetails -XX:+PrintHeapAtGC -XX:+PrintGCCause -XX:+PrintTenuringDistribution -XX:+PrintReferenceGC -XX:+PrintAdaptiveSizePolicy -XX:+UseG1GC -XX:+ExplicitGCInvokesConcurrent -XX:+ParallelRefProcEnabled -XX:+UseStringDeduplication -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=20 -XX:+UseCGroupMemoryLimitForHeap -XX:+UnlockDiagnosticVMOptions -XX:G1SummarizeRSetStatsPeriod=1 -Djenkins.install.runSetupWizard=false -Dhudson.DNSMultiCast.disabled=true -Dhudson.udp=-1 -Dhudson.footerURL=https://www.mirantis.com ${_param:jenkins_master_extra_opts}"
+                JAVA_OPTS: " -server -XX:+AlwaysPreTouch -Xloggc:${_param:jenkins_home_dir_path}/gc-%t.log -XX:NumberOfGCLogFiles=5 -XX:+UseGCLogFileRotation -XX:GCLogFileSize=20m -XX:+PrintGC -XX:+PrintGCDateStamps -XX:+PrintGCDetails -XX:+PrintHeapAtGC -XX:+PrintGCCause -XX:+PrintTenuringDistribution -XX:+PrintReferenceGC -XX:+PrintAdaptiveSizePolicy -XX:+UseG1GC -XX:+ExplicitGCInvokesConcurrent -XX:+ParallelRefProcEnabled -XX:+UseStringDeduplication -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=20 -XX:+UseCGroupMemoryLimitForHeap -XX:+UnlockDiagnosticVMOptions -XX:G1SummarizeRSetStatsPeriod=1 -Djenkins.install.runSetupWizard=false -Dhudson.DNSMultiCast.disabled=true -Dhudson.udp=-1 -Dhudson.footerURL=https://www.mirantis.com -Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts ${_param:jenkins_master_extra_opts}"
                 JENKINS_NUM_EXECUTORS: ${_param:jenkins_master_executors_num}
                 JENKINS_OPTS: " --handlerCountMax=${_param:jenkins_master_max_concurent_requests}"
                 https_proxy: ${_param:docker_https_proxy}
diff --git a/docker/swarm/stack/jenkins/slave.yml b/docker/swarm/stack/jenkins/slave.yml
index 204b29d..4454c5a 100644
--- a/docker/swarm/stack/jenkins/slave.yml
+++ b/docker/swarm/stack/jenkins/slave.yml
@@ -1,5 +1,3 @@
+# jnlp slave
 classes:
-- system.docker
-- system.docker.swarm.stack.jenkins.slave01
-- system.docker.swarm.stack.jenkins.slave02
-- system.docker.swarm.stack.jenkins.slave03
+- system.docker.swarm.stack.jenkins.jnlp_slave_multi
diff --git a/docker/swarm/stack/jenkins/slave02.yml b/docker/swarm/stack/jenkins/slave02.yml
deleted file mode 100644
index ee198cb..0000000
--- a/docker/swarm/stack/jenkins/slave02.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-classes:
-- system.docker.swarm.stack.jenkins.slave_base
-parameters:
-  _param:
-    jenkins_slave02_node_name: ${_param:cluster_node02_name}
-  docker:
-    client:
-      stack:
-        jenkins:
-          service:
-            slave02:
-              environment:
-                JENKINS_URL: ${_param:jenkins_master_url}
-                JENKINS_AGENT_NAME: slave02
-                JENKINS_UPDATE_SLAVE: 'true'
-                JENKINS_LOGIN: ${_param:jenkins_client_user}
-                JENKINS_PASSWORD: ${_param:jenkins_client_password}
-                JAVA_OPTS: "-Dhttp.proxyHost=${_param:docker_http_proxy} -Dhttp.nonProxyHosts=|jenkins_master ${_param:jenkins_slave_extra_opts}"
-                https_proxy: ${_param:docker_https_proxy}
-                http_proxy: ${_param:docker_http_proxy}
-                no_proxy: "jenkins_master,${_param:docker_no_proxy}"
-              deploy:
-                restart_policy:
-                  condition: any
-                placement:
-                  constraints:
-                    - "node.hostname == ${_param:jenkins_slave02_node_name}"
-              image: ${_param:docker_image_jenkins_slave}
-              volumes:
-                - /etc/ssl/certs/:/etc/ssl/certs/:ro
-                - /dev/urandom:/dev/random:ro
-                - /var/run/docker.sock:/var/run/docker.sock
-                - /usr/bin/docker:/usr/bin/docker:ro
-                - /var/lib/jenkins:/var/lib/jenkins
diff --git a/docker/swarm/stack/jenkins/slave03.yml b/docker/swarm/stack/jenkins/slave03.yml
deleted file mode 100644
index b04ea2a..0000000
--- a/docker/swarm/stack/jenkins/slave03.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-classes:
-- system.docker.swarm.stack.jenkins.slave_base
-parameters:
-  _param:
-    jenkins_slave03_node_name: ${_param:cluster_node03_name}
-  docker:
-    client:
-      stack:
-        jenkins:
-          service:
-            slave03:
-              environment:
-                JENKINS_URL: ${_param:jenkins_master_url}
-                JENKINS_AGENT_NAME: slave03
-                JENKINS_UPDATE_SLAVE: 'true'
-                JENKINS_LOGIN: ${_param:jenkins_client_user}
-                JENKINS_PASSWORD: ${_param:jenkins_client_password}
-                JAVA_OPTS: "-Dhttp.proxyHost=${_param:docker_http_proxy} -Dhttp.nonProxyHosts=|jenkins_master ${_param:jenkins_slave_extra_opts}"
-                https_proxy: ${_param:docker_https_proxy}
-                http_proxy: ${_param:docker_http_proxy}
-                no_proxy: "jenkins_master,${_param:docker_no_proxy}"
-              deploy:
-                restart_policy:
-                  condition: any
-                placement:
-                  constraints:
-                    - "node.hostname == ${_param:jenkins_slave03_node_name}"
-              image: ${_param:docker_image_jenkins_slave}
-              volumes:
-                - /etc/ssl/certs/:/etc/ssl/certs/:ro
-                - /dev/urandom:/dev/random:ro
-                - /var/run/docker.sock:/var/run/docker.sock
-                - /usr/bin/docker:/usr/bin/docker:ro
-                - /var/lib/jenkins:/var/lib/jenkins
diff --git a/docker/swarm/stack/jenkins/slave_base.yml b/docker/swarm/stack/jenkins/slave_base.yml
deleted file mode 100644
index 3de4765..0000000
--- a/docker/swarm/stack/jenkins/slave_base.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-classes:
-- system.docker
-- system.docker.client.images.jenkins_slave
-parameters:
-  _param:
-    jenkins_master_url: http://jenkins_master:8080
-    jenkins_slave_extra_opts: ""
diff --git a/docker/swarm/stack/jenkins/slave_single.yml b/docker/swarm/stack/jenkins/slave_single.yml
index 31406d1..ee2bfac 100644
--- a/docker/swarm/stack/jenkins/slave_single.yml
+++ b/docker/swarm/stack/jenkins/slave_single.yml
@@ -1,3 +1,3 @@
+# Left for providing upgrade path
 classes:
-- system.docker
-- system.docker.swarm.stack.jenkins.slave01
+- system.docker.swarm.stack.jenkins.jnlp_slave_single
diff --git a/docker/swarm/stack/jenkins/ssh_slave_multi.yml b/docker/swarm/stack/jenkins/ssh_slave_multi.yml
new file mode 100644
index 0000000..2959e4d
--- /dev/null
+++ b/docker/swarm/stack/jenkins/ssh_slave_multi.yml
@@ -0,0 +1,66 @@
+classes:
+- system.docker.swarm.stack.jenkins.ssh_slave_single
+parameters:
+  _param:
+    jenkins_slave02_node_name: ${_param:cluster_node02_name}
+    jenkins_slave03_node_name: ${_param:cluster_node03_name}
+  docker:
+    client:
+      stack:
+        jenkins:
+          service:
+            slave02:
+              environment:
+                JENKINS_SLAVE_SSH_PUBKEY: ${_param:jenkins_admin_public_key}
+                https_proxy: ${_param:docker_https_proxy}
+                http_proxy: ${_param:docker_http_proxy}
+                no_proxy: "jenkins_master,${_param:docker_no_proxy}"
+              deploy:
+                restart_policy:
+                  condition: any
+                placement:
+                  constraints:
+                    - "node.hostname == ${_param:jenkins_slave02_node_name}"
+              image: ${_param:docker_image_jenkins_ssh_slave}
+              volumes:
+                - /etc/ssl/certs/:/etc/ssl/certs/:ro
+                - /dev/urandom:/dev/random:ro
+                - /var/run/docker.sock:/var/run/docker.sock
+                - /usr/bin/docker:/usr/bin/docker:ro
+                - /var/lib/jenkins:/var/lib/jenkins
+            slave03:
+              environment:
+                JENKINS_SLAVE_SSH_PUBKEY: ${_param:jenkins_admin_public_key}
+                https_proxy: ${_param:docker_https_proxy}
+                http_proxy: ${_param:docker_http_proxy}
+                no_proxy: "jenkins_master,${_param:docker_no_proxy}"
+              deploy:
+                restart_policy:
+                  condition: any
+                placement:
+                  constraints:
+                  - "node.hostname == ${_param:jenkins_slave03_node_name}"
+              image: ${_param:docker_image_jenkins_ssh_slave}
+              volumes:
+              - /etc/ssl/certs/:/etc/ssl/certs/:ro
+              - /dev/urandom:/dev/random:ro
+              - /var/run/docker.sock:/var/run/docker.sock
+              - /usr/bin/docker:/usr/bin/docker:ro
+              - /var/lib/jenkins:/var/lib/jenkins
+  jenkins:
+    client:
+      node:
+        slave02:
+          launcher:
+            type: ssh
+            host: jenkins_slave02
+            port: 22
+            username: jenkins
+            credentials: ssh_slave
+        slave03:
+          launcher:
+            type: ssh
+            host: jenkins_slave03
+            port: 22
+            username: jenkins
+            credentials: ssh_slave
diff --git a/docker/swarm/stack/jenkins/ssh_slave_single.yml b/docker/swarm/stack/jenkins/ssh_slave_single.yml
new file mode 100644
index 0000000..dbdaf1d
--- /dev/null
+++ b/docker/swarm/stack/jenkins/ssh_slave_single.yml
@@ -0,0 +1,47 @@
+classes:
+- system.docker
+parameters:
+  _param:
+    jenkins_slave01_node_name: ${_param:cluster_node01_name}
+  docker:
+    client:
+      enabled: true
+      images:
+        - ${_param:docker_image_jenkins_ssh_slave}
+      stack:
+        jenkins:
+          service:
+            slave01:
+              environment:
+                JENKINS_SLAVE_SSH_PUBKEY: ${_param:jenkins_admin_public_key}
+                https_proxy: ${_param:docker_https_proxy}
+                http_proxy: ${_param:docker_http_proxy}
+                no_proxy: "jenkins_master,${_param:docker_no_proxy}"
+              deploy:
+                restart_policy:
+                  condition: any
+                placement:
+                  constraints:
+                  - "node.hostname == ${_param:jenkins_slave01_node_name}"
+              image: ${_param:docker_image_jenkins_ssh_slave}
+              volumes:
+              - /etc/ssl/certs/:/etc/ssl/certs/:ro
+              - /dev/urandom:/dev/random:ro
+              - /var/run/docker.sock:/var/run/docker.sock
+              - /usr/bin/docker:/usr/bin/docker:ro
+              - /var/lib/jenkins:/var/lib/jenkins
+  jenkins:
+    client:
+      node:
+        slave01:
+          launcher:
+            type: ssh
+            host: jenkins_slave01
+            port: 22
+            username: jenkins
+            credentials: ssh_slave
+      credential:
+        ssh_slave:
+          username: jenkins
+          key: ${_param:jenkins_admin_private_key}
+
diff --git a/docker/swarm/stack/ldap.yml b/docker/swarm/stack/ldap.yml
index b785711..1e12a4a 100644
--- a/docker/swarm/stack/ldap.yml
+++ b/docker/swarm/stack/ldap.yml
@@ -21,13 +21,24 @@
               volumes:
                 - /srv/volumes/openldap/database:/var/lib/ldap
                 - /srv/volumes/openldap/config:/etc/ldap/slapd.d
+                - ${_param:openldap_tls:keyfile}:/container/service/slapd/assets/certs/drivetrain_ldap.key:ro
+                - ${_param:openldap_tls:certfile}:/container/service/slapd/assets/certs/drivetrain_ldap.crt:ro
+                - /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem:/container/service/slapd/assets/certs/ca.crt:ro
+              # copy to /container/run/service to avoid issues with owning certs as openldap user
+              # https://github.com/osixia/docker-openldap/issues/59
+              command: --copy-service
               environment:
                 HOSTNAME: ldap01.${_param:openldap_domain}
                 LDAP_ORGANISATION: "${_param:openldap_organisation}"
                 LDAP_DOMAIN: "${_param:openldap_domain}"
                 LDAP_ADMIN_PASSWORD: ${_param:openldap_admin_password}
                 LDAP_CONFIG_PASSWORD: ${_param:openldap_config_password}
-                LDAP_TLS: "false"
+                LDAP_TLS: "true"
+                LDAP_TLS_VERIFY_CLIENT: try
+                LDAP_TLS_CIPHER_SUITE: NORMAL:-VERS-SSL3.0:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0
+                LDAP_TLS_CRT_FILENAME: drivetrain_ldap.crt
+                LDAP_TLS_KEY_FILENAME: drivetrain_ldap.key
+                LDAP_TLS_CA_CRT_FILENAME: ca.crt
             admin:
               networks:
                 - ldap
@@ -38,9 +49,19 @@
               depends_on:
                 - server
               hostname: ldap
+              command: --copy-service
+              volumes:
+                - ${_param:openldap_tls:keyfile}:/container/service/ldap-client/assets/certs/drivetrain_ldap.key:ro
+                - ${_param:openldap_tls:certfile}:/container/service/ldap-client/assets/certs/drivetrain_ldap.crt:ro
+                - /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem:/container/service/ldap-client/assets/certs/ca.crt:ro
               environment:
                 PHPLDAPADMIN_LDAP_ADMIN_PASSWORD: ${_param:openldap_admin_password}
-                PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{'server': [{'server': [{'tls': False}]},{'login': [{'bind_id': 'cn=admin,${_param:openldap_dn}'},{'bind_pass': '$PHPLDAPADMIN_LDAP_ADMIN_PASSWORD'}]}]}]"
+                PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{'server': [{'server': [{'host': 'ldaps://${_param:cicd_control_address}', 'tls': False}]},{'login': [{'bind_id': 'cn=admin,${_param:openldap_dn}'},{'bind_pass': '$PHPLDAPADMIN_LDAP_ADMIN_PASSWORD'}]}]}]"
+                PHPLDAPADMIN_LDAP_CLIENT_TLS: "true"
+                PHPLDAPADMIN_LDAP_CLIENT_TLS_CA_CRT_FILENAME: drivetrain_ldap.crt
+                PHPLDAPADMIN_LDAP_CLIENT_TLS_CRT_FILENAME: drivetrain_ldap.key
+                PHPLDAPADMIN_LDAP_CLIENT_TLS_KEY_FILENAME: ca.crt
+                PHPLDAPADMIN_LDAP_CLIENT_TLS_REQCERT: 'try'
                 PHPLDAPADMIN_HTTPS: "false"
                 PHPLDAPADMIN_TRUST_PROXY_SSL: "true"
                 PHPLDAPADMIN_SERVER_ADMIN: ${_param:admin_email}
diff --git a/haproxy/proxy/listen/phpldapadmin.yml b/haproxy/proxy/listen/phpldapadmin.yml
index b2b7f93..6bbb885 100644
--- a/haproxy/proxy/listen/phpldapadmin.yml
+++ b/haproxy/proxy/listen/phpldapadmin.yml
@@ -2,6 +2,9 @@
   _param:
     haproxy_phpldapadmin_bind_host: ${_param:haproxy_bind_address}
     haproxy_phpldapadmin_bind_port: 8089
+    haproxy_phpldapadmin_ssl:
+      enabled: true
+      pem_file: /etc/haproxy/ssl/drivetrain.pem
   haproxy:
     proxy:
       listen:
@@ -12,9 +15,13 @@
             - httpclose
             - httplog
           balance: source
+          http_request:
+            - action: "add-header X-Forwarded-Proto https"
+              condition: "if { ssl_fc }"
           binds:
             - address: ${_param:haproxy_phpldapadmin_bind_host}
               port: ${_param:haproxy_phpldapadmin_bind_port}
+              ssl: ${_param:haproxy_phpldapadmin_ssl}
           servers:
             - name: ${_param:cluster_node01_name}
               host: ${_param:cluster_node01_address}
diff --git a/jenkins/client/credential/source_git.yml b/jenkins/client/credential/source_git.yml
new file mode 100644
index 0000000..ec350f0
--- /dev/null
+++ b/jenkins/client/credential/source_git.yml
@@ -0,0 +1,10 @@
+parameters:
+  _param:
+    pipeline_library_source_credentials: source_git
+  jenkins:
+    client:
+      credential:
+        source_git:
+          desc: Credentials to source git repositories for pipelines
+          username: ${_param:source_git_username}
+          password: ${_param:source_git_password}
diff --git a/jenkins/client/job/deploy/backupninja_backup.yml b/jenkins/client/job/deploy/backupninja_backup.yml
index e798e64..ab5caf0 100644
--- a/jenkins/client/job/deploy/backupninja_backup.yml
+++ b/jenkins/client/job/deploy/backupninja_backup.yml
@@ -14,7 +14,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: "${_param:jenkins_gerrit_credentials}"
             script: backupninja-backup-pipeline.groovy
           param:
             SALT_MASTER_CREDENTIALS:
diff --git a/jenkins/client/job/deploy/backupninja_restore.yml b/jenkins/client/job/deploy/backupninja_restore.yml
index 664aa26..192f5dc 100644
--- a/jenkins/client/job/deploy/backupninja_restore.yml
+++ b/jenkins/client/job/deploy/backupninja_restore.yml
@@ -15,7 +15,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: "${_param:jenkins_gerrit_credentials}"
             script: backupninja-restore-pipeline.groovy
           param:
             SALT_MASTER_CREDENTIALS:
diff --git a/jenkins/client/job/deploy/kqueen.yml b/jenkins/client/job/deploy/kqueen.yml
index 1935a43..ff4a35f 100644
--- a/jenkins/client/job/deploy/kqueen.yml
+++ b/jenkins/client/job/deploy/kqueen.yml
@@ -33,7 +33,7 @@
               default: "${_param:jenkins_gerrit_url}/mk/heat-templates"
             STACK_TEMPLATE_CREDENTIALS:
               type: string
-              default: "gerrit"
+              default: ${_param:jenkins_gerrit_credentials}
             STACK_TEMPLATE_BRANCH:
               type: string
               default: "master"
@@ -93,7 +93,7 @@
               default: "${_param:jenkins_gerrit_url}/mk/heat-templates"
             STACK_TEMPLATE_CREDENTIALS:
               type: string
-              default: "gerrit"
+              default: ${_param:jenkins_gerrit_credentials}
             STACK_TEMPLATE_BRANCH:
               type: string
               default: "master"
diff --git a/jenkins/client/job/deploy/lab/mom_deploy.yml b/jenkins/client/job/deploy/lab/mom_deploy.yml
index c6bbbc5..f03b485 100644
--- a/jenkins/client/job/deploy/lab/mom_deploy.yml
+++ b/jenkins/client/job/deploy/lab/mom_deploy.yml
@@ -100,7 +100,7 @@
               default: "master"
             STACK_TEMPLATE_CREDENTIALS:
               type: string
-              default: "gerrit"
+              default: "${_param:jenkins_gerrit_credentials}"
             STACK_TEMPLATE_URL:
               type: string
               default: "${_param:jenkins_gerrit_url}/mk/heat-templates"
diff --git a/jenkins/client/job/git-mirrors/downstream/init.yml b/jenkins/client/job/git-mirrors/downstream/init.yml
index 5a6257c..92a3d6d 100644
--- a/jenkins/client/job/git-mirrors/downstream/init.yml
+++ b/jenkins/client/job/git-mirrors/downstream/init.yml
@@ -19,18 +19,21 @@
               type: git
               url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
               branch: "${_param:jenkins_pipelines_branch}"
-              credentials: ${_param:jenkins_gerrit_credentials}
+              credentials: "${_param:jenkins_gerrit_credentials}"
               script: git-mirror-pipeline.groovy
             param:
               SOURCE_URL:
                 type: string
                 default: "{{upstream}}"
+              SOURCE_CREDENTIALS:
+                type: string
+                default: "{{source_credentials}}"
               TARGET_URL:
                 type: string
                 default: "${_param:jenkins_gerrit_url}/{{downstream}}"
               CREDENTIALS_ID:
                 type: string
-                default: "gerrit"
+                default: ${_param:jenkins_gerrit_credentials}
               BRANCHES:
                 type: string
                 default: "{{branches}}"
diff --git a/jenkins/client/job/git-mirrors/downstream/pipelines.yml b/jenkins/client/job/git-mirrors/downstream/pipelines.yml
index fbec27c..ea9cbe1 100644
--- a/jenkins/client/job/git-mirrors/downstream/pipelines.yml
+++ b/jenkins/client/job/git-mirrors/downstream/pipelines.yml
@@ -4,12 +4,17 @@
   _param:
     gerrit_pipeline_library_repo: https://github.com/Mirantis/pipeline-library
     gerrit_mk_pipelines_repo: https://github.com/Mirantis/mk-pipelines
+    pipeline_library_source_credentials: ""
+    mk_pipelines_source_credentials: ${_param:pipeline_library_source_credentials}
+    vnf_onboaring_source_credentials: ${_param:pipeline_library_source_credentials}
     jenkins_git_mirror_downstream_jobs:
       - name: pipeline-library
         downstream: mcp-ci/pipeline-library
         upstream: "${_param:gerrit_pipeline_library_repo}"
         branches: "*"
+        source_credentials: "${_param:pipeline_library_source_credentials}"
       - name: mk-pipelines
         downstream: mk/mk-pipelines
         upstream: "${_param:gerrit_mk_pipelines_repo}"
-        branches: "*"
\ No newline at end of file
+        branches: "*"
+        source_credentials: "${_param:mk_pipelines_source_credentials}"
\ No newline at end of file
diff --git a/jenkins/client/ssh_node.yml b/jenkins/client/ssh_node.yml
new file mode 100644
index 0000000..4203e6b
--- /dev/null
+++ b/jenkins/client/ssh_node.yml
@@ -0,0 +1,13 @@
+parameters:
+  jenkins:
+    client:
+      node:
+        slave01:
+          launcher:
+            type: ssh
+        slave02:
+          launcher:
+            type: ssh
+        slave03:
+          launcher:
+            type: ssh
diff --git a/nginx/server/proxy/cicd/gerrit.yml b/nginx/server/proxy/cicd/gerrit.yml
index 0baf26c..72d0e12 100644
--- a/nginx/server/proxy/cicd/gerrit.yml
+++ b/nginx/server/proxy/cicd/gerrit.yml
@@ -15,7 +15,7 @@
           proxy:
             host: ${_param:nginx_proxy_gerrit_server_proxy_host}
             port: ${_param:nginx_proxy_gerrit_server_proxy_port}
-            protocol: http
+            protocol: https
           host:
             name: ${_param:nginx_proxy_gerrit_server_site_host}
             port: ${_param:nginx_proxy_gerrit_server_site_port}
diff --git a/nginx/server/proxy/cicd/jenkins.yml b/nginx/server/proxy/cicd/jenkins.yml
index bd270f2..b348f26 100644
--- a/nginx/server/proxy/cicd/jenkins.yml
+++ b/nginx/server/proxy/cicd/jenkins.yml
@@ -15,7 +15,7 @@
           proxy:
             host: ${_param:nginx_proxy_jenkins_server_proxy_host}
             port: ${_param:nginx_proxy_jenkins_server_proxy_port}
-            protocol: http
+            protocol: https
           host:
             name: ${_param:nginx_proxy_jenkins_server_site_host}
             port: ${_param:nginx_proxy_jenkins_server_site_port}
diff --git a/octavia/api/cluster.yml b/octavia/api/cluster.yml
index 31989b0..e698481 100644
--- a/octavia/api/cluster.yml
+++ b/octavia/api/cluster.yml
@@ -11,6 +11,7 @@
       bind:
         address: ${_param:cluster_local_address}
       database:
+        user: ${_param:mysql_octavia_username}
         host: ${_param:openstack_database_address}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
@@ -20,6 +21,7 @@
         ssl:
           enabled: ${_param:galera_ssl_enabled}
       identity:
+        user: ${_param:keystone_octavia_username}
         region: ${_param:openstack_region}
         protocol: ${_param:cluster_internal_protocol}
       message_queue:
diff --git a/octavia/api/single.yml b/octavia/api/single.yml
index c42009d..b359885 100644
--- a/octavia/api/single.yml
+++ b/octavia/api/single.yml
@@ -10,6 +10,7 @@
       bind:
         address: ${_param:single_address}
       database:
+        user: ${_param:mysql_octavia_username}
         host: ${_param:openstack_database_address}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
@@ -19,6 +20,7 @@
         ssl:
           enabled: ${_param:galera_ssl_enabled}
       identity:
+        user: ${_param:keystone_octavia_username}
         region: ${_param:openstack_region}
         protocol: ${_param:cluster_internal_protocol}
       message_queue:
diff --git a/octavia/manager/cluster.yml b/octavia/manager/cluster.yml
index f86dd80..c10e800 100644
--- a/octavia/manager/cluster.yml
+++ b/octavia/manager/cluster.yml
@@ -12,6 +12,7 @@
         user: octavia
         group: octavia
       database:
+        user: ${_param:mysql_octavia_username}
         host: ${_param:openstack_database_address}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
@@ -21,6 +22,7 @@
         ssl:
           enabled: ${_param:galera_ssl_enabled}
       identity:
+        user: ${_param:keystone_octavia_username}
         region: ${_param:openstack_region}
         protocol: ${_param:cluster_internal_protocol}
       message_queue:
diff --git a/octavia/manager/single.yml b/octavia/manager/single.yml
index e1e356b..51671eb 100644
--- a/octavia/manager/single.yml
+++ b/octavia/manager/single.yml
@@ -17,6 +17,7 @@
         user: octavia
         group: octavia
       database:
+        user: ${_param:mysql_octavia_username}
         host: ${_param:openstack_database_address}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
@@ -26,6 +27,7 @@
         ssl:
           enabled: ${_param:galera_ssl_enabled}
       identity:
+        user: ${_param:keystone_octavia_username}
         region: ${_param:openstack_region}
         protocol: ${_param:cluster_internal_protocol}
       message_queue:
diff --git a/opencontrail/control/analytics4_0.yml b/opencontrail/control/analytics4_0.yml
index 19fefcc..91868d3 100644
--- a/opencontrail/control/analytics4_0.yml
+++ b/opencontrail/control/analytics4_0.yml
@@ -94,6 +94,7 @@
                 - /var/crashes:/var/crashes
                 - /var/log/contrail:/var/log/contrail
                 - /var/log/journal/contrail-analytics:/var/log/journal
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
               env_file:
                 - contrail.env
             analyticsdb:
@@ -117,6 +118,7 @@
                 - /var/log/journal/contrail-analyticsdb:/var/log/journal
                 - ${_param:opencontrail_host_analyticsdb_log_dir}/cassandra:${_param:opencontrail_cassandra_log_dir}
                 - ${_param:opencontrail_host_analyticsdb_log_dir}/zookeeper:${_param:opencontrail_zookeeper_log_dir}
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
               network_mode: "host"
               privileged: true
               restart: always
diff --git a/opencontrail/control/cluster4_0.yml b/opencontrail/control/cluster4_0.yml
index 6859b9c..bbba05c 100644
--- a/opencontrail/control/cluster4_0.yml
+++ b/opencontrail/control/cluster4_0.yml
@@ -162,6 +162,7 @@
                 - /var/log/journal/contrail-controller:/var/log/journal
                 - ${_param:opencontrail_host_configdb_log_dir}/cassandra:${_param:opencontrail_cassandra_log_dir}
                 - ${_param:opencontrail_host_configdb_log_dir}/zookeeper:${_param:opencontrail_zookeeper_log_dir}
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
               network_mode: "host"
               privileged: true
               restart: always
@@ -178,6 +179,7 @@
                 - /etc/redis/redis.conf:/etc/redis/redis.conf
                 - /var/log/contrail:/var/log/contrail
                 - /var/log/journal/contrail-analytics:/var/log/journal
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
               env_file:
                 - contrail.env
             analyticsdb:
@@ -201,6 +203,7 @@
                 - /var/log/journal/contrail-analyticsdb:/var/log/journal
                 - ${_param:opencontrail_host_analyticsdb_log_dir}/cassandra:${_param:opencontrail_cassandra_log_dir}
                 - ${_param:opencontrail_host_analyticsdb_log_dir}/zookeeper:${_param:opencontrail_zookeeper_log_dir}
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
               network_mode: "host"
               privileged: true
               restart: always
diff --git a/opencontrail/control/control4_0.yml b/opencontrail/control/control4_0.yml
index bc37f8e..67c91e2 100644
--- a/opencontrail/control/control4_0.yml
+++ b/opencontrail/control/control4_0.yml
@@ -120,6 +120,7 @@
                 - /var/log/journal/contrail-controller:/var/log/journal
                 - ${_param:opencontrail_host_configdb_log_dir}/cassandra:${_param:opencontrail_cassandra_log_dir}
                 - ${_param:opencontrail_host_configdb_log_dir}/zookeeper:${_param:opencontrail_zookeeper_log_dir}
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
               network_mode: "host"
               privileged: true
               restart: always
diff --git a/opencontrail/control/single4_0.yml b/opencontrail/control/single4_0.yml
index 89768d3..7612638 100644
--- a/opencontrail/control/single4_0.yml
+++ b/opencontrail/control/single4_0.yml
@@ -173,6 +173,7 @@
                 - /etc/zookeeper/conf/log4j.properties:/etc/zookeeper/conf/log4j.properties
                 - /var/log/contrail:/var/log/contrail
                 - /var/log/journal/contrail-controller:/var/log/journal
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
               network_mode: "host"
               privileged: true
               restart: always
@@ -189,6 +190,7 @@
                 - /etc/redis/redis.conf:/etc/redis/redis.conf
                 - /var/log/contrail:/var/log/contrail
                 - /var/log/journal/contrail-analytics:/var/log/journal
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
               env_file:
                 - contrail.env
             analyticsdb:
@@ -210,6 +212,7 @@
                 - /etc/zookeeper/conf/log4j.properties:/etc/zookeeper/conf/log4j.properties
                 - /var/log/contrail:/var/log/contrail
                 - /var/log/journal/contrail-analyticsdb:/var/log/journal
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
               network_mode: "host"
               privileged: true
               restart: always
diff --git a/openldap/client/init.yml b/openldap/client/init.yml
index 25812f6..c0c20a8 100644
--- a/openldap/client/init.yml
+++ b/openldap/client/init.yml
@@ -3,7 +3,10 @@
 parameters:
   _param:
     openldap_server: ${_param:cluster_vip_address}
-    openldap_tls: false
+    openldap_tls:
+      starttls: true
+      keyfile: /etc/haproxy/ssl/drivetrain.key
+      certfile: /etc/haproxy/ssl/drivetrain.crt
   openldap:
     client:
       server:
diff --git a/salt/control/cluster/infra_proxy_cluster.yml b/salt/control/cluster/infra_proxy_cluster.yml
index 6d4b25b..7d0454d 100644
--- a/salt/control/cluster/infra_proxy_cluster.yml
+++ b/salt/control/cluster/infra_proxy_cluster.yml
@@ -1,6 +1,6 @@
 parameters:
   _param:
-    infra_proxy_backend_image: ${_param:salt_control_trusty_image_backend}
+    infra_proxy_backend_image: ${_param:salt_control_xenial_image_backend}
     salt_control_cluster_node_cloud_init_infra_proxy:
       user_data:
         write_files:
@@ -25,14 +25,14 @@
             prx01:
               name: ${_param:openstack_proxy_node01_hostname}
               provider: ${_param:infra_kvm_node01_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:infra_proxy_backend_image}
               size: infra.proxy
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_infra_proxy}
             prx02:
               name: ${_param:openstack_proxy_node01_hostname}
               provider: ${_param:infra_kvm_node02_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:infra_proxy_backend_image}
               size: infra.proxy
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_infra_proxy}
diff --git a/salt/control/cluster/infra_proxy_single.yml b/salt/control/cluster/infra_proxy_single.yml
index fe6c710..c9110f8 100644
--- a/salt/control/cluster/infra_proxy_single.yml
+++ b/salt/control/cluster/infra_proxy_single.yml
@@ -1,6 +1,6 @@
 parameters:
   _param:
-    infra_proxy_backend_image: ${_param:salt_control_trusty_image_backend}
+    infra_proxy_backend_image: ${_param:salt_control_xenial_image_backend}
     salt_control_cluster_node_cloud_init_infra_proxy:
       user_data:
         write_files:
@@ -25,7 +25,7 @@
             prx01:
               name: ${_param:openstack_proxy_node01_hostname}
               provider: ${_param:infra_kvm_node01_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:infra_proxy_backend_image}
               size: infra.proxy
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_infra_proxy}
diff --git a/salt/control/cluster/opencontrail_analytics_cluster.yml b/salt/control/cluster/opencontrail_analytics_cluster.yml
index 4652ce2..f3de786 100644
--- a/salt/control/cluster/opencontrail_analytics_cluster.yml
+++ b/salt/control/cluster/opencontrail_analytics_cluster.yml
@@ -1,6 +1,6 @@
 parameters:
   _param:
-    opencontrail_analytics_backend_image: ${_param:salt_control_trusty_image_backend}
+    opencontrail_analytics_backend_image: ${_param:salt_control_xenial_image_backend}
     salt_control_cluster_node_cloud_init_opencontrail_analytics:
       user_data:
         write_files:
@@ -25,21 +25,21 @@
             nal01:
               name: ${_param:opencontrail_analytics_node01_hostname}
               provider: ${_param:infra_kvm_node01_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:opencontrail_analytics_backend_image}
               size: opencontrail.analytics
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_opencontrail_analytics}
             nal02:
               name: ${_param:opencontrail_analytics_node02_hostname}
               provider: ${_param:infra_kvm_node02_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:opencontrail_analytics_backend_image}
               size: opencontrail.analytics
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_opencontrail_analytics}
             nal03:
               name: ${_param:opencontrail_analytics_node03_hostname}
               provider: ${_param:infra_kvm_node03_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:opencontrail_analytics_backend_image}
               size: opencontrail.analytics
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_opencontrail_analytics}
diff --git a/salt/control/cluster/opencontrail_control_cluster.yml b/salt/control/cluster/opencontrail_control_cluster.yml
index 2f73d1f..2189738 100644
--- a/salt/control/cluster/opencontrail_control_cluster.yml
+++ b/salt/control/cluster/opencontrail_control_cluster.yml
@@ -1,6 +1,6 @@
 parameters:
   _param:
-    opencontrail_control_backend_image: ${_param:salt_control_trusty_image_backend}
+    opencontrail_control_backend_image: ${_param:salt_control_xenial_image_backend}
     salt_control_cluster_node_cloud_init_opencontrail_control:
       user_data:
         write_files:
@@ -25,21 +25,21 @@
             ntw01:
               name: ${_param:opencontrail_control_node01_hostname}
               provider: ${_param:infra_kvm_node01_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:opencontrail_control_backend_image}
               size: opencontrail.control
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_opencontrail_control}
             ntw02:
               name: ${_param:opencontrail_control_node02_hostname}
               provider: ${_param:infra_kvm_node02_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:opencontrail_control_backend_image}
               size: opencontrail.control
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_opencontrail_control}
             ntw03:
               name: ${_param:opencontrail_control_node03_hostname}
               provider: ${_param:infra_kvm_node03_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:opencontrail_control_backend_image}
               size: opencontrail.control
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_opencontrail_control}
diff --git a/salt/control/cluster/openstack_benchmark_single.yml b/salt/control/cluster/openstack_benchmark_single.yml
index 814f65a..3d2bacd 100644
--- a/salt/control/cluster/openstack_benchmark_single.yml
+++ b/salt/control/cluster/openstack_benchmark_single.yml
@@ -1,6 +1,6 @@
 parameters:
   _param:
-    openstack_benchmark_backend_image: ${_param:salt_control_trusty_image_backend}
+    openstack_benchmark_backend_image: ${_param:salt_control_xenial_image_backend}
     salt_control_cluster_node_cloud_init_openstack_benchmark:
       user_data:
         write_files:
@@ -25,7 +25,7 @@
             bmk01:
               name: ${_param:openstack_benchmark_node01_hostname}
               provider: ${_param:infra_kvm_node03_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_benchmark_backend_image}
               size: openstack.benchmark
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_benchmark}
diff --git a/salt/control/cluster/openstack_billing_single.yml b/salt/control/cluster/openstack_billing_single.yml
index 9853725..ae724e9 100644
--- a/salt/control/cluster/openstack_billing_single.yml
+++ b/salt/control/cluster/openstack_billing_single.yml
@@ -1,6 +1,6 @@
 parameters:
   _param:
-    openstack_billing_backend_image: ${_param:salt_control_trusty_image_backend}
+    openstack_billing_backend_image: ${_param:salt_control_xenial_image_backend}
     salt_control_cluster_node_cloud_init_openstack_billing:
       user_data:
         write_files:
@@ -24,7 +24,7 @@
           node:
             bil01:
               provider: ${_param:infra_kvm_node03_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_billing_backend_image}
               size: openstack.billing
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_billing}
diff --git a/salt/control/cluster/openstack_control_cluster.yml b/salt/control/cluster/openstack_control_cluster.yml
index 367041a..8ed8a5e 100644
--- a/salt/control/cluster/openstack_control_cluster.yml
+++ b/salt/control/cluster/openstack_control_cluster.yml
@@ -1,6 +1,6 @@
 parameters:
   _param:
-    openstack_control_backend_image: ${_param:salt_control_trusty_image_backend}
+    openstack_control_backend_image: ${_param:salt_control_xenial_image_backend}
     salt_control_cluster_node_cloud_init_openstack_control:
       user_data:
         write_files:
@@ -25,21 +25,21 @@
             ctl01:
               name: ${_param:openstack_control_node01_hostname}
               provider: ${_param:infra_kvm_node01_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_control_backend_image}
               size: openstack.control
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_control}
             ctl02:
               name: ${_param:openstack_control_node02_hostname}
               provider: ${_param:infra_kvm_node02_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_control_backend_image}
               size: openstack.control
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_control}
             ctl03:
               name: ${_param:openstack_control_node03_hostname}
               provider: ${_param:infra_kvm_node03_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_control_backend_image}
               size: openstack.control
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_control}
diff --git a/salt/control/cluster/openstack_database_cluster.yml b/salt/control/cluster/openstack_database_cluster.yml
index cee9ff8..56ecd2f 100644
--- a/salt/control/cluster/openstack_database_cluster.yml
+++ b/salt/control/cluster/openstack_database_cluster.yml
@@ -1,6 +1,6 @@
 parameters:
   _param:
-    openstack_database_backend_image: ${_param:salt_control_trusty_image_backend}
+    openstack_database_backend_image: ${_param:salt_control_xenial_image_backend}
     salt_control_cluster_node_cloud_init_openstack_database:
       user_data:
         write_files:
@@ -25,21 +25,21 @@
             dbs01:
               name: ${_param:openstack_database_node01_hostname}
               provider: ${_param:infra_kvm_node01_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_database_backend_image}
               size: openstack.database
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_database}
             dbs02:
               name: ${_param:openstack_database_node02_hostname}
               provider: ${_param:infra_kvm_node02_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_database_backend_image}
               size: openstack.database
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_database}
             dbs03:
               name: ${_param:openstack_database_node03_hostname}
               provider: ${_param:infra_kvm_node03_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_database_backend_image}
               size: openstack.database
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_database}
diff --git a/salt/control/cluster/openstack_message_queue_cluster.yml b/salt/control/cluster/openstack_message_queue_cluster.yml
index 7a59a52..cccc408 100644
--- a/salt/control/cluster/openstack_message_queue_cluster.yml
+++ b/salt/control/cluster/openstack_message_queue_cluster.yml
@@ -1,6 +1,6 @@
 parameters:
   _param:
-    openstack_message_queue_backend_image: ${_param:salt_control_trusty_image_backend}
+    openstack_message_queue_backend_image: ${_param:salt_control_xenial_image_backend}
     salt_control_cluster_node_cloud_init_openstack_message_queue:
       user_data:
         write_files:
@@ -25,21 +25,21 @@
             msg01:
               name: ${_param:openstack_message_queue_node01_hostname}
               provider: ${_param:infra_kvm_node01_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_message_queue_backend_image}
               size: openstack.message_queue
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_message_queue}
             msg02:
               name: ${_param:openstack_message_queue_node02_hostname}
               provider: ${_param:infra_kvm_node02_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_message_queue_backend_image}
               size: openstack.message_queue
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_message_queue}
             msg03:
               name: ${_param:openstack_message_queue_node03_hostname}
               provider: ${_param:infra_kvm_node03_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_message_queue_backend_image}
               size: openstack.message_queue
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_message_queue}
diff --git a/salt/control/cluster/openstack_proxy_cluster.yml b/salt/control/cluster/openstack_proxy_cluster.yml
index 1f3f134..4027e00 100644
--- a/salt/control/cluster/openstack_proxy_cluster.yml
+++ b/salt/control/cluster/openstack_proxy_cluster.yml
@@ -1,6 +1,6 @@
 parameters:
   _param:
-    openstack_proxy_backend_image: ${_param:salt_control_trusty_image_backend}
+    openstack_proxy_backend_image: ${_param:salt_control_xenial_image_backend}
     salt_control_cluster_node_cloud_init_openstack_proxy:
       user_data:
         write_files:
@@ -25,14 +25,14 @@
             prx01:
               name: ${_param:openstack_proxy_node01_hostname}
               provider: ${_param:infra_kvm_node01_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_proxy_backend_image}
               size: openstack.proxy
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_proxy}
             prx02:
               name: ${_param:openstack_proxy_node02_hostname}
               provider: ${_param:infra_kvm_node02_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_proxy_backend_image}
               size: openstack.proxy
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_proxy}
diff --git a/salt/control/cluster/openstack_proxy_single.yml b/salt/control/cluster/openstack_proxy_single.yml
index 11771b0..386d024 100644
--- a/salt/control/cluster/openstack_proxy_single.yml
+++ b/salt/control/cluster/openstack_proxy_single.yml
@@ -1,6 +1,6 @@
 parameters:
   _param:
-    openstack_proxy_backend_image: ${_param:salt_control_trusty_image_backend}
+    openstack_proxy_backend_image: ${_param:salt_control_xenial_image_backend}
     salt_control_cluster_node_cloud_init_openstack_proxy:
       user_data:
         write_files:
@@ -25,7 +25,7 @@
             prx01:
               name: ${_param:openstack_proxy_node01_hostname}
               provider: ${_param:infra_kvm_node01_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_proxy_backend_image}
               size: openstack.proxy
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_proxy}
diff --git a/salt/control/cluster/openstack_telemetry_cluster.yml b/salt/control/cluster/openstack_telemetry_cluster.yml
index 594d671..d53bb45 100644
--- a/salt/control/cluster/openstack_telemetry_cluster.yml
+++ b/salt/control/cluster/openstack_telemetry_cluster.yml
@@ -1,6 +1,6 @@
 parameters:
   _param:
-    openstack_telemetry_backend_image: ${_param:salt_control_trusty_image_backend}
+    openstack_telemetry_backend_image: ${_param:salt_control_xenial_image_backend}
     salt_control_cluster_node_cloud_init_openstack_telemetry:
       user_data:
         write_files:
@@ -25,21 +25,21 @@
             mdb01:
               name: ${_param:openstack_telemetry_node01_hostname}
               provider: ${_param:infra_kvm_node01_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_telemetry_backend_image}
               size: openstack.telemetry
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_telemetry}
             mdb02:
               name: ${_param:openstack_telemetry_node02_hostname}
               provider: ${_param:infra_kvm_node02_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_telemetry_backend_image}
               size: openstack.telemetry
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_telemetry}
             mdb03:
               name: ${_param:openstack_telemetry_node03_hostname}
               provider: ${_param:infra_kvm_node03_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_telemetry_backend_image}
               size: openstack.telemetry
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_telemetry}
diff --git a/salt/control/placement/opencontrail/medium.yml b/salt/control/placement/opencontrail/medium.yml
index e596bcb..f75e760 100644
--- a/salt/control/placement/opencontrail/medium.yml
+++ b/salt/control/placement/opencontrail/medium.yml
@@ -1,8 +1,8 @@
 parameters:
   _param:
-    infra_kvm07_hostname: kvm07
-    infra_kvm08_hostname: kvm08
-    infra_kvm09_hostname: kvm09
+    infra_kvm04_hostname: kvm04
+    infra_kvm05_hostname: kvm05
+    infra_kvm06_hostname: kvm06
     opencontrail_control_node01_hostname: ntw01
     opencontrail_control_node02_hostname: ntw02
     opencontrail_control_node03_hostname: ntw03
@@ -34,41 +34,41 @@
               name: ${_param:opencontrail_control_node01_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:opencontrail_control_backend_image}
-              provider: ${_param:infra_kvm_node07_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node04_hostname}.${_param:cluster_domain}
               size: opencontrail.control
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_opencontrail_control}
             ntw02:
               name: ${_param:opencontrail_control_node02_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:opencontrail_control_backend_image}
-              provider: ${_param:infra_kvm_node08_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node05_hostname}.${_param:cluster_domain}
               size: opencontrail.control
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_opencontrail_control}
             ntw03:
               name: ${_param:opencontrail_control_node03_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:opencontrail_control_backend_image}
-              provider: ${_param:infra_kvm_node09_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node06_hostname}.${_param:cluster_domain}
               size: opencontrail.control
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_opencontrail_control}
             nal01:
               name: ${_param:opencontrail_analytics_node01_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:opencontrail_analytics_backend_image}
-              provider: ${_param:infra_kvm_node07_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node04_hostname}.${_param:cluster_domain}
               size: opencontrail.analytics
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_opencontrail_analytics}
             nal02:
               name: ${_param:opencontrail_analytics_node02_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:opencontrail_analytics_backend_image}
-              provider: ${_param:infra_kvm_node08_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node05_hostname}.${_param:cluster_domain}
               size: opencontrail.analytics
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_opencontrail_analytics}
             nal03:
               name: ${_param:opencontrail_analytics_node03_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:opencontrail_analytics_backend_image}
-              provider: ${_param:infra_kvm_node09_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node06_hostname}.${_param:cluster_domain}
               size: opencontrail.analytics
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_opencontrail_analytics}
diff --git a/salt/control/placement/openstack/medium.yml b/salt/control/placement/openstack/medium.yml
index 6867e3a..d2a8507 100644
--- a/salt/control/placement/openstack/medium.yml
+++ b/salt/control/placement/openstack/medium.yml
@@ -17,10 +17,17 @@
     openstack_message_queue_node03_hostname: msg03
     openstack_proxy_node01_hostname: prx01
     openstack_proxy_node02_hostname: prx02
+    openstack_dns_node01_hostname: dns01
+    openstack_dns_node02_hostname: dns02
+    openstack_barbican_node01_hostname: kmn01
+    openstack_barbican_node02_hostname: kmn02
+    openstack_barbican_node03_hostname: kmn03
     openstack_control_backend_image: ${_param:salt_control_xenial_image_backend}
     openstack_database_backend_image: ${_param:salt_control_xenial_image_backend}
     openstack_message_queue_backend_image: ${_param:salt_control_xenial_image_backend}
     openstack_proxy_backend_image: ${_param:salt_control_xenial_image_backend}
+    openstack_barbican_backend_image: ${_param:salt_control_xenial_image_backend}
+    openstack_dns_backend_image: ${_param:salt_control_xenial_image_backend}
     salt_control_cluster_node_cloud_init_openstack_control:
       user_data:
         write_files:
@@ -49,6 +56,20 @@
             ${salt:control:size:openstack.proxy:image_layout}
           owner: root:root
           path: /usr/share/growlvm/image-layout.yml
+    salt_control_cluster_node_cloud_init_openstack_dns:
+      user_data:
+        write_files:
+        - content: |
+            ${salt:control:size:openstack.dns:image_layout}
+          owner: root:root
+          path: /usr/share/growlvm/image-layout.yml
+    salt_control_cluster_node_cloud_init_openstack_barbican:
+      user_data:
+        write_files:
+        - content: |
+            ${salt:control:size:openstack.barbican:image_layout}
+          owner: root:root
+          path: /usr/share/growlvm/image-layout.yml
   salt:
     control:
       cluster:
@@ -100,34 +121,69 @@
               name: ${_param:openstack_message_queue_node01_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_message_queue_backend_image}
-              provider: ${_param:infra_kvm_node04_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node01_hostname}.${_param:cluster_domain}
               size: openstack.message_queue
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_message_queue}
             msg02:
               name: ${_param:openstack_message_queue_node02_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_message_queue_backend_image}
-              provider: ${_param:infra_kvm_node05_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node02_hostname}.${_param:cluster_domain}
               size: openstack.message_queue
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_message_queue}
             msg03:
               name: ${_param:openstack_message_queue_node03_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_message_queue_backend_image}
-              provider: ${_param:infra_kvm_node06_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node03_hostname}.${_param:cluster_domain}
               size: openstack.message_queue
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_message_queue}
             prx01:
               name: ${_param:openstack_proxy_node01_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_proxy_backend_image}
-              provider: ${_param:infra_kvm_node04_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node02_hostname}.${_param:cluster_domain}
               size: openstack.proxy
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_proxy}
             prx02:
               name: ${_param:openstack_proxy_node02_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_proxy_backend_image}
-              provider: ${_param:infra_kvm_node05_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node03_hostname}.${_param:cluster_domain}
               size: openstack.proxy
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_proxy}
+            dns01:
+              name: ${_param:openstack_dns_node01_hostname}
+              image: ${_param:salt_control_xenial_image}
+              backend: ${_param:openstack_dns_backend_image}
+              provider: ${_param:infra_kvm_node02_hostname}.${_param:cluster_domain}
+              size: openstack.dns
+              cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_dns}
+            dns02:
+              name: ${_param:openstack_dns_node02_hostname}
+              image: ${_param:salt_control_xenial_image}
+              backend: ${_param:openstack_dns_backend_image}
+              provider: ${_param:infra_kvm_node03_hostname}.${_param:cluster_domain}
+              size: openstack.dns
+              cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_dns}
+            kmn01:
+              name: ${_param:openstack_barbican_node01_hostname}
+              image: ${_param:salt_control_xenial_image}
+              backend: ${_param:openstack_barbican_backend_image}
+              provider: ${_param:infra_kvm_node01_hostname}.${_param:cluster_domain}
+              size: openstack.barbican
+              cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_barbican}
+            kmn02:
+              name: ${_param:openstack_barbican_node02_hostname}
+              image: ${_param:salt_control_xenial_image}
+              backend: ${_param:openstack_barbican_backend_image}
+              provider: ${_param:infra_kvm_node02_hostname}.${_param:cluster_domain}
+              size: openstack.barbican
+              cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_barbican}
+            kmn03:
+              name: ${_param:openstack_barbican_node03_hostname}
+              image: ${_param:salt_control_xenial_image}
+              backend: ${_param:openstack_barbican_backend_image}
+              provider: ${_param:infra_kvm_node03_hostname}.${_param:cluster_domain}
+              size: openstack.barbican
+              cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_barbican}
diff --git a/salt/control/placement/stacklight/medium.yml b/salt/control/placement/stacklight/medium.yml
index d8279c6..4bfd44c 100644
--- a/salt/control/placement/stacklight/medium.yml
+++ b/salt/control/placement/stacklight/medium.yml
@@ -1,8 +1,8 @@
 parameters:
   _param:
-    infra_kvm10_hostname: kvm10
-    infra_kvm11_hostname: kvm11
-    infra_kvm12_hostname: kvm12
+    infra_kvm04_hostname: kvm04
+    infra_kvm05_hostname: kvm05
+    infra_kvm06_hostname: kvm06
     stacklight_log_node01_hostname: log01
     stacklight_log_node02_hostname: log02
     stacklight_log_node03_hostname: log03
@@ -45,62 +45,62 @@
               name: ${_param:stacklight_telemetry_node01_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:stacklight_telemetry_backend_image}
-              provider: ${_param:infra_kvm_node10_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node04_hostname}.${_param:cluster_domain}
               size: stacklight.telemetry
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_stacklight_telemetry}
             mtr02:
               name: ${_param:stacklight_telemetry_node02_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:stacklight_telemetry_backend_image}
-              provider: ${_param:infra_kvm_node11_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node05_hostname}.${_param:cluster_domain}
               size: stacklight.telemetry
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_stacklight_telemetry}
             mtr03:
               name: ${_param:stacklight_telemetry_node03_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:stacklight_telemetry_backend_image}
-              provider: ${_param:infra_kvm_node12_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node06_hostname}.${_param:cluster_domain}
               size: stacklight.telemetry
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_stacklight_telemetry}
             log01:
               name: ${_param:stacklight_log_node01_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:stacklight_log_backend_image}
-              provider: ${_param:infra_kvm_node10_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node04_hostname}.${_param:cluster_domain}
               size: stacklight.log
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_stacklight_log}
             log02:
               name: ${_param:stacklight_log_node02_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:stacklight_log_backend_image}
-              provider: ${_param:infra_kvm_node11_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node05_hostname}.${_param:cluster_domain}
               size: stacklight.log
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_stacklight_log}
             log03:
               name: ${_param:stacklight_log_node03_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:stacklight_log_backend_image}
-              provider: ${_param:infra_kvm_node12_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node06_hostname}.${_param:cluster_domain}
               size: stacklight.log
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_stacklight_log}
             mon01:
               name: ${_param:stacklight_monitor_node01_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:stacklight_monitor_backend_image}
-              provider: ${_param:infra_kvm_node10_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node04_hostname}.${_param:cluster_domain}
               size: stacklight.server
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_stacklight_server}
             mon02:
               name: ${_param:stacklight_monitor_node02_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:stacklight_monitor_backend_image}
-              provider: ${_param:infra_kvm_node11_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node05_hostname}.${_param:cluster_domain}
               size: stacklight.server
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_stacklight_server}
             mon03:
               name: ${_param:stacklight_monitor_node03_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:stacklight_monitor_backend_image}
-              provider: ${_param:infra_kvm_node12_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node06_hostname}.${_param:cluster_domain}
               size: stacklight.server
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_stacklight_server}
diff --git a/salt/control/sizes/opencontrail/medium.yml b/salt/control/sizes/opencontrail/medium.yml
index 3690a11..94a002a 100644
--- a/salt/control/sizes/opencontrail/medium.yml
+++ b/salt/control/sizes/opencontrail/medium.yml
@@ -1,12 +1,12 @@
 parameters:
   _param:
-    salt_control_size_cpu_opencontrail_control: 8
-    salt_control_size_ram_opencontrail_control: 65536
+    salt_control_size_cpu_opencontrail_control: 12
+    salt_control_size_ram_opencontrail_control: 32768
     salt_control_size_disk_profile_opencontrail_control: large
     salt_control_size_net_profile_opencontrail_control: default
-    salt_control_size_cpu_opencontrail_analytics: 16
-    salt_control_size_ram_opencontrail_analytics: 98304
-    salt_control_size_disk_profile_opencontrail_analytics: xhuge
+    salt_control_size_cpu_opencontrail_analytics: 12
+    salt_control_size_ram_opencontrail_analytics: 49152
+    salt_control_size_disk_profile_opencontrail_analytics: huge
     salt_control_size_net_profile_opencontrail_analytics: default
   salt:
     control:
diff --git a/salt/control/sizes/openstack/medium.yml b/salt/control/sizes/openstack/medium.yml
index cadaa79..d8a89b5 100644
--- a/salt/control/sizes/openstack/medium.yml
+++ b/salt/control/sizes/openstack/medium.yml
@@ -14,7 +14,7 @@
     salt_control_size_net_profile_openstack_message_queue: default
     salt_control_size_cpu_openstack_proxy: 4
     salt_control_size_ram_openstack_proxy: 16384
-    salt_control_size_disk_profile_openstack_proxy: small
+    salt_control_size_disk_profile_openstack_proxy: xxlarge
     salt_control_size_net_profile_openstack_proxy: default
     salt_control_size_cpu_openstack_upgrade: 8
     salt_control_size_ram_openstack_upgrade: 16384
@@ -24,8 +24,8 @@
     salt_control_size_ram_openstack_share: 4096
     salt_control_size_disk_profile_openstack_share: large
     salt_control_size_net_profile_openstack_share: default
-    salt_control_size_cpu_openstack_dns: 4
-    salt_control_size_ram_openstack_dns: 6144
+    salt_control_size_cpu_openstack_dns: 2
+    salt_control_size_ram_openstack_dns: 4096
     salt_control_size_disk_profile_openstack_dns: small
     salt_control_size_net_profile_openstack_dns: default
     salt_control_size_cpu_openstack_telemetry: 8
@@ -33,8 +33,8 @@
     salt_control_size_disk_profile_openstack_telemetry: large
     salt_control_size_net_profile_openstack_telemetry: default
     salt_control_size_cpu_openstack_barbican: 4
-    salt_control_size_ram_openstack_barbican: 16384
-    salt_control_size_disk_profile_openstack_barbican: large
+    salt_control_size_ram_openstack_barbican: 8192
+    salt_control_size_disk_profile_openstack_barbican: small
     salt_control_size_net_profile_openstack_barbican: default
     salt_control_size_cpu_openstack_baremetal: 16
     salt_control_size_ram_openstack_baremetal: 16384
@@ -67,18 +67,6 @@
           disk_profile: ${_param:salt_control_size_disk_profile_openstack_proxy}
           net_profile: ${_param:salt_control_size_net_profile_openstack_proxy}
           image_layout: ${_param:salt_control_size_image_layout_openstack_proxy}
-        openstack.upgrade:
-          cpu: ${_param:salt_control_size_cpu_openstack_upgrade}
-          ram: ${_param:salt_control_size_ram_openstack_upgrade}
-          disk_profile: ${_param:salt_control_size_disk_profile_openstack_upgrade}
-          net_profile: ${_param:salt_control_size_net_profile_openstack_upgrade}
-          image_layout: ${_param:salt_control_size_image_layout_openstack_upgrade}
-        openstack.share:
-          cpu: ${_param:salt_control_size_cpu_openstack_share}
-          ram: ${_param:salt_control_size_ram_openstack_share}
-          disk_profile: ${_param:salt_control_size_disk_profile_openstack_share}
-          net_profile: ${_param:salt_control_size_net_profile_openstack_share}
-          image_layout: ${_param:salt_control_size_image_layout_openstack_share}
         openstack.dns:
           cpu: ${_param:salt_control_size_cpu_openstack_dns}
           ram: ${_param:salt_control_size_ram_openstack_dns}
@@ -97,9 +85,3 @@
           disk_profile: ${_param:salt_control_size_disk_profile_openstack_barbican}
           net_profile: ${_param:salt_control_size_net_profile_openstack_barbican}
           image_layout: ${_param:salt_control_size_image_layout_openstack_barbican}
-        openstack.baremetal:
-          cpu: ${_param:salt_control_size_cpu_openstack_baremetal}
-          ram: ${_param:salt_control_size_ram_openstack_baremetal}
-          disk_profile: ${_param:salt_control_size_disk_profile_openstack_baremetal}
-          net_profile: ${_param:salt_control_size_net_profile_openstack_baremetal}
-          image_layout: ${_param:salt_control_size_image_layout_openstack_baremetal}
diff --git a/salt/control/sizes/stacklight/medium.yml b/salt/control/sizes/stacklight/medium.yml
index 16a19e1..a1793d4 100644
--- a/salt/control/sizes/stacklight/medium.yml
+++ b/salt/control/sizes/stacklight/medium.yml
@@ -1,15 +1,15 @@
 parameters:
   _param:
     salt_control_size_cpu_stacklight_log: 16
-    salt_control_size_ram_stacklight_log: 49152
+    salt_control_size_ram_stacklight_log: 32768
     salt_control_size_disk_profile_stacklight_log: xxhuge
     salt_control_size_net_profile_stacklight_log: default
     salt_control_size_cpu_stacklight_server: 12
-    salt_control_size_ram_stacklight_server: 65536
-    salt_control_size_disk_profile_stacklight_server: xxlarge
+    salt_control_size_ram_stacklight_server: 49152
+    salt_control_size_disk_profile_stacklight_server: huge
     salt_control_size_net_profile_stacklight_server: default
     salt_control_size_cpu_stacklight_telemetry: 12
-    salt_control_size_ram_stacklight_telemetry: 98304
+    salt_control_size_ram_stacklight_telemetry: 49152
     salt_control_size_disk_profile_stacklight_telemetry: xhuge
     salt_control_size_net_profile_stacklight_telemetry: default
   salt:
diff --git a/salt/master/single.yml b/salt/master/single.yml
index 8d36565..a4f25d4 100644
--- a/salt/master/single.yml
+++ b/salt/master/single.yml
@@ -4,11 +4,12 @@
 parameters:
   linux:
     system:
-      sysctl:
-        net.core.rmem_max: 16777216
-        net.core.wmem_max: 16777216
-        net.ipv4.tcp_rmem: 4096 87380 16777216
-        net.ipv4.tcp_wmem: 4096 87380 16777216
+      kernel:
+        sysctl:
+          net.core.rmem_max: 16777216
+          net.core.wmem_max: 16777216
+          net.ipv4.tcp_rmem: 4096 87380 16777216
+          net.ipv4.tcp_wmem: 4096 87380 16777216
   salt:
     master:
       accept_policy: auto_accept
diff --git a/salt/minion/cert/proxy/drivetrain_ssl.yml b/salt/minion/cert/proxy/drivetrain_ssl.yml
index aecb5fb..5e7cf5f 100644
--- a/salt/minion/cert/proxy/drivetrain_ssl.yml
+++ b/salt/minion/cert/proxy/drivetrain_ssl.yml
@@ -2,7 +2,7 @@
   salt:
     minion:
       cert:
-        gerrit:
+        drivetrain:
           host: ${_param:salt_minion_ca_host}
           authority: ${_param:salt_minion_ca_authority}
           common_name: drivetrain
diff --git a/vnf_onboarding/common/init.yml b/vnf_onboarding/common/init.yml
index f988897..88ade04 100644
--- a/vnf_onboarding/common/init.yml
+++ b/vnf_onboarding/common/init.yml
@@ -1,7 +1,6 @@
 parameters:
   _param:
     mcp_docker_registry: 'docker-dev-local.docker.mirantis.net'
-    vnf_gerrit_credentials: "gerrit"
     vnf_openstack_api_url: "${_param:cluster_public_protocol}://${_param:cluster_public_host}:5000/v2.0"
     vnf_openstack_api_credentials: "test-openstack"
     vnf_openstack_api_admin_credentials: "admin-openstack"
diff --git a/vnf_onboarding/common/jenkins_job.yml b/vnf_onboarding/common/jenkins_job.yml
index b63aa34..a928d2f 100644
--- a/vnf_onboarding/common/jenkins_job.yml
+++ b/vnf_onboarding/common/jenkins_job.yml
@@ -12,7 +12,7 @@
           scm:
             type: git
             url: "${_param:jenkins_gerrit_url}/vnf-onboarding/pipelines"
-            credentials: "${_param:vnf_gerrit_credentials}"
+            credentials: "${_param:jenkins_gerrit_credentials}"
             script: deploy_cloudify.groovy
           param:
             OPENSTACK_API_URL:
@@ -33,7 +33,7 @@
               default: "master"
             NFV_PLATFORM_REPO_CREDENTIALS:
               type: string
-              default: "${_param:vnf_gerrit_credentials}"
+              default: "${_param:jenkins_gerrit_credentials}"
             CFM_IMAGE:
               type: string
               default: "cloudify-manager-4.3.1ga"
diff --git a/vnf_onboarding/common/mirrors.yml b/vnf_onboarding/common/mirrors.yml
index 83d11c0..c830d85 100644
--- a/vnf_onboarding/common/mirrors.yml
+++ b/vnf_onboarding/common/mirrors.yml
@@ -9,7 +9,9 @@
         downstream: vnf-onboarding/pipelines
         upstream: ${_param:gerrit_vnf_onboaring_pipelines_repo}
         branches: master
+        source_credentials: "${_param:vnf_onboaring_source_credentials}"
       - name: nfv-platform
         downstream: vnf-onboarding/nfv-platform
         upstream: ${_param:gerrit_vnf_onboaring_nfv_platform_repo}
-        branches: master
\ No newline at end of file
+        branches: master
+        source_credentials: "${_param:vnf_onboaring_source_credentials}"
\ No newline at end of file
diff --git a/vnf_onboarding/vnf/avi_loadbalancer/jenkins_template.yml b/vnf_onboarding/vnf/avi_loadbalancer/jenkins_template.yml
index 54d82fc..c4ad531 100644
--- a/vnf_onboarding/vnf/avi_loadbalancer/jenkins_template.yml
+++ b/vnf_onboarding/vnf/avi_loadbalancer/jenkins_template.yml
@@ -17,7 +17,7 @@
             scm:
               type: git
               url: "${_param:jenkins_gerrit_url}/vnf-onboarding/pipelines"
-              credentials: "${_param:vnf_gerrit_credentials}"
+              credentials: "${_param:jenkins_gerrit_credentials}"
               script: test_vnf_onboarding.groovy
             trigger:
               gerrit:
@@ -59,7 +59,7 @@
                 default: "test-avi"
               GERRIT_CREDENTIALS:
                 type: string
-                default: "${_param:vnf_gerrit_credentials}"
+                default: "${_param:jenkins_gerrit_credentials}"
               ELASTIC_URL:
                 type: string
                 default: "${_param:vnf_elastic_url}"
@@ -75,7 +75,7 @@
                 default: "master"
               NFV_PLATFORM_REPO_CREDENTIALS:
                 type: string
-                default: "${_param:vnf_gerrit_credentials}"
+                default: "${_param:jenkins_gerrit_credentials}"
               CONTRAIL_ENABLED:
                 type: boolean
                 default: false
diff --git a/vnf_onboarding/vnf/avi_loadbalancer/mirrors.yml b/vnf_onboarding/vnf/avi_loadbalancer/mirrors.yml
index c74bda3..0b47570 100644
--- a/vnf_onboarding/vnf/avi_loadbalancer/mirrors.yml
+++ b/vnf_onboarding/vnf/avi_loadbalancer/mirrors.yml
@@ -7,4 +7,5 @@
       - name: avi-loadbalancer
         downstream: vnf-onboarding/avi-loadbalancer
         upstream: ${_param:gerrit_vnf_onboaring_avi_repo}
-        branches: master
\ No newline at end of file
+        branches: master
+        source_credentials: "${_param:vnf_onboaring_source_credentials}"
\ No newline at end of file
diff --git a/vnf_onboarding/vnf/metaswitch_vsbc/jenkins_job.yml b/vnf_onboarding/vnf/metaswitch_vsbc/jenkins_job.yml
index e480d46..709ab38 100644
--- a/vnf_onboarding/vnf/metaswitch_vsbc/jenkins_job.yml
+++ b/vnf_onboarding/vnf/metaswitch_vsbc/jenkins_job.yml
@@ -14,7 +14,7 @@
             scm:
               type: git
               url: "${_param:jenkins_gerrit_url}/vnf-onboarding/pipelines"
-              credentials:  "${_param:vnf_gerrit_credentials}"
+              credentials: "${_param:jenkins_gerrit_credentials}"
               script: test_vnf_onboarding.groovy
             trigger:
               gerrit:
@@ -53,7 +53,7 @@
                 default: "test-metaswitch"
               GERRIT_CREDENTIALS:
                 type: string
-                default: "${_param:vnf_gerrit_credentials}"
+                default: "${_param:jenkins_gerrit_credentials}"
               ELASTIC_URL:
                 type: string
                 default: "${_param:vnf_elastic_url}"
@@ -70,7 +70,7 @@
                 default: "master"
               NFV_PLATFORM_REPO_CREDENTIALS:
                 type: string
-                default: "${_param:vnf_gerrit_credentials}"
+                default: "${_param:jenkins_gerrit_credentials}"
               CONTRAIL_ENABLED:
                 type: boolean
                 default: false
@@ -146,7 +146,7 @@
           scm:
             type: git
             url: "${_param:jenkins_gerrit_url}/vnf-onboarding/pipelines"
-            credentials: "${_param:vnf_gerrit_credentials}"
+            credentials: "${_param:jenkins_gerrit_credentials}"
             script: test_platform.groovy
           param:
             OPENSTACK_API_CREDENTIALS:
@@ -202,7 +202,7 @@
               default: "master"
             VNF_PLATFORM_TESTS_REPO_CREDENTIALS:
               type: string
-              default: "${_param:vnf_gerrit_credentials}"
+              default: "${_param:jenkins_gerrit_credentials}"
             TEMPEST_IMAGE_DOCKER_REGISTRY_PATH:
               type: string
               description: "Path for docker image with testing tool.  If empty, image will be build using VNF_PLATFORM_TESTS_* parameters."
@@ -221,7 +221,7 @@
               default: "${_param:jenkins_gerrit_url}/vnf-onboarding/nfv-platform"
             ELASTIC_TRANSFER_REPO_CREDENTIALS:
               type: string
-              default: "${_param:vnf_gerrit_credentials}"
+              default: "${_param:jenkins_gerrit_credentials}"
             ELASTIC_TRANSFER_REPO_BRANCH:
               type: string
               default: "master"
diff --git a/vnf_onboarding/vnf/metaswitch_vsbc/mirrors.yml b/vnf_onboarding/vnf/metaswitch_vsbc/mirrors.yml
index 0a0c300..f032fb4 100644
--- a/vnf_onboarding/vnf/metaswitch_vsbc/mirrors.yml
+++ b/vnf_onboarding/vnf/metaswitch_vsbc/mirrors.yml
@@ -9,7 +9,9 @@
         downstream: vnf-onboarding/metaswitch-vsbc
         upstream: ${_param:gerrit_vnf_onboaring_metaswitch_repo}
         branches: master
+        source_credentials: "${_param:vnf_onboaring_source_credentials}"
       - name: platform-tests
         downstream: vnf-onboarding/platform-tests
         upstream: ${_param:gerrit_vnf_onboaring_platform_tests_repo}
-        branches: master
\ No newline at end of file
+        branches: master
+        source_credentials: "${_param:vnf_onboaring_source_credentials}"
\ No newline at end of file
diff --git a/vnf_onboarding/vnf/mock_nginx/jenkins_template.yml b/vnf_onboarding/vnf/mock_nginx/jenkins_template.yml
index e2f4cbd..b72994e 100644
--- a/vnf_onboarding/vnf/mock_nginx/jenkins_template.yml
+++ b/vnf_onboarding/vnf/mock_nginx/jenkins_template.yml
@@ -18,7 +18,7 @@
             scm:
               type: git
               url: "${_param:jenkins_gerrit_url}/vnf-onboarding/pipelines"
-              credentials: "${_param:vnf_gerrit_credentials}"
+              credentials: "${_param:jenkins_gerrit_credentials}"
               script: test_vnf_onboarding.groovy
             trigger:
               gerrit:
@@ -60,7 +60,7 @@
                 default: "test-nginx"
               GERRIT_CREDENTIALS:
                 type: string
-                default: "${_param:vnf_gerrit_credentials}"
+                default: "${_param:jenkins_gerrit_credentials}"
               ELASTIC_URL:
                 type: string
                 default: "${_param:vnf_elastic_url}"
@@ -77,7 +77,7 @@
                 default: "master"
               NFV_PLATFORM_REPO_CREDENTIALS:
                 type: string
-                default: "${_param:vnf_gerrit_credentials}"
+                default: "${_param:jenkins_gerrit_credentials}"
               CONTRAIL_ENABLED:
                 type: boolean
                 default: false
diff --git a/vnf_onboarding/vnf/mock_nginx/mirrors.yml b/vnf_onboarding/vnf/mock_nginx/mirrors.yml
index 6aff50c..76ca94c 100644
--- a/vnf_onboarding/vnf/mock_nginx/mirrors.yml
+++ b/vnf_onboarding/vnf/mock_nginx/mirrors.yml
@@ -7,4 +7,5 @@
       - name: nginx-vnf
         downstream: vnf-onboarding/nginx-vnf
         upstream: ${_param:gerrit_vnf_onboaring_nginx_repo}
-        branches: master
\ No newline at end of file
+        branches: master
+        source_credentials: "${_param:vnf_onboaring_source_credentials}"
\ No newline at end of file