Merge the tip of origin/release/proposed/2019.2.0 into origin/release/2019.2.0

610a2b9 Fixed Ironic transport_url set to rabbitmq VIP
f7e4708 Fix triggers for backup jobs
7955be5 Add missing default for xtrabackup incr_before_full
31c886b Add ASK_CONFIRMATION button for backupninja backup job
6b18957 Add PostgreSQL dir with socket to Docker container as a volume
517717f Disable backupninja client log output color by default
cc8d990 Add galera_database_backup to list of deploy jobs
c351af5 Add `max java.util.Collection` to jenkins approved scripts
d415963 [CVP] Several fixes for cvp job descriptions
1ef352c additional description for Ceph upgrade job
7069d15 Adding cron param for xtrabackup
d38e9be add galera_database_backup job
de93358 remove xtrabackup_remote_host from default
8591ade Set ssl cert for git in jenkins
b922501 [CVP] Add all cvp images to reclass
bc21ee8 Bump image versions
346fc6f [CVP] Unhardcode ci-tempest image in cvp-tempest
e57c204 Include sysstat package on xtrabackup nodes by default
c58fe54 Update ceph job: remove of unused param Related-Prod: #PROD-30065 (PROD:30065) Related-Prod: #PROD-29949 (PROD:29949)
365cb0c Add RESTORE_TYPE parameter to galera restoration pipeline
82bc440 Add ssl suport for opencontrail api service
62f8fd4 Add gerrit download.scheme and download.command default values
87007b1 Fix galera upgrade template
89f1441 Switch to 5m intervals for OpenstackAPI downtime reporting
a76b3ae Enable telegraf internal plugin everywhere
c200cd9 Remove extra quotes on cvp-spt job parameter
5e123c9 Add the pm-team group for ssh add member files for someara and gmani
b13e86c Bump OpenContrail docker images to 2019.2.5
ab72c27 Decrease Pushgateway replicas number
b845ada Add haproxy Heat API timeouts and set it '2m'.
15c751d Add octavia keystone and mysql random usernames
b378147 Switch phpldapadmin auth to LDAPS
3934972 OpenStack cluster size contrail
870e2dd Fix sysctl for salt-master optimization
bfd6403 Explicitly set by default javax.net.ssl.trustStore for Jenkins/Gerrit
5d5a1ca Mount ca-certificates.crt to opencontrail containers
682efeb Fix default vm images
b745fe3 Adjust backend protocol for gerrit and jenkins in nginx
5add892 Add galera-cluster-upgrade job template
8458f97 Mount java certs to Gerrit container
0e219a1 Enable TLS for OpenLDAP
5fb4bcc Update gerrit credentials value in vnf jobs
f3c493d Add ability to specify source credentials if required
667759c Update docker gerrit image (new log option added)
7012f6e Add support for ssh jenkins slaves
796a9ef Bump cvp-sanity-checks:2019.2.5 docker image
5c99f3d Add galera system level upgrade metadata
5f58dd7 Generate random keystone users
f4452ee Add haproxy to list of applications
e66f7d7 `cert_client` minion `signing_policy` list for VNC CA cert is un-hardcoded
5bb60dc Added `ceilometer_service_status` soft-param field
4cf87b9 Add to jenkins gerrit credentials with password
937868b Remove old deploy-update-{{name}} jenkins job template
5f09bf4 add job for backupninja restore
e5c0d6e Add job for backupninja backup
78e534e Add default params for backup
89c7e7a add getAt regex.Matcher to approved_scripts
0dc307b Disable auto trigger for backupninja
679709c Add postgresql to list of docker images to pull
74ffe1f Switch Jenkins DT on TLS/HTTPS scheme
39e0e7e Switch gerrit on TLS/HTTPS scheme
f5f1f36 Add os-ctl-vip address to ctl nodes
70348a9 Deny anonymous access to gerrit repos
9c30182 Gerrit request_log config option added

Change-Id: Idade260f1f13485eaac98ff30d2bbf3e8be735bb
diff --git a/aodh/server/cluster.yml b/aodh/server/cluster.yml
index c458c2c..53ec417 100644
--- a/aodh/server/cluster.yml
+++ b/aodh/server/cluster.yml
@@ -33,7 +33,7 @@
         host: ${_param:openstack_database_address}
         port: 3306
         name: aodh
-        user: aodh
+        user: ${_param:mysql_aodh_username}
         password: ${_param:mysql_aodh_password}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
@@ -50,7 +50,7 @@
         host: ${_param:keystone_service_host}
         port: 35357
         tenant: service
-        user: aodh
+        user: ${_param:keystone_aodh_username}
         password: ${_param:keystone_aodh_password}
         region: ${_param:openstack_region}
         protocol: ${_param:cluster_internal_protocol}
diff --git a/backupninja/client/single.yml b/backupninja/client/single.yml
index 6eecc33..62279fe 100644
--- a/backupninja/client/single.yml
+++ b/backupninja/client/single.yml
@@ -1,2 +1,12 @@
 classes:
 - service.backupninja.client.single
+parameters:
+  backupninja:
+    client:
+      extra_params:
+        PGSQLDUMP: /usr/lib/postgresql/${_param:postgresql_major_version}/bin/pg_dump
+      scheduling:
+        when:
+          - manual
+      log:
+        color: ${_param:backupninja_color_log}
diff --git a/barbican/server/cluster.yml b/barbican/server/cluster.yml
index 7b98c83..110ff29 100644
--- a/barbican/server/cluster.yml
+++ b/barbican/server/cluster.yml
@@ -8,8 +8,12 @@
     server:
       role: ${_param:openstack_node_role}
       identity:
+        user: ${_param:keystone_barbican_username}
+        password: ${_param:keystone_barbican_password}
         protocol: ${_param:cluster_internal_protocol}
       database:
+        user: ${_param:mysql_barbican_username}
+        password: ${_param:mysql_barbican_password}
         host: ${_param:openstack_database_address}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
diff --git a/barbican/server/single.yml b/barbican/server/single.yml
index c1ef15e..1ee95f7 100644
--- a/barbican/server/single.yml
+++ b/barbican/server/single.yml
@@ -9,6 +9,8 @@
   barbican:
     server:
       database:
+        user: ${_param:mysql_barbican_username}
+        password: ${_param:mysql_barbican_password}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
           ca_file: ${_param:mysql_barbican_ssl_ca_file}
@@ -18,6 +20,8 @@
           enabled: ${_param:galera_ssl_enabled}
       role: ${_param:openstack_node_role}
       identity:
+        user: ${_param:keystone_barbican_username}
+        password: ${_param:keystone_barbican_password}
         protocol: ${_param:internal_protocol}
       message_queue:
         port: ${_param:openstack_rabbitmq_port}
diff --git a/ceilometer/agent/cluster.yml b/ceilometer/agent/cluster.yml
index 6bb4e71..c24adf7 100644
--- a/ceilometer/agent/cluster.yml
+++ b/ceilometer/agent/cluster.yml
@@ -17,7 +17,7 @@
         host: ${_param:keystone_service_host}
         port: 35357
         tenant: service
-        user: ceilometer
+        user: ${_param:keystone_ceilometer_username}
         password: ${_param:keystone_ceilometer_password}
         region: ${_param:openstack_region}
         protocol: ${_param:cluster_internal_protocol}
diff --git a/ceilometer/agent/single.yml b/ceilometer/agent/single.yml
index 037bb4e..0bf079f 100644
--- a/ceilometer/agent/single.yml
+++ b/ceilometer/agent/single.yml
@@ -9,6 +9,8 @@
         ssl:
           enabled: ${_param:ceilometer_agent_ssl_enabled}
       identity:
+        user: ${_param:keystone_ceilometer_username}
+        password: ${_param:keystone_ceilometer_password}
         protocol: ${_param:internal_protocol}
       message_queue:
         port: ${_param:openstack_rabbitmq_port}
diff --git a/ceilometer/agent/telemetry/cluster.yml b/ceilometer/agent/telemetry/cluster.yml
index 26f9a68..8f9c996 100644
--- a/ceilometer/agent/telemetry/cluster.yml
+++ b/ceilometer/agent/telemetry/cluster.yml
@@ -17,7 +17,7 @@
         host: ${_param:keystone_service_host}
         port: 35357
         tenant: service
-        user: ceilometer
+        user: ${_param:keystone_ceilometer_username}
         password: ${_param:keystone_ceilometer_password}
         region: ${_param:openstack_region}
         protocol: ${_param:cluster_internal_protocol}
diff --git a/ceilometer/server/cluster.yml b/ceilometer/server/cluster.yml
index 0704a2b..485eda2 100644
--- a/ceilometer/server/cluster.yml
+++ b/ceilometer/server/cluster.yml
@@ -29,7 +29,7 @@
         host: ${_param:openstack_control_address}
         port: 35357
         tenant: service
-        user: ceilometer
+        user: ${_param:keystone_ceilometer_username}
         password: ${_param:keystone_ceilometer_password}
         region: ${_param:openstack_region}
         protocol: ${_param:cluster_internal_protocol}
diff --git a/ceilometer/server/telemetry/cluster.yml b/ceilometer/server/telemetry/cluster.yml
index c7d2686..9ee78ef 100644
--- a/ceilometer/server/telemetry/cluster.yml
+++ b/ceilometer/server/telemetry/cluster.yml
@@ -25,7 +25,7 @@
         host: ${_param:openstack_control_address}
         port: 35357
         tenant: service
-        user: ceilometer
+        user: ${_param:keystone_ceilometer_username}
         password: ${_param:keystone_ceilometer_password}
         region: ${_param:openstack_region}
         protocol: ${_param:cluster_internal_protocol}
diff --git a/cinder/control/cluster.yml b/cinder/control/cluster.yml
index 8aa97c4..cf5b84b 100644
--- a/cinder/control/cluster.yml
+++ b/cinder/control/cluster.yml
@@ -36,7 +36,7 @@
         host: ${_param:openstack_database_address}
         port: 3306
         name: cinder
-        user: cinder
+        user: ${_param:mysql_cinder_username}
         password: ${_param:mysql_cinder_password}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
@@ -51,7 +51,7 @@
         host: ${_param:cluster_vip_address}
         port: 35357
         tenant: service
-        user: cinder
+        user: ${_param:keystone_cinder_username}
         password: ${_param:keystone_cinder_password}
         protocol: ${_param:cluster_internal_protocol}
       glance:
diff --git a/cinder/control/single.yml b/cinder/control/single.yml
index bae7bfc..3ab34e2 100644
--- a/cinder/control/single.yml
+++ b/cinder/control/single.yml
@@ -22,6 +22,8 @@
       # set 'image_conversion_dir' option in case of ceph deployment volume and controller running on the same node
       image_conversion_dir: ${_param:cinder_image_conversion_dir_path}
       database:
+        user: ${_param:mysql_cinder_username}
+        password: ${_param:mysql_cinder_password}
         host: ${_param:single_address}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
@@ -31,6 +33,8 @@
         ssl:
           enabled: ${_param:galera_ssl_enabled}
       identity:
+        user: ${_param:keystone_cinder_username}
+        password: ${_param:keystone_cinder_password}
         protocol: ${_param:internal_protocol}
         region: ${_param:openstack_region}
       barbican:
diff --git a/cinder/volume/local.yml b/cinder/volume/local.yml
index cd07d4d..000de98 100644
--- a/cinder/volume/local.yml
+++ b/cinder/volume/local.yml
@@ -9,6 +9,8 @@
       enabled: True
       image_conversion_dir: ${_param:cinder_image_conversion_dir_path}
       database:
+        user: ${_param:mysql_cinder_username}
+        password: ${_param:mysql_cinder_password}
         host: ${_param:single_address}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
@@ -32,6 +34,8 @@
         ssl:
           enabled: ${_param:rabbitmq_ssl_enabled}
       identity:
+        user: ${_param:keystone_cinder_username}
+        password: ${_param:keystone_cinder_password}
         host: ${_param:single_address}
         region: ${_param:openstack_region}
       cache:
diff --git a/cinder/volume/single.yml b/cinder/volume/single.yml
index 34f5744..8c62889 100644
--- a/cinder/volume/single.yml
+++ b/cinder/volume/single.yml
@@ -15,6 +15,8 @@
       enabled: True
       image_conversion_dir: ${_param:cinder_image_conversion_dir_path}
       database:
+        user: ${_param:mysql_cinder_username}
+        password: ${_param:mysql_cinder_password}
         host: ${_param:openstack_database_address}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
@@ -42,6 +44,8 @@
         ssl:
           enabled: ${_param:rabbitmq_ssl_enabled}
       identity:
+        user: ${_param:keystone_cinder_username}
+        password: ${_param:keystone_cinder_password}
         host: ${_param:openstack_control_address}
         protocol: ${_param:cluster_internal_protocol}
         region: ${_param:openstack_region}
diff --git a/defaults/backup.yml b/defaults/backup.yml
new file mode 100644
index 0000000..66e5173
--- /dev/null
+++ b/defaults/backup.yml
@@ -0,0 +1,7 @@
+parameters:
+  _param:
+    backup_min: "0"
+    backup_hour: "*/12"
+    backup_day_of_month: "*"
+    backup_month: "*"
+    backup_day_of_week: "*"
diff --git a/defaults/backupninja.yml b/defaults/backupninja.yml
index f827173..71e00bf 100644
--- a/defaults/backupninja.yml
+++ b/defaults/backupninja.yml
@@ -3,3 +3,4 @@
     backupninja_engine: rsync
     backupninja_backup_host: 127.0.0.1
     backupninja_public_key: no-key-provided
+    backupninja_color_log: false
diff --git a/defaults/docker_images.yml b/defaults/docker_images.yml
index a4f7fc2..909ef05 100644
--- a/defaults/docker_images.yml
+++ b/defaults/docker_images.yml
@@ -11,19 +11,21 @@
     docker_image_mongodb: "${_param:mcp_docker_registry}/mirantis/external/library/mongo:${_param:mcp_version}"
     ###
     # phpldapadmin:0.6.12
-    docker_image_phpldapadmin: "${_param:mcp_docker_registry}/mirantis/cicd/phpldapadmin:${_param:mcp_version}"
+    docker_image_phpldapadmin: "${_param:mcp_docker_registry}/mirantis/cicd/phpldapadmin:2019.2.5"
     # gerrit:2.13.6
-    docker_image_gerrit: "${_param:mcp_docker_registry}/mirantis/cicd/gerrit:${_param:mcp_version}"
+    docker_image_gerrit: "${_param:mcp_docker_registry}/mirantis/cicd/gerrit:2019.2.5"
     # mysql:5.6
     docker_image_mysql: "${_param:mcp_docker_registry}/mirantis/cicd/mysql:${_param:mcp_version}"
     # jenkins:2.150.3
-    docker_image_jenkins: "${_param:mcp_docker_registry}/mirantis/cicd/jenkins:2019.2.3"
-    docker_image_jenkins_slave: "${_param:mcp_docker_registry}/mirantis/cicd/jnlp-slave:${_param:mcp_version}"
+    docker_image_jenkins: "${_param:mcp_docker_registry}/mirantis/cicd/jenkins:2019.2.5"
+    docker_image_jenkins_jnlp_slave: "${_param:mcp_docker_registry}/mirantis/cicd/jnlp-slave:${_param:mcp_version}"
+    # TODO: fix tag
+    docker_image_jenkins_ssh_slave: "${_param:mcp_docker_registry}/mirantis/cicd/ssh-slave:2019.2.5"
     # model-generator
     docker_image_operations_api: "${_param:mcp_docker_registry}/mirantis/model-generator/operations-api:${_param:mcp_version}"
     docker_image_operations_ui: "${_param:mcp_docker_registry}/mirantis/model-generator/operations-ui:${_param:mcp_version}"
     # OpenContrail
-    opencontrail_docker_image_tag: "2019.2.4"
+    opencontrail_docker_image_tag: "2019.2.5"
     # stacklight
     # 6.5.0 version, from 11/29/2018, differ from latest upstream 6.5.0 - update next cycle
     docker_image_alerta: "${_param:mcp_docker_registry}/mirantis/external/alerta-web:${_param:mcp_version}"
@@ -33,9 +35,9 @@
     docker_image_prometheus: "${_param:mcp_docker_registry}/openstack-docker/prometheus:${_param:mcp_version}"
     docker_image_prometheus_gainsight: "${_param:mcp_docker_registry}/openstack-docker/gainsight:2019.2.4"
     docker_image_prometheus_gainsight_elasticsearch: "${_param:mcp_docker_registry}/openstack-docker/gainsight_elasticsearch:${_param:mcp_version}"
-    docker_image_prometheus_relay: "${_param:mcp_docker_registry}/openstack-docker/prometheus_relay:${_param:mcp_version}"
+    docker_image_prometheus_relay: "${_param:mcp_docker_registry}/openstack-docker/prometheus-relay:2019.2.5"
     docker_image_pushgateway: "${_param:mcp_docker_registry}/openstack-docker/pushgateway:${_param:mcp_version}"
-    docker_image_remote_agent: "${_param:mcp_docker_registry}/openstack-docker/telegraf:2019.2.4"
+    docker_image_remote_agent: "${_param:mcp_docker_registry}/openstack-docker/telegraf:2019.2.5"
     docker_image_remote_collector: "${_param:mcp_docker_registry}/openstack-docker/heka:${_param:mcp_version}"
     docker_image_remote_storage_adapter: "${_param:mcp_docker_registry}/openstack-docker/remote_storage_adapter:${_param:mcp_version}"
     docker_image_sf_notifier: "${_param:mcp_docker_registry}/openstack-docker/sf_notifier:2019.2.4"
@@ -45,8 +47,11 @@
     docker_image_keycloak_server: "${_param:mcp_docker_registry}/mirantis/external/jboss/keycloak:4.5.0.Final"
     docker_image_keycloak_proxy: "${_param:mcp_docker_registry}/mirantis/external/jboss/keycloak:3.4.2.Final"
     # CVP
-    docker_image_cvp_sanity_checks: ${_param:mcp_docker_registry}/mirantis/cvp/cvp-sanity-checks:2019.2.4
+    docker_image_cvp_sanity_checks: ${_param:mcp_docker_registry}/mirantis/cvp/cvp-sanity-checks:2019.2.5
+    docker_image_cvp_tempest: "${_param:mcp_docker_registry}/mirantis/cicd/ci-tempest:${_param:openstack_version}"
     docker_image_cvp_shaker_checks: ${_param:mcp_docker_registry}/mirantis/cvp/cvp-shaker:2019.2.3
+    docker_image_cvp_rally: ${_param:mcp_docker_registry}/mirantis/cvp/cvp-rally:2019.2.5
+    docker_image_cvp_xrally: xrally/xrally-openstack:0.11.2
     # aptly
     docker_image_aptly:
       base: "${_param:mcp_docker_registry}/mirantis/cicd/aptly:${_param:mcp_version}"
diff --git a/defaults/gerrit/init.yml b/defaults/gerrit/init.yml
index b2c59e0..2fd1bd7 100644
--- a/defaults/gerrit/init.yml
+++ b/defaults/gerrit/init.yml
@@ -3,4 +3,13 @@
     gerrit_pipeline_library_repo: https://github.com/Mirantis/pipeline-library
     gerrit_mk_pipelines_repo: https://github.com/Mirantis/mk-pipelines
     gerrit_mcp_common_scripts_repo: https://github.com/Mirantis/mcp-common-scripts
+    gerrit_config_download_command:
+      - checkout
+      - cherry-pick
+      - pull
+      - format_patch
+    gerrit_config_download_scheme:
+      - http
+      - ssh
+      - anon_http
 
diff --git a/defaults/haproxy/init.yml b/defaults/haproxy/init.yml
index 499e085..83147ea 100644
--- a/defaults/haproxy/init.yml
+++ b/defaults/haproxy/init.yml
@@ -1,2 +1,3 @@
 classes:
 - system.defaults.haproxy.elasticsearch
+- system.defaults.haproxy.opencontrail
diff --git a/defaults/haproxy/opencontrail.yml b/defaults/haproxy/opencontrail.yml
new file mode 100644
index 0000000..ee0756e
--- /dev/null
+++ b/defaults/haproxy/opencontrail.yml
@@ -0,0 +1,3 @@
+parameters:
+  _param:
+    haproxy_opencontrail_api_check_params: check inter 2000 rise 2 fall 3
diff --git a/defaults/init.yml b/defaults/init.yml
index c90c404..b7995d8 100644
--- a/defaults/init.yml
+++ b/defaults/init.yml
@@ -13,6 +13,7 @@
 - system.defaults.glusterfs
 - system.defaults.nginx
 - system.defaults.jenkins
+- system.defaults.postgresql
 - system.defaults.maas
 - system.defaults.opencontrail
 - system.defaults.openstack
@@ -26,6 +27,7 @@
 - system.defaults.secrets
 - system.defaults.stacklight
 - system.defaults.xtrabackup
+- system.defaults.backup
 - system.defaults.haproxy
 parameters:
   _param:
diff --git a/defaults/jenkins.yml b/defaults/jenkins.yml
index d01bf4e..68d843d 100644
--- a/defaults/jenkins.yml
+++ b/defaults/jenkins.yml
@@ -1,6 +1,6 @@
 parameters:
   _param:
     jenkins_master_port: 8081
-    jenkins_master_protocol: http
+    jenkins_master_protocol: https
     jenkins_pipelines_branch: "master"
     jenkins_salt_api_url: "https://${_param:salt_master_host}:${_param:nginx_proxy_salt_api_site_port}"
diff --git a/defaults/opencontrail/init.yml b/defaults/opencontrail/init.yml
index 24cd68e..1b0bf54 100644
--- a/defaults/opencontrail/init.yml
+++ b/defaults/opencontrail/init.yml
@@ -4,3 +4,9 @@
     opencontrail_identity_port: 35357
     opencontrail_identity_version: '2.0'
     opencontrail_admin_user: 'contrail'
+    opencontrail_api_protocol: http
+    opencontrail_api_ssl_enabled: False
+    opencontrail_api_certfile: /etc/contrail/ssl/opencontrail_api.crt
+    opencontrail_api_keyfile: /etc/contrail/ssl/opencontrail_api.key
+    opencontrail_api_cafile: /etc/contrail/ssl/ca-opencontrail_api.pem
+    opencontrail_api_all_pemfile: /etc/ssl/certs/opencontrail_api_with_chain.pem
diff --git a/defaults/openstack/init.yml b/defaults/openstack/init.yml
index cc62919..19b3fe8 100644
--- a/defaults/openstack/init.yml
+++ b/defaults/openstack/init.yml
@@ -26,6 +26,8 @@
     openstack_rabbitmq_x509_enabled: False
     # RabbitMQ
     rabbitmq_upgrade_enabled: ${_param:openstack_upgrade_enabled}
+    # Galera
+    galera_upgrade_enabled: ${_param:openstack_upgrade_enabled}
     # Openstack memcache
     openstack_memcached_server_bind_address: 0.0.0.0
     openstack_memcache_security_enabled: False
@@ -41,6 +43,8 @@
       ignore_lockout_failure_attempts: True
       lock_password: False
     # Cinder
+    mysql_cinder_username: cinder
+    keystone_cinder_username: cinder
     cinder_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
     cinder_memcache_secret_key: ''
     cinder_old_version: ${_param:openstack_old_version}
@@ -49,6 +53,8 @@
     cinder_service_user_enabled: ${_param:openstack_service_user_enabled}
     cinder_image_conversion_dir_path: /var/tmp/cinder/conversion
     # Nova
+    mysql_nova_username: nova
+    keystone_nova_username: nova
     nova_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
     nova_memcache_secret_key: ''
     nova_old_version: ${_param:openstack_old_version}
@@ -56,6 +62,8 @@
     nova_upgrade_enabled: ${_param:openstack_upgrade_enabled}
     nova_service_user_enabled: ${_param:openstack_service_user_enabled}
     # Glance
+    mysql_glance_username: glance
+    keystone_glance_username: glance
     glance_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
     glance_memcache_secret_key: ''
     glance_old_version: ${_param:openstack_old_version}
@@ -64,12 +72,16 @@
     # Allow CORS from horizon, needed for direct upload
     glance_cors_allowed_origin: '${_param:horizon_public_protocol}://${_param:horizon_public_host}'
     # Heat
+    mysql_heat_username: heat
+    keystone_heat_username: heat
     heat_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
     heat_memcache_secret_key: ''
     heat_old_version: ${_param:openstack_old_version}
     heat_version: ${_param:openstack_version}
     heat_upgrade_enabled: ${_param:openstack_upgrade_enabled}
     # Aodh
+    mysql_aodh_username: aodh
+    keystone_aodh_username: aodh
     aodh_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
     aodh_memcache_secret_key: ''
     aodh_old_version: ${_param:openstack_old_version}
@@ -78,12 +90,22 @@
     aodh_redis_db: ${_param:openstack_telemetry_redis_db}
     aodh_redis_sentinel_mastername: ${_param:openstack_telemetry_redis_sentinel_mastername}
     # Ceilometer
+    mysql_ceilometer_username: ceilometer
+    keystone_ceilometer_username: ceilometer
     ceilometer_old_version: ${_param:openstack_old_version}
     ceilometer_version: ${_param:openstack_version}
     ceilometer_upgrade_enabled: ${_param:openstack_upgrade_enabled}
     ceilometer_redis_db: ${_param:openstack_telemetry_redis_db}
     ceilometer_redis_sentinel_mastername: ${_param:openstack_telemetry_redis_sentinel_mastername}
+    # Congress
+    keystone_congress_username: congress
+    # Grafana
+    mysql_grafana_username: grafana
+    # Graphite
+    mysql_graphite_username: graphite
     # Gnocchi
+    mysql_gnocchi_username: gnocchi
+    keystone_gnocchi_username: gnocchi
     gnocchi_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
     gnocchi_memcache_secret_key: ''
     gnocchi_version: 4.0
@@ -92,25 +114,36 @@
     gnocchi_redis_db: ${_param:openstack_telemetry_redis_db}
     gnocchi_redis_sentinel_mastername: ${_param:openstack_telemetry_redis_sentinel_mastername}
     # Panko
+    mysql_panko_username: panko
+    keystone_panko_username: panko
     panko_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
     panko_memcache_secret_key: ''
     panko_old_version: ${_param:openstack_old_version}
     panko_version: ${_param:openstack_version}
     panko_upgrade_enabled: ${_param:openstack_upgrade_enabled}
     # Barbican
+    mysql_barbican_username: barbican
+    keystone_barbican_username: barbican
     barbican_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
     barbican_memcache_secret_key: ''
     barbican_old_version: ${_param:openstack_old_version}
     barbican_version: ${_param:openstack_version}
     barbican_upgrade_enabled: ${_param:openstack_upgrade_enabled}
+    # Billometer
+    keystone_billometer_username: billometer
     # Designate
+    mysql_designate_username: designate
+    keystone_designate_username: designate
     designate_old_version: ${_param:openstack_old_version}
     designate_version: ${_param:openstack_version}
     designate_upgrade_enabled: ${_param:openstack_upgrade_enabled}
     # Ironic
+    mysql_ironic_username: ironic
+    keystone_ironic_username: ironic
     ironic_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
     ironic_memcache_secret_key: ''
     # Keystone
+    mysql_keystone_username: keystone
     keystone_old_version: ${_param:openstack_old_version}
     keystone_version: ${_param:openstack_version}
     keystone_upgrade_enabled: ${_param:openstack_upgrade_enabled}
@@ -133,10 +166,17 @@
     keystone_fernet_rotate_rsync_minute: 0
     keystone_fernet_rotate_rsync_hour: '*'
     # Manila
+    mysql_manila_username: manila
+    keystone_manila_username: manila
     manila_old_version: ${_param:openstack_old_version}
     manila_version: ${_param:openstack_version}
     manila_upgrade_enabled: ${_param:openstack_upgrade_enabled}
+    # Murano
+    mysql_murano_username: murano
+    keystone_murano_username: murano
     # Neutron
+    mysql_neutron_username: neutron
+    keystone_neutron_username: neutron
     neutron_old_version: ${_param:openstack_old_version}
     neutron_version: ${_param:openstack_version}
     neutron_upgrade_enabled: ${_param:openstack_upgrade_enabled}
@@ -187,12 +227,22 @@
     horizon_version: ${_param:openstack_version}
     horizon_upgrade_enabled: ${_param:openstack_upgrade_enabled}
     # Octavia
+    mysql_octavia_username: octavia
+    keystone_octavia_username: octavia
     octavia_health_manager_node01_address: 192.168.10.10
     octavia_health_manager_node02_address: 192.168.10.11
     octavia_health_manager_node03_address: 192.168.10.12
     #
     amphora_image_name: amphora-x64-haproxy
     amphora_image_url: "${_param:mcp_binary_registry}/mirantis/openstack/octavia/images/${_param:mcp_version}/${_param:openstack_version}/amphora-x64-haproxy.qcow2"
+    # Sahara
+    mysql_sahara_username: sahara
+    keystone_sahara_username: sahara
+    # Swift
+    keystone_swift_username: swift
+    # Tacker
+    mysql_tacker_username: tacker
+    keystone_tacker_username: tacker
     # HAproxy
     haproxy_openstack_web_bind_port: ${_param:horizon_public_port}
     #
diff --git a/defaults/postgresql/init.yml b/defaults/postgresql/init.yml
new file mode 100644
index 0000000..7ee5704
--- /dev/null
+++ b/defaults/postgresql/init.yml
@@ -0,0 +1,4 @@
+parameters:
+  _param:
+    postgresql_major_version: '9.6'
+
diff --git a/defaults/xtrabackup.yml b/defaults/xtrabackup.yml
index e2bf995..1485026 100644
--- a/defaults/xtrabackup.yml
+++ b/defaults/xtrabackup.yml
@@ -3,4 +3,4 @@
     xtrabackup_qpress_source: pkg
     xtrabackup_qpress_source_name: qpress
     xtrabackup_public_key: no-key-provided
-    xtrabackup_remote_server: cfg01
+    xtrabackup_client_incr_before_full: 3
\ No newline at end of file
diff --git a/designate/server/cluster/default.yml b/designate/server/cluster/default.yml
index a7d6bb2..cd0bc1d 100644
--- a/designate/server/cluster/default.yml
+++ b/designate/server/cluster/default.yml
@@ -36,7 +36,7 @@
         name:
           main_database: designate
           pool_manager: designate_pool_manager
-        user: designate
+        user: ${_param:mysql_designate_username}
         password: ${_param:mysql_designate_password}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
@@ -50,7 +50,7 @@
         host: ${_param:openstack_control_address}
         port: 35357
         tenant: service
-        user: designate
+        user: ${_param:keystone_designate_username}
         password: ${_param:keystone_designate_password}
         protocol: ${_param:cluster_internal_protocol}
       bind:
diff --git a/designate/server/cluster/simple.yml b/designate/server/cluster/simple.yml
index ecf34c1..55998d5 100644
--- a/designate/server/cluster/simple.yml
+++ b/designate/server/cluster/simple.yml
@@ -33,7 +33,7 @@
         name:
           main_database: designate
           pool_manager: designate_pool_manager
-        user: designate
+        user: ${_param:mysql_designate_username}
         password: ${_param:mysql_designate_password}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
@@ -47,7 +47,7 @@
         host: ${_param:openstack_control_address}
         port: 35357
         tenant: service
-        user: designate
+        user: ${_param:keystone_designate_username}
         password: ${_param:keystone_designate_password}
         protocol: ${_param:cluster_internal_protocol}
       bind:
diff --git a/designate/server/single.yml b/designate/server/single.yml
index f054b0c..8f07ffb 100644
--- a/designate/server/single.yml
+++ b/designate/server/single.yml
@@ -34,7 +34,7 @@
         name:
           main_database: designate
           pool_manager: designate_pool_manager
-        user: designate
+        user: ${_param:mysql_designate_username}
         password: ${_param:mysql_designate_password}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
@@ -48,7 +48,7 @@
         host: ${_param:single_address}
         port: 35357
         tenant: service
-        user: designate
+        user: ${_param:keystone_designate_username}
         password: ${_param:keystone_designate_password}
         protocol: ${_param:internal_protocol}
       message_queue:
diff --git a/docker/client/images/cicd.yml b/docker/client/images/cicd.yml
index 895bde3..003b131 100644
--- a/docker/client/images/cicd.yml
+++ b/docker/client/images/cicd.yml
@@ -1,6 +1,3 @@
-classes:
-- system.docker.client.images.jenkins_master
-- system.docker.client.images.jenkins_slave
 parameters:
   docker:
     client:
diff --git a/docker/client/images/cvp.yml b/docker/client/images/cvp.yml
new file mode 100644
index 0000000..64c99a5
--- /dev/null
+++ b/docker/client/images/cvp.yml
@@ -0,0 +1,12 @@
+parameters:
+  docker:
+    client:
+      enabled: true
+      images:
+      - ${_param:docker_image_cvp_sanity_checks}
+      - ${_param:docker_image_cvp_tempest}
+      - ${_param:docker_image_cvp_shaker_checks}
+      - ${_param:docker_image_cvp_rally}
+      # xrally is not required for offline,
+      # use cvp_rally instead
+      # - ${_param:docker_image_cvp_xrally}
diff --git a/docker/client/images/jenkins_master.yml b/docker/client/images/jenkins_master.yml
index 929c76e..d74bb20 100644
--- a/docker/client/images/jenkins_master.yml
+++ b/docker/client/images/jenkins_master.yml
@@ -1,6 +1 @@
-parameters:
-  docker:
-    client:
-      enabled: true
-      images:
-      - ${_param:docker_image_jenkins}
\ No newline at end of file
+# Left for providing upgrade path
diff --git a/docker/client/images/jenkins_slave.yml b/docker/client/images/jenkins_slave.yml
index 46114d4..d74bb20 100644
--- a/docker/client/images/jenkins_slave.yml
+++ b/docker/client/images/jenkins_slave.yml
@@ -1,6 +1 @@
-parameters:
-  docker:
-    client:
-      enabled: true
-      images:
-      - ${_param:docker_image_jenkins_slave}
+# Left for providing upgrade path
diff --git a/docker/swarm/stack/gerrit.yml b/docker/swarm/stack/gerrit.yml
index 42af606..ed90acf 100644
--- a/docker/swarm/stack/gerrit.yml
+++ b/docker/swarm/stack/gerrit.yml
@@ -11,6 +11,7 @@
     gerrit_db_publish_port: 13306
     gerrit_publish_port: 18083
     gerrit_ssh_publish_port: 29417
+    gerrit_http_request_log: ""
   docker:
     client:
       stack:
@@ -26,6 +27,7 @@
                 - ${_param:gerrit_ssh_publish_port}:29418
               volumes:
                 - /srv/volumes/gerrit:/var/gerrit/review_site
+                - /etc/ssl/certs/java/cacerts:/etc/ssl/certs/java/cacerts:ro
               depends_on:
                 - db
               environment:
@@ -44,11 +46,12 @@
                 LDAP_PASSWORD: ${_param:gerrit_ldap_bind_password}
                 WEBURL: ${_param:gerrit_public_host}
                 HTTPD_LISTENURL: ${_param:gerrit_http_listen_url}
+                HTTPD_REQUESTLOG: ${_param:gerrit_http_request_log}
                 GERRIT_ADMIN_SSH_PUBLIC: ${_param:gerrit_admin_public_key}
                 GERRIT_ADMIN_PWD: ${_param:gerrit_admin_password}
                 GERRIT_ADMIN_EMAIL: ${_param:gerrit_admin_email}
                 CANLOADINIFRAME: "true"
-                JAVA_OPTIONS: ${_param:gerrit_extra_opts}
+                JAVA_OPTIONS: "-Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts ${_param:gerrit_extra_opts}"
                 https_proxy: ${_param:docker_https_proxy}
                 http_proxy: ${_param:docker_http_proxy}
                 no_proxy: ${_param:docker_no_proxy}
diff --git a/docker/swarm/stack/jenkins/jnlp_slave_multi.yml b/docker/swarm/stack/jenkins/jnlp_slave_multi.yml
new file mode 100644
index 0000000..3606bad
--- /dev/null
+++ b/docker/swarm/stack/jenkins/jnlp_slave_multi.yml
@@ -0,0 +1,63 @@
+classes:
+- system.docker.swarm.stack.jenkins.jnlp_slave_single
+parameters:
+  _param:
+    jenkins_slave02_node_name: ${_param:cluster_node02_name}
+    jenkins_slave03_node_name: ${_param:cluster_node03_name}
+  docker:
+    client:
+      stack:
+        jenkins:
+          service:
+            slave02:
+              environment:
+                JENKINS_URL: ${_param:jenkins_master_url}
+                JENKINS_AGENT_NAME: slave02
+                JENKINS_UPDATE_SLAVE: 'true'
+                JENKINS_LOGIN: ${_param:jenkins_client_user}
+                JENKINS_PASSWORD: ${_param:jenkins_client_password}
+                JAVA_OPTS: "-Dhttp.proxyHost=${_param:docker_http_proxy} -Dhttp.nonProxyHosts=|jenkins_master ${_param:jenkins_slave_extra_opts}"
+                https_proxy: ${_param:docker_https_proxy}
+                http_proxy: ${_param:docker_http_proxy}
+                no_proxy: "jenkins_master,${_param:docker_no_proxy}"
+                GIT_SSL_CAINFO: /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem
+              deploy:
+                restart_policy:
+                  condition: any
+                placement:
+                  constraints:
+                    - "node.hostname == ${_param:jenkins_slave02_node_name}"
+              image: ${_param:docker_image_jenkins_jnlp_slave}
+              volumes:
+                - /etc/ssl/certs/:/etc/ssl/certs/:ro
+                - /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem:/etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem:ro
+                - /dev/urandom:/dev/random:ro
+                - /var/run/docker.sock:/var/run/docker.sock
+                - /usr/bin/docker:/usr/bin/docker:ro
+                - /var/lib/jenkins:/var/lib/jenkins
+            slave03:
+              environment:
+                JENKINS_URL: ${_param:jenkins_master_url}
+                JENKINS_AGENT_NAME: slave03
+                JENKINS_UPDATE_SLAVE: 'true'
+                JENKINS_LOGIN: ${_param:jenkins_client_user}
+                JENKINS_PASSWORD: ${_param:jenkins_client_password}
+                JAVA_OPTS: "-Dhttp.proxyHost=${_param:docker_http_proxy} -Dhttp.nonProxyHosts=|jenkins_master ${_param:jenkins_slave_extra_opts}"
+                https_proxy: ${_param:docker_https_proxy}
+                http_proxy: ${_param:docker_http_proxy}
+                no_proxy: "jenkins_master,${_param:docker_no_proxy}"
+                GIT_SSL_CAINFO: /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem
+              deploy:
+                restart_policy:
+                  condition: any
+                placement:
+                  constraints:
+                  - "node.hostname == ${_param:jenkins_slave03_node_name}"
+              image: ${_param:docker_image_jenkins_jnlp_slave}
+              volumes:
+              - /etc/ssl/certs/:/etc/ssl/certs/:ro
+              - /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem:/etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem:ro
+              - /dev/urandom:/dev/random:ro
+              - /var/run/docker.sock:/var/run/docker.sock
+              - /usr/bin/docker:/usr/bin/docker:ro
+              - /var/lib/jenkins:/var/lib/jenkins
diff --git a/docker/swarm/stack/jenkins/slave01.yml b/docker/swarm/stack/jenkins/jnlp_slave_single.yml
similarity index 73%
rename from docker/swarm/stack/jenkins/slave01.yml
rename to docker/swarm/stack/jenkins/jnlp_slave_single.yml
index 73e8140..956f918 100644
--- a/docker/swarm/stack/jenkins/slave01.yml
+++ b/docker/swarm/stack/jenkins/jnlp_slave_single.yml
@@ -1,10 +1,15 @@
 classes:
-- system.docker.swarm.stack.jenkins.slave_base
+- system.docker
 parameters:
   _param:
+    jenkins_master_url: http://jenkins_master:8080
+    jenkins_slave_extra_opts: ""
     jenkins_slave01_node_name: ${_param:cluster_node01_name}
   docker:
     client:
+      enabled: true
+      images:
+        - ${_param:docker_image_jenkins_jnlp_slave}
       stack:
         jenkins:
           service:
@@ -19,15 +24,17 @@
                 https_proxy: ${_param:docker_https_proxy}
                 http_proxy: ${_param:docker_http_proxy}
                 no_proxy: "jenkins_master,${_param:docker_no_proxy}"
+                GIT_SSL_CAINFO: /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem
               deploy:
                 restart_policy:
                   condition: any
                 placement:
                   constraints:
                     - "node.hostname == ${_param:jenkins_slave01_node_name}"
-              image: ${_param:docker_image_jenkins_slave}
+              image: ${_param:docker_image_jenkins_jnlp_slave}
               volumes:
                 - /etc/ssl/certs/:/etc/ssl/certs/:ro
+                - /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem:/etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem:ro
                 - /dev/urandom:/dev/random:ro
                 - /var/run/docker.sock:/var/run/docker.sock
                 - /usr/bin/docker:/usr/bin/docker:ro
diff --git a/docker/swarm/stack/jenkins/master.yml b/docker/swarm/stack/jenkins/master.yml
index 4647521..9f3f0c2 100644
--- a/docker/swarm/stack/jenkins/master.yml
+++ b/docker/swarm/stack/jenkins/master.yml
@@ -1,6 +1,5 @@
 classes:
 - system.docker
-- system.docker.client.images.jenkins_master
 parameters:
   _param:
     jenkins_master_extra_opts: ""
@@ -9,18 +8,22 @@
     jenkins_home_dir_path: /var/jenkins_home
   docker:
     client:
+      enabled: true
+      images:
+        - ${_param:docker_image_jenkins}
       stack:
         jenkins:
           service:
             master:
               environment:
                 JENKINS_HOME: ${_param:jenkins_home_dir_path}
-                JAVA_OPTS: " -server -XX:+AlwaysPreTouch -Xloggc:${_param:jenkins_home_dir_path}/gc-%t.log -XX:NumberOfGCLogFiles=5 -XX:+UseGCLogFileRotation -XX:GCLogFileSize=20m -XX:+PrintGC -XX:+PrintGCDateStamps -XX:+PrintGCDetails -XX:+PrintHeapAtGC -XX:+PrintGCCause -XX:+PrintTenuringDistribution -XX:+PrintReferenceGC -XX:+PrintAdaptiveSizePolicy -XX:+UseG1GC -XX:+ExplicitGCInvokesConcurrent -XX:+ParallelRefProcEnabled -XX:+UseStringDeduplication -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=20 -XX:+UseCGroupMemoryLimitForHeap -XX:+UnlockDiagnosticVMOptions -XX:G1SummarizeRSetStatsPeriod=1 -Djenkins.install.runSetupWizard=false -Dhudson.DNSMultiCast.disabled=true -Dhudson.udp=-1 -Dhudson.footerURL=https://www.mirantis.com ${_param:jenkins_master_extra_opts}"
+                JAVA_OPTS: " -server -XX:+AlwaysPreTouch -Xloggc:${_param:jenkins_home_dir_path}/gc-%t.log -XX:NumberOfGCLogFiles=5 -XX:+UseGCLogFileRotation -XX:GCLogFileSize=20m -XX:+PrintGC -XX:+PrintGCDateStamps -XX:+PrintGCDetails -XX:+PrintHeapAtGC -XX:+PrintGCCause -XX:+PrintTenuringDistribution -XX:+PrintReferenceGC -XX:+PrintAdaptiveSizePolicy -XX:+UseG1GC -XX:+ExplicitGCInvokesConcurrent -XX:+ParallelRefProcEnabled -XX:+UseStringDeduplication -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=20 -XX:+UseCGroupMemoryLimitForHeap -XX:+UnlockDiagnosticVMOptions -XX:G1SummarizeRSetStatsPeriod=1 -Djenkins.install.runSetupWizard=false -Dhudson.DNSMultiCast.disabled=true -Dhudson.udp=-1 -Dhudson.footerURL=https://www.mirantis.com -Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts ${_param:jenkins_master_extra_opts}"
                 JENKINS_NUM_EXECUTORS: ${_param:jenkins_master_executors_num}
                 JENKINS_OPTS: " --handlerCountMax=${_param:jenkins_master_max_concurent_requests}"
                 https_proxy: ${_param:docker_https_proxy}
                 http_proxy: ${_param:docker_http_proxy}
                 no_proxy: ${_param:docker_no_proxy}
+                GIT_SSL_CAINFO: /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem
               deploy:
                 restart_policy:
                   condition: any
@@ -31,3 +34,4 @@
               volumes:
                 - /srv/volumes/jenkins:/var/jenkins_home
                 - /etc/ssl/certs/java/cacerts:/etc/ssl/certs/java/cacerts:ro
+                - /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem:/etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem:ro
diff --git a/docker/swarm/stack/jenkins/slave.yml b/docker/swarm/stack/jenkins/slave.yml
index 204b29d..4454c5a 100644
--- a/docker/swarm/stack/jenkins/slave.yml
+++ b/docker/swarm/stack/jenkins/slave.yml
@@ -1,5 +1,3 @@
+# jnlp slave
 classes:
-- system.docker
-- system.docker.swarm.stack.jenkins.slave01
-- system.docker.swarm.stack.jenkins.slave02
-- system.docker.swarm.stack.jenkins.slave03
+- system.docker.swarm.stack.jenkins.jnlp_slave_multi
diff --git a/docker/swarm/stack/jenkins/slave02.yml b/docker/swarm/stack/jenkins/slave02.yml
deleted file mode 100644
index ee198cb..0000000
--- a/docker/swarm/stack/jenkins/slave02.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-classes:
-- system.docker.swarm.stack.jenkins.slave_base
-parameters:
-  _param:
-    jenkins_slave02_node_name: ${_param:cluster_node02_name}
-  docker:
-    client:
-      stack:
-        jenkins:
-          service:
-            slave02:
-              environment:
-                JENKINS_URL: ${_param:jenkins_master_url}
-                JENKINS_AGENT_NAME: slave02
-                JENKINS_UPDATE_SLAVE: 'true'
-                JENKINS_LOGIN: ${_param:jenkins_client_user}
-                JENKINS_PASSWORD: ${_param:jenkins_client_password}
-                JAVA_OPTS: "-Dhttp.proxyHost=${_param:docker_http_proxy} -Dhttp.nonProxyHosts=|jenkins_master ${_param:jenkins_slave_extra_opts}"
-                https_proxy: ${_param:docker_https_proxy}
-                http_proxy: ${_param:docker_http_proxy}
-                no_proxy: "jenkins_master,${_param:docker_no_proxy}"
-              deploy:
-                restart_policy:
-                  condition: any
-                placement:
-                  constraints:
-                    - "node.hostname == ${_param:jenkins_slave02_node_name}"
-              image: ${_param:docker_image_jenkins_slave}
-              volumes:
-                - /etc/ssl/certs/:/etc/ssl/certs/:ro
-                - /dev/urandom:/dev/random:ro
-                - /var/run/docker.sock:/var/run/docker.sock
-                - /usr/bin/docker:/usr/bin/docker:ro
-                - /var/lib/jenkins:/var/lib/jenkins
diff --git a/docker/swarm/stack/jenkins/slave03.yml b/docker/swarm/stack/jenkins/slave03.yml
deleted file mode 100644
index b04ea2a..0000000
--- a/docker/swarm/stack/jenkins/slave03.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-classes:
-- system.docker.swarm.stack.jenkins.slave_base
-parameters:
-  _param:
-    jenkins_slave03_node_name: ${_param:cluster_node03_name}
-  docker:
-    client:
-      stack:
-        jenkins:
-          service:
-            slave03:
-              environment:
-                JENKINS_URL: ${_param:jenkins_master_url}
-                JENKINS_AGENT_NAME: slave03
-                JENKINS_UPDATE_SLAVE: 'true'
-                JENKINS_LOGIN: ${_param:jenkins_client_user}
-                JENKINS_PASSWORD: ${_param:jenkins_client_password}
-                JAVA_OPTS: "-Dhttp.proxyHost=${_param:docker_http_proxy} -Dhttp.nonProxyHosts=|jenkins_master ${_param:jenkins_slave_extra_opts}"
-                https_proxy: ${_param:docker_https_proxy}
-                http_proxy: ${_param:docker_http_proxy}
-                no_proxy: "jenkins_master,${_param:docker_no_proxy}"
-              deploy:
-                restart_policy:
-                  condition: any
-                placement:
-                  constraints:
-                    - "node.hostname == ${_param:jenkins_slave03_node_name}"
-              image: ${_param:docker_image_jenkins_slave}
-              volumes:
-                - /etc/ssl/certs/:/etc/ssl/certs/:ro
-                - /dev/urandom:/dev/random:ro
-                - /var/run/docker.sock:/var/run/docker.sock
-                - /usr/bin/docker:/usr/bin/docker:ro
-                - /var/lib/jenkins:/var/lib/jenkins
diff --git a/docker/swarm/stack/jenkins/slave_base.yml b/docker/swarm/stack/jenkins/slave_base.yml
deleted file mode 100644
index 3de4765..0000000
--- a/docker/swarm/stack/jenkins/slave_base.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-classes:
-- system.docker
-- system.docker.client.images.jenkins_slave
-parameters:
-  _param:
-    jenkins_master_url: http://jenkins_master:8080
-    jenkins_slave_extra_opts: ""
diff --git a/docker/swarm/stack/jenkins/slave_single.yml b/docker/swarm/stack/jenkins/slave_single.yml
index 31406d1..ee2bfac 100644
--- a/docker/swarm/stack/jenkins/slave_single.yml
+++ b/docker/swarm/stack/jenkins/slave_single.yml
@@ -1,3 +1,3 @@
+# Left for providing upgrade path
 classes:
-- system.docker
-- system.docker.swarm.stack.jenkins.slave01
+- system.docker.swarm.stack.jenkins.jnlp_slave_single
diff --git a/docker/swarm/stack/jenkins/ssh_slave_multi.yml b/docker/swarm/stack/jenkins/ssh_slave_multi.yml
new file mode 100644
index 0000000..5eafe44
--- /dev/null
+++ b/docker/swarm/stack/jenkins/ssh_slave_multi.yml
@@ -0,0 +1,70 @@
+classes:
+- system.docker.swarm.stack.jenkins.ssh_slave_single
+parameters:
+  _param:
+    jenkins_slave02_node_name: ${_param:cluster_node02_name}
+    jenkins_slave03_node_name: ${_param:cluster_node03_name}
+  docker:
+    client:
+      stack:
+        jenkins:
+          service:
+            slave02:
+              environment:
+                JENKINS_SLAVE_SSH_PUBKEY: ${_param:jenkins_admin_public_key}
+                https_proxy: ${_param:docker_https_proxy}
+                http_proxy: ${_param:docker_http_proxy}
+                no_proxy: "jenkins_master,${_param:docker_no_proxy}"
+                GIT_SSL_CAINFO: /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem
+              deploy:
+                restart_policy:
+                  condition: any
+                placement:
+                  constraints:
+                    - "node.hostname == ${_param:jenkins_slave02_node_name}"
+              image: ${_param:docker_image_jenkins_ssh_slave}
+              volumes:
+                - /etc/ssl/certs/:/etc/ssl/certs/:ro
+                - /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem:/etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem:ro
+                - /dev/urandom:/dev/random:ro
+                - /var/run/docker.sock:/var/run/docker.sock
+                - /usr/bin/docker:/usr/bin/docker:ro
+                - /var/lib/jenkins:/var/lib/jenkins
+            slave03:
+              environment:
+                JENKINS_SLAVE_SSH_PUBKEY: ${_param:jenkins_admin_public_key}
+                https_proxy: ${_param:docker_https_proxy}
+                http_proxy: ${_param:docker_http_proxy}
+                no_proxy: "jenkins_master,${_param:docker_no_proxy}"
+                GIT_SSL_CAINFO: /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem
+              deploy:
+                restart_policy:
+                  condition: any
+                placement:
+                  constraints:
+                  - "node.hostname == ${_param:jenkins_slave03_node_name}"
+              image: ${_param:docker_image_jenkins_ssh_slave}
+              volumes:
+              - /etc/ssl/certs/:/etc/ssl/certs/:ro
+              - /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem:/etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem:ro
+              - /dev/urandom:/dev/random:ro
+              - /var/run/docker.sock:/var/run/docker.sock
+              - /usr/bin/docker:/usr/bin/docker:ro
+              - /var/lib/jenkins:/var/lib/jenkins
+  jenkins:
+    client:
+      node:
+        slave02:
+          launcher:
+            type: ssh
+            host: jenkins_slave02
+            port: 22
+            username: jenkins
+            credentials: ssh_slave
+        slave03:
+          launcher:
+            type: ssh
+            host: jenkins_slave03
+            port: 22
+            username: jenkins
+            credentials: ssh_slave
diff --git a/docker/swarm/stack/jenkins/ssh_slave_single.yml b/docker/swarm/stack/jenkins/ssh_slave_single.yml
new file mode 100644
index 0000000..f4e16a2
--- /dev/null
+++ b/docker/swarm/stack/jenkins/ssh_slave_single.yml
@@ -0,0 +1,49 @@
+classes:
+- system.docker
+parameters:
+  _param:
+    jenkins_slave01_node_name: ${_param:cluster_node01_name}
+  docker:
+    client:
+      enabled: true
+      images:
+        - ${_param:docker_image_jenkins_ssh_slave}
+      stack:
+        jenkins:
+          service:
+            slave01:
+              environment:
+                JENKINS_SLAVE_SSH_PUBKEY: ${_param:jenkins_admin_public_key}
+                https_proxy: ${_param:docker_https_proxy}
+                http_proxy: ${_param:docker_http_proxy}
+                no_proxy: "jenkins_master,${_param:docker_no_proxy}"
+                GIT_SSL_CAINFO: /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem
+              deploy:
+                restart_policy:
+                  condition: any
+                placement:
+                  constraints:
+                  - "node.hostname == ${_param:jenkins_slave01_node_name}"
+              image: ${_param:docker_image_jenkins_ssh_slave}
+              volumes:
+              - /etc/ssl/certs/:/etc/ssl/certs/:ro
+              - /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem:/etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem:ro
+              - /dev/urandom:/dev/random:ro
+              - /var/run/docker.sock:/var/run/docker.sock
+              - /usr/bin/docker:/usr/bin/docker:ro
+              - /var/lib/jenkins:/var/lib/jenkins
+  jenkins:
+    client:
+      node:
+        slave01:
+          launcher:
+            type: ssh
+            host: jenkins_slave01
+            port: 22
+            username: jenkins
+            credentials: ssh_slave
+      credential:
+        ssh_slave:
+          username: jenkins
+          key: ${_param:jenkins_admin_private_key}
+
diff --git a/docker/swarm/stack/ldap.yml b/docker/swarm/stack/ldap.yml
index b785711..1e12a4a 100644
--- a/docker/swarm/stack/ldap.yml
+++ b/docker/swarm/stack/ldap.yml
@@ -21,13 +21,24 @@
               volumes:
                 - /srv/volumes/openldap/database:/var/lib/ldap
                 - /srv/volumes/openldap/config:/etc/ldap/slapd.d
+                - ${_param:openldap_tls:keyfile}:/container/service/slapd/assets/certs/drivetrain_ldap.key:ro
+                - ${_param:openldap_tls:certfile}:/container/service/slapd/assets/certs/drivetrain_ldap.crt:ro
+                - /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem:/container/service/slapd/assets/certs/ca.crt:ro
+              # copy to /container/run/service to avoid issues with owning certs as openldap user
+              # https://github.com/osixia/docker-openldap/issues/59
+              command: --copy-service
               environment:
                 HOSTNAME: ldap01.${_param:openldap_domain}
                 LDAP_ORGANISATION: "${_param:openldap_organisation}"
                 LDAP_DOMAIN: "${_param:openldap_domain}"
                 LDAP_ADMIN_PASSWORD: ${_param:openldap_admin_password}
                 LDAP_CONFIG_PASSWORD: ${_param:openldap_config_password}
-                LDAP_TLS: "false"
+                LDAP_TLS: "true"
+                LDAP_TLS_VERIFY_CLIENT: try
+                LDAP_TLS_CIPHER_SUITE: NORMAL:-VERS-SSL3.0:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0
+                LDAP_TLS_CRT_FILENAME: drivetrain_ldap.crt
+                LDAP_TLS_KEY_FILENAME: drivetrain_ldap.key
+                LDAP_TLS_CA_CRT_FILENAME: ca.crt
             admin:
               networks:
                 - ldap
@@ -38,9 +49,19 @@
               depends_on:
                 - server
               hostname: ldap
+              command: --copy-service
+              volumes:
+                - ${_param:openldap_tls:keyfile}:/container/service/ldap-client/assets/certs/drivetrain_ldap.key:ro
+                - ${_param:openldap_tls:certfile}:/container/service/ldap-client/assets/certs/drivetrain_ldap.crt:ro
+                - /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem:/container/service/ldap-client/assets/certs/ca.crt:ro
               environment:
                 PHPLDAPADMIN_LDAP_ADMIN_PASSWORD: ${_param:openldap_admin_password}
-                PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{'server': [{'server': [{'tls': False}]},{'login': [{'bind_id': 'cn=admin,${_param:openldap_dn}'},{'bind_pass': '$PHPLDAPADMIN_LDAP_ADMIN_PASSWORD'}]}]}]"
+                PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{'server': [{'server': [{'host': 'ldaps://${_param:cicd_control_address}', 'tls': False}]},{'login': [{'bind_id': 'cn=admin,${_param:openldap_dn}'},{'bind_pass': '$PHPLDAPADMIN_LDAP_ADMIN_PASSWORD'}]}]}]"
+                PHPLDAPADMIN_LDAP_CLIENT_TLS: "true"
+                PHPLDAPADMIN_LDAP_CLIENT_TLS_CA_CRT_FILENAME: drivetrain_ldap.crt
+                PHPLDAPADMIN_LDAP_CLIENT_TLS_CRT_FILENAME: drivetrain_ldap.key
+                PHPLDAPADMIN_LDAP_CLIENT_TLS_KEY_FILENAME: ca.crt
+                PHPLDAPADMIN_LDAP_CLIENT_TLS_REQCERT: 'try'
                 PHPLDAPADMIN_HTTPS: "false"
                 PHPLDAPADMIN_TRUST_PROXY_SSL: "true"
                 PHPLDAPADMIN_SERVER_ADMIN: ${_param:admin_email}
diff --git a/docker/swarm/stack/monitoring/pushgateway.yml b/docker/swarm/stack/monitoring/pushgateway.yml
index 461eb0b..582dc93 100644
--- a/docker/swarm/stack/monitoring/pushgateway.yml
+++ b/docker/swarm/stack/monitoring/pushgateway.yml
@@ -15,7 +15,7 @@
               networks:
                 - monitoring
               deploy:
-                replicas: 2
+                replicas: 1
                 labels:
                   com.mirantis.monitoring: "pushgateway"
                 restart_policy:
diff --git a/docker/swarm/stack/postgresql.yml b/docker/swarm/stack/postgresql.yml
index 619e0c2..2d6d7e7 100644
--- a/docker/swarm/stack/postgresql.yml
+++ b/docker/swarm/stack/postgresql.yml
@@ -9,6 +9,8 @@
     postgresql_admin_user: postgres
   docker:
     client:
+      images:
+        - ${_param:docker_image_postgresql}
       stack:
         postgresql:
           environment:
@@ -24,5 +26,6 @@
                   condition: any
               volumes:
                 - /srv/volumes/postgresql/data:/var/lib/postgresql/data
+                - /var/run/postgresql:/var/run/postgresql
               ports:
                 - ${_param:postgresql_exposed_port}:${_param:postgresql_bind_port}
diff --git a/galera/server/cluster.yml b/galera/server/cluster.yml
index e215910..a4b3f0a 100644
--- a/galera/server/cluster.yml
+++ b/galera/server/cluster.yml
@@ -2,3 +2,4 @@
 - service.haproxy.proxy.single
 - system.haproxy.proxy.listen.openstack.galera
 - system.keepalived.cluster.instance.galera_vip
+- system.galera.upgrade
diff --git a/galera/server/database/aodh.yml b/galera/server/database/aodh.yml
index c7cdfdc..d71a0ef 100644
--- a/galera/server/database/aodh.yml
+++ b/galera/server/database/aodh.yml
@@ -7,12 +7,12 @@
         aodh:
           encoding: utf8
           users:
-          - name: aodh
+          - name: ${_param:mysql_aodh_username}
             password: ${_param:mysql_aodh_password}
             host: '%'
             rights: all
             ssl_option: ${_param:mysql_aodh_ssl_option}
-          - name: aodh
+          - name: ${_param:mysql_aodh_username}
             password: ${_param:mysql_aodh_password}
             host: ${_param:cluster_vip_address}
             rights: all
diff --git a/galera/server/database/barbican.yml b/galera/server/database/barbican.yml
index a292660..21bd732 100644
--- a/galera/server/database/barbican.yml
+++ b/galera/server/database/barbican.yml
@@ -7,12 +7,12 @@
         barbican:
           encoding: utf8
           users:
-          - name: barbican
+          - name: ${_param:mysql_barbican_username}
             password: ${_param:mysql_barbican_password}
             host: '%'
             rights: all
             ssl_option: ${_param:mysql_barbican_ssl_option}
-          - name: barbican
+          - name: ${_param:mysql_barbican_username}
             password: ${_param:mysql_barbican_password}
             host: ${_param:cluster_vip_address}
             rights: all
diff --git a/galera/server/database/ceilometer.yml b/galera/server/database/ceilometer.yml
index 08a7f8b..586aae3 100644
--- a/galera/server/database/ceilometer.yml
+++ b/galera/server/database/ceilometer.yml
@@ -7,12 +7,12 @@
         ceilometer:
           encoding: utf8
           users:
-          - name: ceilometer
+          - name: ${_param:mysql_ceilometer_username}
             password: ${_param:mysql_ceilometer_password}
             host: '%'
             rights: all
             ssl_option: ${_param:mysql_ceilometer_ssl_option}
-          - name: ceilometer
+          - name: ${_param:mysql_ceilometer_username}
             password: ${_param:mysql_ceilometer_password}
             host: ${_param:cluster_local_address}
             rights: all
diff --git a/galera/server/database/cinder.yml b/galera/server/database/cinder.yml
index 6478cb8..f1ae9a3 100644
--- a/galera/server/database/cinder.yml
+++ b/galera/server/database/cinder.yml
@@ -7,12 +7,12 @@
         cinder:
           encoding: utf8
           users:
-          - name: cinder
+          - name: ${_param:mysql_cinder_username}
             password: ${_param:mysql_cinder_password}
             host: '%'
             rights: all
             ssl_option: ${_param:mysql_cinder_ssl_option}
-          - name: cinder
+          - name: ${_param:mysql_cinder_username}
             password: ${_param:mysql_cinder_password}
             host: ${_param:cluster_local_address}
             rights: all
diff --git a/galera/server/database/designate.yml b/galera/server/database/designate.yml
index 43a76f9..fef27ab 100644
--- a/galera/server/database/designate.yml
+++ b/galera/server/database/designate.yml
@@ -7,12 +7,12 @@
         designate:
           encoding: utf8
           users:
-          - name: designate
+          - name: ${_param:mysql_designate_username}
             password: ${_param:mysql_designate_password}
             host: '%'
             rights: all
             ssl_option: ${_param:mysql_designate_ssl_option}
-          - name: designate
+          - name: ${_param:mysql_designate_username}
             password: ${_param:mysql_designate_password}
             host: ${_param:cluster_vip_address}
             rights: all
@@ -20,12 +20,12 @@
         designate_pool_manager:
           encoding: utf8
           users:
-          - name: designate
+          - name: ${_param:mysql_designate_username}
             password: ${_param:mysql_designate_password}
             host: '%'
             rights: all
             ssl_option: ${_param:mysql_designate_ssl_option}
-          - name: designate
+          - name: ${_param:mysql_designate_username}
             password: ${_param:mysql_designate_password}
             host: ${_param:cluster_vip_address}
             rights: all
diff --git a/galera/server/database/glance.yml b/galera/server/database/glance.yml
index 7af81d8..0ca9f6b 100644
--- a/galera/server/database/glance.yml
+++ b/galera/server/database/glance.yml
@@ -7,12 +7,12 @@
         glance:
           encoding: utf8
           users:
-          - name: glance
+          - name: ${_param:mysql_glance_username}
             password: ${_param:mysql_glance_password}
             host: '%'
             rights: all
             ssl_option: ${_param:mysql_glance_ssl_option}
-          - name: glance
+          - name: ${_param:mysql_glance_username}
             password: ${_param:mysql_glance_password}
             host: ${_param:cluster_local_address}
             rights: all
diff --git a/galera/server/database/gnocchi.yml b/galera/server/database/gnocchi.yml
index 1ee36da..71c468e 100644
--- a/galera/server/database/gnocchi.yml
+++ b/galera/server/database/gnocchi.yml
@@ -7,12 +7,12 @@
         gnocchi:
           encoding: utf8
           users:
-          - name: gnocchi
+          - name: ${_param:mysql_gnocchi_username}
             password: ${_param:mysql_gnocchi_password}
             host: '%'
             rights: all
             ssl_option: ${_param:mysql_gnocchi_ssl_option}
-          - name: gnocchi
+          - name: ${_param:mysql_gnocchi_username}
             password: ${_param:mysql_gnocchi_password}
             host: ${_param:cluster_local_address}
             rights: all
diff --git a/galera/server/database/grafana.yml b/galera/server/database/grafana.yml
index 3bfee87..3afb436 100644
--- a/galera/server/database/grafana.yml
+++ b/galera/server/database/grafana.yml
@@ -7,12 +7,12 @@
         grafana:
           encoding: utf8
           users:
-          - name: grafana
+          - name: ${_param:mysql_grafana_username}
             password: ${_param:mysql_grafana_password}
             host: '%'
             rights: all
             ssl_option: ${_param:mysql_grafana_ssl_option}
-          - name: grafana
+          - name: ${_param:mysql_grafana_username}
             password: ${_param:mysql_grafana_password}
             host: ${_param:cluster_local_address}
             rights: all
diff --git a/galera/server/database/graphite.yml b/galera/server/database/graphite.yml
index 595c16b..fb0582c 100644
--- a/galera/server/database/graphite.yml
+++ b/galera/server/database/graphite.yml
@@ -7,7 +7,7 @@
         graphite:
           encoding: 'utf8'
           users:
-          - name: 'graphite'
+          - name: '${_param:mysql_graphite_username}'
             password: '${_param:mysql_graphite_password}'
             host: '%'
             rights: 'all'
diff --git a/galera/server/database/heat.yml b/galera/server/database/heat.yml
index 31b3968..a17db4b 100644
--- a/galera/server/database/heat.yml
+++ b/galera/server/database/heat.yml
@@ -7,12 +7,12 @@
         heat:
           encoding: utf8
           users:
-          - name: heat
+          - name: ${_param:mysql_heat_username}
             password: ${_param:mysql_heat_password}
             host: '%'
             rights: all
             ssl_option: ${_param:mysql_heat_ssl_option}
-          - name: heat
+          - name: ${_param:mysql_heat_username}
             password: ${_param:mysql_heat_password}
             host: ${_param:cluster_local_address}
             rights: all
diff --git a/galera/server/database/ironic.yml b/galera/server/database/ironic.yml
index a478aeb..10ea447 100644
--- a/galera/server/database/ironic.yml
+++ b/galera/server/database/ironic.yml
@@ -7,12 +7,12 @@
         ironic:
           encoding: utf8
           users:
-          - name: ironic
+          - name: ${_param:mysql_ironic_username}
             password: ${_param:mysql_ironic_password}
             host: '%'
             rights: all
             ssl_option: ${_param:mysql_ironic_ssl_option}
-          - name: ironic
+          - name: ${_param:mysql_ironic_username}
             password: ${_param:mysql_ironic_password}
             host: ${_param:cluster_local_address}
             rights: all
diff --git a/galera/server/database/keystone.yml b/galera/server/database/keystone.yml
index d6483cd..2dc90ff 100644
--- a/galera/server/database/keystone.yml
+++ b/galera/server/database/keystone.yml
@@ -7,12 +7,12 @@
         keystone:
           encoding: utf8
           users:
-          - name: keystone
+          - name: ${_param:mysql_keystone_username}
             password: ${_param:mysql_keystone_password}
             host: '%'
             rights: all
             ssl_option: ${_param:mysql_keystone_ssl_option}
-          - name: keystone
+          - name: ${_param:mysql_keystone_username}
             password: ${_param:mysql_keystone_password}
             host: ${_param:cluster_local_address}
             rights: all
diff --git a/galera/server/database/manila.yml b/galera/server/database/manila.yml
index d233ce9..dc6c415 100644
--- a/galera/server/database/manila.yml
+++ b/galera/server/database/manila.yml
@@ -7,12 +7,12 @@
         manila:
           encoding: utf8
           users:
-          - name: manila
+          - name: ${_param:mysql_manila_username}
             password: ${_param:mysql_manila_password}
             host: '%'
             rights: all
             ssl_option: ${_param:mysql_manila_ssl_option}
-          - name: manila
+          - name: ${_param:mysql_manila_username}
             password: ${_param:mysql_manila_password}
             host: ${_param:cluster_local_address}
             rights: all
diff --git a/galera/server/database/neutron.yml b/galera/server/database/neutron.yml
index b5ee606..772a57d 100644
--- a/galera/server/database/neutron.yml
+++ b/galera/server/database/neutron.yml
@@ -7,12 +7,12 @@
         neutron:
           encoding: 'utf8'
           users:
-          - name: 'neutron'
+          - name: '${_param:mysql_neutron_username}'
             password: '${_param:mysql_neutron_password}'
             host: '%'
             rights: 'all'
             ssl_option: ${_param:mysql_neutron_ssl_option}
-          - name: 'neutron'
+          - name: '${_param:mysql_neutron_username}'
             password: '${_param:mysql_neutron_password}'
             host: '${_param:cluster_local_address}'
             rights: 'all'
diff --git a/galera/server/database/nova.yml b/galera/server/database/nova.yml
index d2ffc4a..44bfc95 100644
--- a/galera/server/database/nova.yml
+++ b/galera/server/database/nova.yml
@@ -7,12 +7,12 @@
         nova:
           encoding: utf8
           users:
-          - name: nova
+          - name: ${_param:mysql_nova_username}
             password: ${_param:mysql_nova_password}
             host: '%'
             rights: all
             ssl_option: ${_param:mysql_nova_ssl_option}
-          - name: nova
+          - name: ${_param:mysql_nova_username}
             password: ${_param:mysql_nova_password}
             host: ${_param:cluster_local_address}
             rights: all
@@ -20,12 +20,12 @@
         nova_api:
           encoding: utf8
           users:
-          - name: nova
+          - name: ${_param:mysql_nova_username}
             password: ${_param:mysql_nova_password}
             host: '%'
             rights: all
             ssl_option: ${_param:mysql_nova_ssl_option}
-          - name: nova
+          - name: ${_param:mysql_nova_username}
             password: ${_param:mysql_nova_password}
             host: ${_param:cluster_local_address}
             rights: all
@@ -33,12 +33,12 @@
         nova_cell0:
           encoding: utf8
           users:
-          - name: nova
+          - name: ${_param:mysql_nova_username}
             password: ${_param:mysql_nova_password}
             host: '%'
             rights: all
             ssl_option: ${_param:mysql_nova_ssl_option}
-          - name: nova
+          - name: ${_param:mysql_nova_username}
             password: ${_param:mysql_nova_password}
             host: ${_param:cluster_local_address}
             rights: all
diff --git a/galera/server/database/octavia.yml b/galera/server/database/octavia.yml
index 7b4eaaf..893a738 100644
--- a/galera/server/database/octavia.yml
+++ b/galera/server/database/octavia.yml
@@ -7,12 +7,12 @@
         octavia:
           encoding: 'utf8'
           users:
-          - name: 'octavia'
+          - name: '${_param:mysql_octavia_username}'
             password: '${_param:mysql_octavia_password}'
             host: '%'
             rights: 'all'
             ssl_option: ${_param:mysql_octavia_ssl_option}
-          - name: 'octavia'
+          - name: '${_param:mysql_octavia_username}'
             password: '${_param:mysql_octavia_password}'
             host: '${_param:cluster_local_address}'
             rights: 'all'
diff --git a/galera/server/database/panko.yml b/galera/server/database/panko.yml
index c4c455a..3e00e5a 100644
--- a/galera/server/database/panko.yml
+++ b/galera/server/database/panko.yml
@@ -7,12 +7,12 @@
         panko:
           encoding: utf8
           users:
-          - name: panko
+          - name: ${_param:mysql_panko_username}
             password: ${_param:mysql_panko_password}
             host: '%'
             rights: all
             ssl_option: ${_param:mysql_panko_ssl_option}
-          - name: panko
+          - name: ${_param:mysql_panko_username}
             password: ${_param:mysql_panko_password}
             host: ${_param:cluster_local_address}
             rights: all
diff --git a/galera/server/database/tacker.yml b/galera/server/database/tacker.yml
index 9cd76b5..d181450 100644
--- a/galera/server/database/tacker.yml
+++ b/galera/server/database/tacker.yml
@@ -7,12 +7,12 @@
         tacker:
           encoding: utf8
           users:
-          - name: tacker
+          - name: ${_param:mysql_tacker_username}
             password: ${_param:mysql_tacker_password}
             host: '%'
             rights: all
             ssl_option: ${_param:mysql_tacker_ssl_option}
-          - name: tacker
+          - name: ${_param:mysql_tacker_username}
             password: ${_param:mysql_tacker_password}
             host: ${_param:cluster_local_address}
             rights: all
diff --git a/galera/upgrade/init.yml b/galera/upgrade/init.yml
new file mode 100644
index 0000000..dd49ff2
--- /dev/null
+++ b/galera/upgrade/init.yml
@@ -0,0 +1,4 @@
+parameters:
+  galera:
+    upgrade:
+      enabled: ${_param:galera_upgrade_enabled}
diff --git a/gerrit/client/init.yml b/gerrit/client/init.yml
index 16e4231..6ff90e7 100644
--- a/gerrit/client/init.yml
+++ b/gerrit/client/init.yml
@@ -19,7 +19,7 @@
         auth_method: basic
         http_port: 8080
         ssh_port: 29418
-        protocol: http
+        protocol: https
         password: ${_param:gerrit_admin_password}
         key: ${_param:gerrit_admin_private_key}
       user:
@@ -39,6 +39,9 @@
           actions:
           - name: read
             group: Non-Interactive Users
+          - name: read
+            group: Anonymous Users
+            deny: true
         "refs/heads/*":
           actions:
           - name: abandon
diff --git a/gerrit/server/single.yml b/gerrit/server/single.yml
index f0f6492..21b0104 100644
--- a/gerrit/server/single.yml
+++ b/gerrit/server/single.yml
@@ -54,6 +54,9 @@
         pool_max_idle: 16
       change_cleanup:
         abandon_after: 3months
+      download:
+        command: ${_param:gerrit_config_download_command}
+        scheme: ${_param:gerrit_config_download_scheme}
   postgresql:
     server:
       version: "9.5"
diff --git a/glance/control/cluster.yml b/glance/control/cluster.yml
index 3eb7866..763ad09 100644
--- a/glance/control/cluster.yml
+++ b/glance/control/cluster.yml
@@ -28,7 +28,7 @@
         host: ${_param:openstack_database_address}
         port: 3306
         name: glance
-        user: glance
+        user: ${_param:mysql_glance_username}
         password: ${_param:mysql_glance_password}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
@@ -50,7 +50,7 @@
         engine: keystone
         host: ${_param:cluster_vip_address}
         port: 35357
-        user: glance
+        user: ${_param:keystone_glance_username}
         password: ${_param:keystone_glance_password}
         region: ${_param:openstack_region}
         tenant: service
diff --git a/gnocchi/common/cluster.yml b/gnocchi/common/cluster.yml
index b00ffa5..e1c58da 100644
--- a/gnocchi/common/cluster.yml
+++ b/gnocchi/common/cluster.yml
@@ -6,6 +6,8 @@
   gnocchi:
     common:
       database:
+        user: ${_param:mysql_gnocchi_username}
+        password: ${_param:mysql_gnocchi_password}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
           ca_file: ${_param:mysql_gnocchi_ssl_ca_file}
diff --git a/gnocchi/common/single.yml b/gnocchi/common/single.yml
index 834db2f..614e85e 100644
--- a/gnocchi/common/single.yml
+++ b/gnocchi/common/single.yml
@@ -6,6 +6,8 @@
   gnocchi:
     common:
       database:
+        user: ${_param:mysql_gnocchi_username}
+        password: ${_param:mysql_gnocchi_password}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
           ca_file: ${_param:mysql_gnocchi_ssl_ca_file}
diff --git a/gnocchi/server/cluster.yml b/gnocchi/server/cluster.yml
index 1ad5e44..8e3265e 100644
--- a/gnocchi/server/cluster.yml
+++ b/gnocchi/server/cluster.yml
@@ -17,6 +17,8 @@
         metric_processing_delay: 15
         metric_reporting_delay: 30
       identity:
+        user: ${_param:keystone_gnocchi_username}
+        password: ${_param:keystone_gnocchi_password}
         host: ${_param:openstack_control_address}
         region: ${_param:openstack_region}
         protocol: ${_param:cluster_internal_protocol}
diff --git a/gnocchi/server/single.yml b/gnocchi/server/single.yml
index 43a2c9d..cf6ebfa 100644
--- a/gnocchi/server/single.yml
+++ b/gnocchi/server/single.yml
@@ -5,6 +5,8 @@
     server:
       role: ${_param:openstack_node_role}
       identity:
+        user: ${_param:keystone_gnocchi_username}
+        password: ${_param:keystone_gnocchi_password}
         region: ${_param:openstack_region}
         protocol: ${_param:internal_protocol}
       metricd:
diff --git a/grafana/server/single.yml b/grafana/server/single.yml
index 6303430..c7aa8a9 100644
--- a/grafana/server/single.yml
+++ b/grafana/server/single.yml
@@ -15,7 +15,7 @@
         host: ${_param:openstack_database_address}
         port: 3306
         name: grafana
-        user: grafana
+        user: ${_param:mysql_grafana_username}
         password: ${_param:mysql_grafana_password}
       auth:
         basic:
diff --git a/haproxy/proxy/listen/cicd/gerrit.yml b/haproxy/proxy/listen/cicd/gerrit.yml
index f6ded20..9e11f03 100644
--- a/haproxy/proxy/listen/cicd/gerrit.yml
+++ b/haproxy/proxy/listen/cicd/gerrit.yml
@@ -1,3 +1,5 @@
+classes:
+  - system.salt.minion.cert.proxy.drivetrain_ssl
 parameters:
   _param:
     haproxy_gerrit_bind_host: ${_param:haproxy_bind_address}
@@ -5,7 +7,8 @@
     haproxy_gerrit_ssh_bind_host: ${_param:haproxy_gerrit_bind_host}
     haproxy_gerrit_ssh_bind_port: 29418
     haproxy_gerrit_ssl:
-      enabled: false
+      enabled: true
+      pem_file: /etc/haproxy/ssl/drivetrain.pem
   haproxy:
     proxy:
       listen:
diff --git a/haproxy/proxy/listen/cicd/jenkins.yml b/haproxy/proxy/listen/cicd/jenkins.yml
index d8c67d0..9f3bf07 100644
--- a/haproxy/proxy/listen/cicd/jenkins.yml
+++ b/haproxy/proxy/listen/cicd/jenkins.yml
@@ -1,3 +1,5 @@
+classes:
+  - system.salt.minion.cert.proxy.drivetrain_ssl
 parameters:
   _param:
     haproxy_jenkins_bind_host: ${_param:haproxy_bind_address}
@@ -5,7 +7,8 @@
     haproxy_jenkins_jnlp_bind_host: ${_param:haproxy_jenkins_bind_host}
     haproxy_jenkins_jnlp_bind_port: 50000
     haproxy_jenkins_ssl:
-      enabled: false
+      enabled: true
+      pem_file: /etc/haproxy/ssl/drivetrain.pem
   haproxy:
     proxy:
       listen:
diff --git a/haproxy/proxy/listen/opencontrail/control4_0.yml b/haproxy/proxy/listen/opencontrail/control4_0.yml
index 22623fd..c9f37c3 100644
--- a/haproxy/proxy/listen/opencontrail/control4_0.yml
+++ b/haproxy/proxy/listen/opencontrail/control4_0.yml
@@ -11,23 +11,26 @@
           binds:
           - address: ${_param:cluster_vip_address}
             port: 8082
+            ssl:
+              enabled: ${_param:opencontrail_api_ssl_enabled}
+              pem_file: ${_param:opencontrail_api_all_pemfile}
           servers:
           - name: ntw01
             host: ${_param:cluster_node01_address}
             port: 9100
-            params: check inter 2000 rise 2 fall 3
+            params: ${_param:haproxy_opencontrail_api_check_params}
             port_range_length: ${_param:opencontrail_api_workers_count}
             port_range_start_offset: ${_param:opencontrail_api_start_offset}
           - name: ntw02
             host: ${_param:cluster_node02_address}
             port: 9100
-            params: check inter 2000 rise 2 fall 3
+            params: ${_param:haproxy_opencontrail_api_check_params}
             port_range_length: ${_param:opencontrail_api_workers_count}
             port_range_start_offset: ${_param:opencontrail_api_start_offset}
           - name: ntw03
             host: ${_param:cluster_node03_address}
             port: 9100
-            params: check inter 2000 rise 2 fall 3
+            params: ${_param:haproxy_opencontrail_api_check_params}
             port_range_length: ${_param:opencontrail_api_workers_count}
             port_range_start_offset: ${_param:opencontrail_api_start_offset}
         contrail_config_stats:
diff --git a/haproxy/proxy/listen/openstack/heat.yml b/haproxy/proxy/listen/openstack/heat.yml
index 649ce99..708c97a 100644
--- a/haproxy/proxy/listen/openstack/heat.yml
+++ b/haproxy/proxy/listen/openstack/heat.yml
@@ -29,6 +29,9 @@
         heat_api:
           type: openstack-service
           service_name: heat
+          timeout:
+            client: '2m'
+            server: '2m'
           binds:
           - address: ${_param:cluster_vip_address}
             port: 8004
diff --git a/haproxy/proxy/listen/openstack/heat_large.yml b/haproxy/proxy/listen/openstack/heat_large.yml
index 899a691..d23947a 100644
--- a/haproxy/proxy/listen/openstack/heat_large.yml
+++ b/haproxy/proxy/listen/openstack/heat_large.yml
@@ -37,6 +37,9 @@
         heat_api:
           type: openstack-service
           service_name: heat
+          timeout:
+            client: '2m'
+            server: '2m'
           binds:
           - address: ${_param:cluster_vip_address}
             port: 8004
diff --git a/haproxy/proxy/listen/phpldapadmin.yml b/haproxy/proxy/listen/phpldapadmin.yml
index b2b7f93..6bbb885 100644
--- a/haproxy/proxy/listen/phpldapadmin.yml
+++ b/haproxy/proxy/listen/phpldapadmin.yml
@@ -2,6 +2,9 @@
   _param:
     haproxy_phpldapadmin_bind_host: ${_param:haproxy_bind_address}
     haproxy_phpldapadmin_bind_port: 8089
+    haproxy_phpldapadmin_ssl:
+      enabled: true
+      pem_file: /etc/haproxy/ssl/drivetrain.pem
   haproxy:
     proxy:
       listen:
@@ -12,9 +15,13 @@
             - httpclose
             - httplog
           balance: source
+          http_request:
+            - action: "add-header X-Forwarded-Proto https"
+              condition: "if { ssl_fc }"
           binds:
             - address: ${_param:haproxy_phpldapadmin_bind_host}
               port: ${_param:haproxy_phpldapadmin_bind_port}
+              ssl: ${_param:haproxy_phpldapadmin_ssl}
           servers:
             - name: ${_param:cluster_node01_name}
               host: ${_param:cluster_node01_address}
diff --git a/haproxy/proxy/single.yml b/haproxy/proxy/single.yml
index dc9c668..b470247 100644
--- a/haproxy/proxy/single.yml
+++ b/haproxy/proxy/single.yml
@@ -1,4 +1,2 @@
-parameters:
-  haproxy:
-    proxy:
-      enabled: true
+classes:
+- service.haproxy.proxy.single
diff --git a/heat/server/cluster.yml b/heat/server/cluster.yml
index be2f211..89a5885 100644
--- a/heat/server/cluster.yml
+++ b/heat/server/cluster.yml
@@ -34,7 +34,7 @@
         host: ${_param:openstack_database_address}
         port: 3306
         name: heat
-        user: heat
+        user: ${_param:mysql_heat_username}
         password: ${_param:mysql_heat_password}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
@@ -60,7 +60,7 @@
         host: ${_param:cluster_vip_address}
         port: 35357
         tenant: service
-        user: heat
+        user: ${_param:keystone_heat_username}
         password: ${_param:keystone_heat_password}
         protocol: ${_param:cluster_internal_protocol}
       message_queue:
diff --git a/ironic/api/cluster.yml b/ironic/api/cluster.yml
index aa45ec2..0d6587d 100644
--- a/ironic/api/cluster.yml
+++ b/ironic/api/cluster.yml
@@ -25,6 +25,10 @@
         ssl:
           enabled: ${_param:galera_ssl_enabled}
       message_queue:
+        members:
+          - host: ${_param:openstack_message_queue_node01_address}
+          - host: ${_param:openstack_message_queue_node02_address}
+          - host: ${_param:openstack_message_queue_node03_address}
         port: ${_param:openstack_rabbitmq_port}
         x509:
           enabled: ${_param:openstack_rabbitmq_x509_enabled}
diff --git a/ironic/conductor/cluster.yml b/ironic/conductor/cluster.yml
index 3478413..eb0b38f 100644
--- a/ironic/conductor/cluster.yml
+++ b/ironic/conductor/cluster.yml
@@ -21,6 +21,10 @@
         ssl:
           enabled: ${_param:galera_ssl_enabled}
       message_queue:
+        members:
+          - host: ${_param:openstack_message_queue_node01_address}
+          - host: ${_param:openstack_message_queue_node02_address}
+          - host: ${_param:openstack_message_queue_node03_address}
         port: ${_param:openstack_rabbitmq_port}
         x509:
           enabled: ${_param:openstack_rabbitmq_x509_enabled}
diff --git a/ironic/conductor/storage/cinder.yml b/ironic/conductor/storage/cinder.yml
index 33af09a..22dc687 100644
--- a/ironic/conductor/storage/cinder.yml
+++ b/ironic/conductor/storage/cinder.yml
@@ -11,5 +11,5 @@
         project_domain_id: default
         project_name: service
         user_domain_name: Default
-        username: cinder
+        username: ${_param:keystone_cinder_username}
         region: ${_param:openstack_region}
diff --git a/jenkins/client/approved_scripts.yml b/jenkins/client/approved_scripts.yml
index f15b370..eb6a5b8 100644
--- a/jenkins/client/approved_scripts.yml
+++ b/jenkins/client/approved_scripts.yml
@@ -138,6 +138,7 @@
         - staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getAt java.lang.String int
         - staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getAt java.util.Collection java.lang.String
         - staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getAt java.util.List groovy.lang.Range
+        - staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getAt java.util.regex.Matcher java.util.Collection
         - staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getBytes java.io.File
         - staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getText java.io.InputStream
         - staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods hasProperty java.lang.Object java.lang.String
@@ -164,3 +165,4 @@
         - staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods toSorted java.lang.Iterable
         - staticMethod org.codehaus.groovy.runtime.EncodingGroovyMethods encodeBase64 byte[]
         - staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter bitwiseNegate java.lang.Object
+        - staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods max java.util.Collection
diff --git a/jenkins/client/credential/gerrit.yml b/jenkins/client/credential/gerrit.yml
index b42f5af..8557506 100644
--- a/jenkins/client/credential/gerrit.yml
+++ b/jenkins/client/credential/gerrit.yml
@@ -1,6 +1,8 @@
+# SSH credentials
 parameters:
   _param:
     gerrit_admin_user: admin
+    jenkins_gerrit_credentials: "gerrit"
   jenkins:
     client:
       credential:
diff --git a/jenkins/client/credential/gerrit_http.yml b/jenkins/client/credential/gerrit_http.yml
new file mode 100644
index 0000000..7c13186
--- /dev/null
+++ b/jenkins/client/credential/gerrit_http.yml
@@ -0,0 +1,11 @@
+# HTTP credentials
+parameters:
+  _param:
+    gerrit_admin_user: admin
+    jenkins_gerrit_credentials: "gerrit_http"
+  jenkins:
+    client:
+      credential:
+        gerrit_http:
+          username: ${_param:gerrit_admin_user}
+          password: ${_param:gerrit_admin_password}
diff --git a/jenkins/client/credential/source_git.yml b/jenkins/client/credential/source_git.yml
new file mode 100644
index 0000000..ec350f0
--- /dev/null
+++ b/jenkins/client/credential/source_git.yml
@@ -0,0 +1,10 @@
+parameters:
+  _param:
+    pipeline_library_source_credentials: source_git
+  jenkins:
+    client:
+      credential:
+        source_git:
+          desc: Credentials to source git repositories for pipelines
+          username: ${_param:source_git_username}
+          password: ${_param:source_git_password}
diff --git a/jenkins/client/init.yml b/jenkins/client/init.yml
index 11b5430..03406a3 100644
--- a/jenkins/client/init.yml
+++ b/jenkins/client/init.yml
@@ -10,6 +10,7 @@
     jenkins_master_host: ${_param:control_vip_address}
     jenkins_aptly_storages: "local"
     jenkins_offline_deployment: "false"
+    jenkins_gerrit_credentials: "gerrit"
   jenkins:
     client:
       globalenvprop:
@@ -18,13 +19,14 @@
       master:
         host: ${_param:jenkins_master_host}
         port: ${_param:jenkins_master_port}
+        proto: https
         username: ${_param:jenkins_client_user}
         password: ${_param:jenkins_client_password}
       lib:
         pipeline-library:
           enabled: true
           url: ${_param:jenkins_gerrit_url}/mcp-ci/pipeline-library
-          credential_id: gerrit
+          credential_id: ${_param:jenkins_gerrit_credentials}
           branch: ${_param:jenkins_pipelines_branch}
       theme:
         css_url: '/userContent/theme/mirantis.css'
diff --git a/jenkins/client/job/ceph/add-node.yml b/jenkins/client/job/ceph/add-node.yml
index 29af563..1c8f234 100644
--- a/jenkins/client/job/ceph/add-node.yml
+++ b/jenkins/client/job/ceph/add-node.yml
@@ -13,7 +13,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: ceph-add-node.groovy
           param:
             # general parameters
diff --git a/jenkins/client/job/ceph/add-osd-upmap.yml b/jenkins/client/job/ceph/add-osd-upmap.yml
index f6390a6..949154d 100644
--- a/jenkins/client/job/ceph/add-osd-upmap.yml
+++ b/jenkins/client/job/ceph/add-osd-upmap.yml
@@ -14,7 +14,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: ceph-add-osd-upmap.groovy
           param:
             # general parameters
diff --git a/jenkins/client/job/ceph/backend-migration.yml b/jenkins/client/job/ceph/backend-migration.yml
index ab3f639..9289f3d 100644
--- a/jenkins/client/job/ceph/backend-migration.yml
+++ b/jenkins/client/job/ceph/backend-migration.yml
@@ -13,7 +13,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: ceph-backend-migration.groovy
           param:
             # general parameters
diff --git a/jenkins/client/job/ceph/remove-node.yml b/jenkins/client/job/ceph/remove-node.yml
index 901e319..db43faf 100644
--- a/jenkins/client/job/ceph/remove-node.yml
+++ b/jenkins/client/job/ceph/remove-node.yml
@@ -13,7 +13,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: ceph-remove-node.groovy
           param:
             # general parameters
diff --git a/jenkins/client/job/ceph/remove-osd.yml b/jenkins/client/job/ceph/remove-osd.yml
index 99dcb37..6f8452d 100644
--- a/jenkins/client/job/ceph/remove-osd.yml
+++ b/jenkins/client/job/ceph/remove-osd.yml
@@ -13,7 +13,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: ceph-remove-osd.groovy
           param:
             # general parameters
diff --git a/jenkins/client/job/ceph/replace-failed-osd.yml b/jenkins/client/job/ceph/replace-failed-osd.yml
index f5c9396..f76f07f 100644
--- a/jenkins/client/job/ceph/replace-failed-osd.yml
+++ b/jenkins/client/job/ceph/replace-failed-osd.yml
@@ -13,7 +13,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: ceph-replace-failed-osd.groovy
           param:
             # general parameters
diff --git a/jenkins/client/job/ceph/upgrade.yml b/jenkins/client/job/ceph/upgrade.yml
index d308845..7b9c3fb 100644
--- a/jenkins/client/job/ceph/upgrade.yml
+++ b/jenkins/client/job/ceph/upgrade.yml
@@ -6,6 +6,7 @@
           type: workflow-scm
           concurrent: true
           display_name: "Ceph - upgrade"
+          description: "Jewel-Luminous upgrade job"
           discard:
             build:
               keep_num: 50
@@ -13,7 +14,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: ceph-upgrade.groovy
           param:
             # general parameters
diff --git a/jenkins/client/job/deploy/backupninja_backup.yml b/jenkins/client/job/deploy/backupninja_backup.yml
new file mode 100644
index 0000000..147b32b
--- /dev/null
+++ b/jenkins/client/job/deploy/backupninja_backup.yml
@@ -0,0 +1,32 @@
+parameters:
+  jenkins:
+    client:
+      job:
+        backupninja_backup:
+          type: workflow-scm
+          name: backupninja-backup
+          display_name: "Backupninja salt-master/MaaS backup"
+          discard:
+            build:
+              keep_num: 50
+          concurrent: true
+          scm:
+            type: git
+            url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
+            branch: "${_param:jenkins_pipelines_branch}"
+            credentials: "${_param:jenkins_gerrit_credentials}"
+            script: backupninja-backup-pipeline.groovy
+          param:
+            SALT_MASTER_CREDENTIALS:
+              type: string
+              default: "salt"
+            SALT_MASTER_URL:
+              type: string
+              default: "${_param:jenkins_salt_api_url}"
+            ASK_CONFIRMATION:
+              type: boolean
+              default: 'true'
+          trigger:
+            timer:
+              enabled: true
+              spec: "${_param:backup_min} ${_param:backup_hour} ${_param:backup_day_of_month} ${_param:backup_month} ${_param:backup_day_of_week}"
diff --git a/jenkins/client/job/deploy/backupninja_restore.yml b/jenkins/client/job/deploy/backupninja_restore.yml
new file mode 100644
index 0000000..192f5dc
--- /dev/null
+++ b/jenkins/client/job/deploy/backupninja_restore.yml
@@ -0,0 +1,26 @@
+
+parameters:
+  jenkins:
+    client:
+      job:
+        backupninja_restore:
+          type: workflow-scm
+          name: backupninja-restore
+          display_name: "Backupninja restore salt-master/MaaS backup"
+          discard:
+            build:
+              keep_num: 50
+          concurrent: true
+          scm:
+            type: git
+            url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
+            branch: "${_param:jenkins_pipelines_branch}"
+            credentials: "${_param:jenkins_gerrit_credentials}"
+            script: backupninja-restore-pipeline.groovy
+          param:
+            SALT_MASTER_CREDENTIALS:
+              type: string
+              default: "salt"
+            SALT_MASTER_URL:
+              type: string
+              default: "${_param:jenkins_salt_api_url}"
diff --git a/jenkins/client/job/deploy/galera_database_backup.yml b/jenkins/client/job/deploy/galera_database_backup.yml
new file mode 100644
index 0000000..6e917fa
--- /dev/null
+++ b/jenkins/client/job/deploy/galera_database_backup.yml
@@ -0,0 +1,35 @@
+parameters:
+  jenkins:
+    client:
+      job:
+        galera_backup_database:
+          type: workflow-scm
+          name: galera-database-backup
+          display_name: "Galera database backup"
+          discard:
+            build:
+              keep_num: 50
+          concurrent: true
+          scm:
+            type: git
+            url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
+            branch: "${_param:jenkins_pipelines_branch}"
+            credentials: "gerrit"
+            script: galera-database-backup-pipeline.groovy
+          param:
+            SALT_MASTER_CREDENTIALS:
+              type: string
+              default: "salt"
+            OVERRIDE_BACKUP_NODE:
+              type: string
+              default: "none"
+            SALT_MASTER_URL:
+              type: string
+              default: "${_param:jenkins_salt_api_url}"
+            ASK_CONFIRMATION:
+              type: boolean
+              default: 'true'
+          trigger:
+            timer:
+              enabled: true
+              spec: "${_param:backup_min} ${_param:backup_hour} ${_param:backup_day_of_month} ${_param:backup_month} ${_param:backup_day_of_week}"
diff --git a/jenkins/client/job/deploy/galera_verify_restore.yml b/jenkins/client/job/deploy/galera_verify_restore.yml
index 73e312a..6f4c619 100644
--- a/jenkins/client/job/deploy/galera_verify_restore.yml
+++ b/jenkins/client/job/deploy/galera_verify_restore.yml
@@ -14,7 +14,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: galera-cluster-verify-restore.groovy
           param:
             SALT_MASTER_CREDENTIALS:
@@ -32,3 +32,10 @@
             VERIFICATION_RETRIES:
               type: string
               default: 5
+            RESTORE_TYPE:
+              type: choice
+              choices:
+                - 'BACKUP_AND_RESTORE'
+                - 'ONLY_RESTORE'
+                - 'RESTART_CLUSTER'
+              description: "Choose required behavior. See documentation for more information."
diff --git a/jenkins/client/job/deploy/k8s_control.yml b/jenkins/client/job/deploy/k8s_control.yml
index 4dba2e7..2f55d0b 100644
--- a/jenkins/client/job/deploy/k8s_control.yml
+++ b/jenkins/client/job/deploy/k8s_control.yml
@@ -14,7 +14,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: deploy-k8s-deployments.groovy
           param:
             # deployments and test settings
diff --git a/jenkins/client/job/deploy/kqueen.yml b/jenkins/client/job/deploy/kqueen.yml
index 9fc5394..ff4a35f 100644
--- a/jenkins/client/job/deploy/kqueen.yml
+++ b/jenkins/client/job/deploy/kqueen.yml
@@ -14,7 +14,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: deploy-aws-k8s-kqueen-pipeline.groovy
           param:
             # deployments
@@ -33,7 +33,7 @@
               default: "${_param:jenkins_gerrit_url}/mk/heat-templates"
             STACK_TEMPLATE_CREDENTIALS:
               type: string
-              default: "gerrit"
+              default: ${_param:jenkins_gerrit_credentials}
             STACK_TEMPLATE_BRANCH:
               type: string
               default: "master"
@@ -74,7 +74,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: deploy-heat-k8s-kqueen-pipeline.groovy
           param:
             # deployments
@@ -93,7 +93,7 @@
               default: "${_param:jenkins_gerrit_url}/mk/heat-templates"
             STACK_TEMPLATE_CREDENTIALS:
               type: string
-              default: "gerrit"
+              default: ${_param:jenkins_gerrit_credentials}
             STACK_TEMPLATE_BRANCH:
               type: string
               default: "master"
diff --git a/jenkins/client/job/deploy/lab/mom_deploy.yml b/jenkins/client/job/deploy/lab/mom_deploy.yml
index 8ae8f53..f03b485 100644
--- a/jenkins/client/job/deploy/lab/mom_deploy.yml
+++ b/jenkins/client/job/deploy/lab/mom_deploy.yml
@@ -13,7 +13,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: deploy-virtual-edge-mom.groovy
           param:
             # general parameters
@@ -100,7 +100,7 @@
               default: "master"
             STACK_TEMPLATE_CREDENTIALS:
               type: string
-              default: "gerrit"
+              default: "${_param:jenkins_gerrit_credentials}"
             STACK_TEMPLATE_URL:
               type: string
               default: "${_param:jenkins_gerrit_url}/mk/heat-templates"
diff --git a/jenkins/client/job/deploy/openstack.yml b/jenkins/client/job/deploy/openstack.yml
index 107b932..3734741 100644
--- a/jenkins/client/job/deploy/openstack.yml
+++ b/jenkins/client/job/deploy/openstack.yml
@@ -14,7 +14,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: cloud-deploy-pipeline.groovy
           param:
             # deployments and test settings
@@ -51,7 +51,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: openstack-compute-install.groovy
           param:
             SALT_MASTER_URL:
diff --git a/jenkins/client/job/deploy/try_mcp.yml b/jenkins/client/job/deploy/try_mcp.yml
index 3ad2878..84ef6ea 100644
--- a/jenkins/client/job/deploy/try_mcp.yml
+++ b/jenkins/client/job/deploy/try_mcp.yml
@@ -14,7 +14,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: deploy-try-mcp.groovy
           param:
             COOKIECUTTER_TEMPLATE_CONTEXT:
diff --git a/jenkins/client/job/deploy/update/cloud_update.yml b/jenkins/client/job/deploy/update/cloud_update.yml
index f3fe8ef..ba658b0 100644
--- a/jenkins/client/job/deploy/update/cloud_update.yml
+++ b/jenkins/client/job/deploy/update/cloud_update.yml
@@ -18,7 +18,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: cloud-update.groovy
           param:
             SALT_MASTER_URL:
diff --git a/jenkins/client/job/deploy/update/config.yml b/jenkins/client/job/deploy/update/config.yml
index 5eafd70..eb5da61 100644
--- a/jenkins/client/job/deploy/update/config.yml
+++ b/jenkins/client/job/deploy/update/config.yml
@@ -18,7 +18,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: change-config.groovy
           param:
             SALT_MASTER_URL:
diff --git a/jenkins/client/job/deploy/update/init.yml b/jenkins/client/job/deploy/update/init.yml
index be7e82e..7abffec 100644
--- a/jenkins/client/job/deploy/update/init.yml
+++ b/jenkins/client/job/deploy/update/init.yml
@@ -1,11 +1,11 @@
 classes:
   - system.jenkins.client.job.deploy.update.package
   - system.jenkins.client.job.deploy.update.config
-  - system.jenkins.client.job.deploy.update.saltenv
   - system.jenkins.client.job.deploy.update.update_mirror_image
   - system.jenkins.client.job.deploy.update.update_ceph
   - system.jenkins.client.job.deploy.update.upgrade
   - system.jenkins.client.job.deploy.update.upgrade_rabbitmq
+  - system.jenkins.client.job.deploy.update.upgrade_galera
   - system.jenkins.client.job.deploy.update.upgrade_compute
   - system.jenkins.client.job.deploy.update.upgrade_mcp_release
   - system.jenkins.client.job.deploy.update.upgrade_ovs_gateway
@@ -18,7 +18,10 @@
   - system.jenkins.client.job.deploy.update.virt_snapshot
   - system.jenkins.client.job.deploy.update.cloud_update
   - system.jenkins.client.job.deploy.update.kubernetes_update
+  - system.jenkins.client.job.deploy.galera_database_backup
   - system.jenkins.client.job.deploy.galera_verify_restore
+  - system.jenkins.client.job.deploy.backupninja_backup
+  - system.jenkins.client.job.deploy.backupninja_restore
   - system.jenkins.client.job.deploy.update.update_glusterfs
   - system.jenkins.client.job.deploy.update.update_glusterfs_servers
   - system.jenkins.client.job.deploy.update.update_glusterfs_clients
diff --git a/jenkins/client/job/deploy/update/kubernetes_update.yml b/jenkins/client/job/deploy/update/kubernetes_update.yml
index ee77583..419f969 100644
--- a/jenkins/client/job/deploy/update/kubernetes_update.yml
+++ b/jenkins/client/job/deploy/update/kubernetes_update.yml
@@ -18,7 +18,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: k8s-upgrade-pipeline.groovy
           param:
             KUBERNETES_HYPERKUBE_SOURCE:
diff --git a/jenkins/client/job/deploy/update/package.yml b/jenkins/client/job/deploy/update/package.yml
index 65a4ac3..7444bcc 100644
--- a/jenkins/client/job/deploy/update/package.yml
+++ b/jenkins/client/job/deploy/update/package.yml
@@ -18,7 +18,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: update-package.groovy
           param:
             SALT_MASTER_URL:
diff --git a/jenkins/client/job/deploy/update/reclass_update_check.yml b/jenkins/client/job/deploy/update/reclass_update_check.yml
index dd279b3..d946d95 100644
--- a/jenkins/client/job/deploy/update/reclass_update_check.yml
+++ b/jenkins/client/job/deploy/update/reclass_update_check.yml
@@ -18,7 +18,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: test-reclass-package.groovy
           param:
             SALT_MASTER_URL:
diff --git a/jenkins/client/job/deploy/update/restore_cassandra.yml b/jenkins/client/job/deploy/update/restore_cassandra.yml
index 8b18eb1..d67ba98 100644
--- a/jenkins/client/job/deploy/update/restore_cassandra.yml
+++ b/jenkins/client/job/deploy/update/restore_cassandra.yml
@@ -18,7 +18,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: restore-cassandra.groovy
           param:
             SALT_MASTER_URL:
diff --git a/jenkins/client/job/deploy/update/restore_zookeeper.yml b/jenkins/client/job/deploy/update/restore_zookeeper.yml
index 3d0dc05..fe0c7ec 100644
--- a/jenkins/client/job/deploy/update/restore_zookeeper.yml
+++ b/jenkins/client/job/deploy/update/restore_zookeeper.yml
@@ -18,7 +18,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: restore-zookeeper.groovy
           param:
             SALT_MASTER_URL:
diff --git a/jenkins/client/job/deploy/update/saltenv.yml b/jenkins/client/job/deploy/update/saltenv.yml
deleted file mode 100644
index f2b38d2..0000000
--- a/jenkins/client/job/deploy/update/saltenv.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-#
-# Following job is about to simply execute Jenkinsfile of given Reclass model
-#
-parameters:
-  _param:
-    jenkins_salt_model_name: "salt"
-    jenkins_salt_model_branch: "master"
-  jenkins:
-    client:
-      job_template:
-        update_salt_env:
-          name: deploy-update-{{name}}
-          jobs:
-            - name: ${_param:jenkins_salt_model_name}
-              salt_url: "${_param:jenkins_salt_api_url}"
-              salt_credentials: salt
-          template:
-            display_name: "Deploy - update {{name}} environment"
-            type: workflow-scm
-            concurrent: false
-            discard:
-              build:
-                keep_num: 10
-              artifact:
-                keep_num: 10
-            scm:
-              type: git
-              url: "${_param:jenkins_gerrit_url}/salt-models/{{name}}"
-              branch: ${_param:jenkins_salt_model_branch}
-              credentials: "gerrit"
-              script: Jenkinsfile
-            param:
-              SALT_MASTER_URL:
-                type: string
-                default: "{{salt_url}}"
-              SALT_MASTER_CREDENTIALS:
-                type: string
-                default: "{{salt_credentials}}"
-              UPDATE_FORMULAS:
-                type: boolean
-                default: "true"
diff --git a/jenkins/client/job/deploy/update/update_ceph.yml b/jenkins/client/job/deploy/update/update_ceph.yml
index 4b7603b..bb460a5 100644
--- a/jenkins/client/job/deploy/update/update_ceph.yml
+++ b/jenkins/client/job/deploy/update/update_ceph.yml
@@ -18,7 +18,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: update-ceph.groovy
           param:
             SALT_MASTER_URL:
@@ -28,8 +28,4 @@
             SALT_MASTER_CREDENTIALS:
               type: string
               default: "salt"
-              description: Credentials to the Salt API.
-            TARGET_SERVERS:
-              type: string
-              default: "*"
-              description: Salt compound target to match nodes to be updated [*, G@osfamily:debian].
+              description: Credentials to the Salt API.
\ No newline at end of file
diff --git a/jenkins/client/job/deploy/update/update_glusterfs.yml b/jenkins/client/job/deploy/update/update_glusterfs.yml
index dfdfc9e..500af76 100644
--- a/jenkins/client/job/deploy/update/update_glusterfs.yml
+++ b/jenkins/client/job/deploy/update/update_glusterfs.yml
@@ -19,7 +19,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: update-glusterfs.groovy
           param:
             DRIVE_TRAIN_PARAMS:
diff --git a/jenkins/client/job/deploy/update/update_glusterfs_clients.yml b/jenkins/client/job/deploy/update/update_glusterfs_clients.yml
index 48a393c..c3f3abd 100644
--- a/jenkins/client/job/deploy/update/update_glusterfs_clients.yml
+++ b/jenkins/client/job/deploy/update/update_glusterfs_clients.yml
@@ -19,7 +19,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: update-glusterfs-clients.groovy
           param:
             DRIVE_TRAIN_PARAMS:
diff --git a/jenkins/client/job/deploy/update/update_glusterfs_cluster_op_version.yml b/jenkins/client/job/deploy/update/update_glusterfs_cluster_op_version.yml
index 24b1217..25fcc72 100644
--- a/jenkins/client/job/deploy/update/update_glusterfs_cluster_op_version.yml
+++ b/jenkins/client/job/deploy/update/update_glusterfs_cluster_op_version.yml
@@ -19,7 +19,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: update-glusterfs-cluster-op-version.groovy
           param:
             DRIVE_TRAIN_PARAMS:
diff --git a/jenkins/client/job/deploy/update/update_glusterfs_servers.yml b/jenkins/client/job/deploy/update/update_glusterfs_servers.yml
index 97f4e77..b6837d7 100644
--- a/jenkins/client/job/deploy/update/update_glusterfs_servers.yml
+++ b/jenkins/client/job/deploy/update/update_glusterfs_servers.yml
@@ -19,7 +19,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: update-glusterfs-servers.groovy
           param:
             DRIVE_TRAIN_PARAMS:
diff --git a/jenkins/client/job/deploy/update/update_mirror_image.yml b/jenkins/client/job/deploy/update/update_mirror_image.yml
index 96e905c..63ea898 100644
--- a/jenkins/client/job/deploy/update/update_mirror_image.yml
+++ b/jenkins/client/job/deploy/update/update_mirror_image.yml
@@ -18,7 +18,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: update-mirror-image.groovy
           param:
             SALT_MASTER_URL:
diff --git a/jenkins/client/job/deploy/update/update_opencontrail4.yml b/jenkins/client/job/deploy/update/update_opencontrail4.yml
index e89d622..98110cb 100644
--- a/jenkins/client/job/deploy/update/update_opencontrail4.yml
+++ b/jenkins/client/job/deploy/update/update_opencontrail4.yml
@@ -18,7 +18,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: opencontrail4-update.groovy
           param:
             SALT_MASTER_URL:
diff --git a/jenkins/client/job/deploy/update/upgrade.yml b/jenkins/client/job/deploy/update/upgrade.yml
index e3b60e1..fdbaab7 100644
--- a/jenkins/client/job/deploy/update/upgrade.yml
+++ b/jenkins/client/job/deploy/update/upgrade.yml
@@ -18,7 +18,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: openstack-control-upgrade.groovy
           param:
             SALT_MASTER_URL:
diff --git a/jenkins/client/job/deploy/update/upgrade_compute.yml b/jenkins/client/job/deploy/update/upgrade_compute.yml
index ed5a222..14919d0 100644
--- a/jenkins/client/job/deploy/update/upgrade_compute.yml
+++ b/jenkins/client/job/deploy/update/upgrade_compute.yml
@@ -18,7 +18,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: openstack-data-upgrade.groovy
           param:
             SALT_MASTER_URL:
diff --git a/jenkins/client/job/deploy/update/upgrade_galera.yml b/jenkins/client/job/deploy/update/upgrade_galera.yml
new file mode 100644
index 0000000..8864529
--- /dev/null
+++ b/jenkins/client/job/deploy/update/upgrade_galera.yml
@@ -0,0 +1,49 @@
+#
+# Jobs to upgrade Galera packages on given Salt master environment
+#
+parameters:
+  jenkins:
+    client:
+      job:
+        deploy-upgrade-galera:
+          type: workflow-scm
+          concurrent: true
+          discard:
+            build:
+              keep_num: 10
+            artifact:
+              keep_num: 10
+          display_name: "Deploy - upgrade Galera cluster"
+          scm:
+            type: git
+            url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
+            branch: "${_param:jenkins_pipelines_branch}"
+            credentials: ${_param:jenkins_gerrit_credentials}
+            script: openstack-galera-upgrade.groovy
+          param:
+            SALT_MASTER_URL:
+              type: string
+              default: "${_param:jenkins_salt_api_url}"
+            SALT_MASTER_CREDENTIALS:
+              type: string
+              default: "salt"
+            SHUTDOWN_CLUSTER:
+              type: boolean
+              default: 'false'
+              description: "Shutdown all mysql instances on target nodes during upgrade"
+            OS_DIST_UPGRADE:
+              type: boolean
+              default: 'false'
+              description: "Upgrade system packages including kernel (apt-get dist-upgrade)"
+            OS_UPGRADE:
+              type: boolean
+              default: 'false'
+              description: "Upgrade all installed applications (apt-get upgrade)"
+            INTERACTIVE:
+              type: boolean
+              default: 'true'
+              description: "Ask interactive questions during pipeline run (bool)"
+            TARGET_SERVERS:
+              type: string
+              default: 'dbs*'
+              description: "Salt compound expression to get mysql servers to upgrade."
diff --git a/jenkins/client/job/deploy/update/upgrade_mcp_release.yml b/jenkins/client/job/deploy/update/upgrade_mcp_release.yml
index 9d46def..091d169 100644
--- a/jenkins/client/job/deploy/update/upgrade_mcp_release.yml
+++ b/jenkins/client/job/deploy/update/upgrade_mcp_release.yml
@@ -20,7 +20,7 @@
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             script: upgrade-mcp-release.groovy
             type: git
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             branch: FETCH_HEAD
             wipe_workspace: True
           param:
diff --git a/jenkins/client/job/deploy/update/upgrade_opencontrail.yml b/jenkins/client/job/deploy/update/upgrade_opencontrail.yml
index 64c3aff..1530d86 100644
--- a/jenkins/client/job/deploy/update/upgrade_opencontrail.yml
+++ b/jenkins/client/job/deploy/update/upgrade_opencontrail.yml
@@ -18,7 +18,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: opencontrail-upgrade.groovy
           param:
             SALT_MASTER_URL:
diff --git a/jenkins/client/job/deploy/update/upgrade_opencontrail4_0.yml b/jenkins/client/job/deploy/update/upgrade_opencontrail4_0.yml
index 2d7ed69..97d151c 100644
--- a/jenkins/client/job/deploy/update/upgrade_opencontrail4_0.yml
+++ b/jenkins/client/job/deploy/update/upgrade_opencontrail4_0.yml
@@ -18,7 +18,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: opencontrail40-upgrade.groovy
           param:
             SALT_MASTER_URL:
diff --git a/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml b/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml
index 9d31352..793dab8 100644
--- a/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml
+++ b/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml
@@ -18,7 +18,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: openstack-data-upgrade.groovy
           param:
             SALT_MASTER_URL:
diff --git a/jenkins/client/job/deploy/update/upgrade_rabbitmq.yml b/jenkins/client/job/deploy/update/upgrade_rabbitmq.yml
index 73c2f1f..aaf3e0a 100644
--- a/jenkins/client/job/deploy/update/upgrade_rabbitmq.yml
+++ b/jenkins/client/job/deploy/update/upgrade_rabbitmq.yml
@@ -18,7 +18,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: openstack-rabbitmq-upgrade.groovy
           param:
             SALT_MASTER_URL:
diff --git a/jenkins/client/job/deploy/update/upgrade_stacklight.yml b/jenkins/client/job/deploy/update/upgrade_stacklight.yml
index 578fd28..57747e4 100644
--- a/jenkins/client/job/deploy/update/upgrade_stacklight.yml
+++ b/jenkins/client/job/deploy/update/upgrade_stacklight.yml
@@ -16,7 +16,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: stacklight-upgrade.groovy
           param:
             SALT_MASTER_URL:
diff --git a/jenkins/client/job/deploy/update/utils.yml b/jenkins/client/job/deploy/update/utils.yml
index ca669d4..aec0574 100644
--- a/jenkins/client/job/deploy/update/utils.yml
+++ b/jenkins/client/job/deploy/update/utils.yml
@@ -15,7 +15,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: update-reclass-metadata.groovy
           param:
             SALT_MASTER_URL:
@@ -43,7 +43,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: update-salt-master-formulas.groovy
           param:
             SALT_MASTER_URL:
@@ -71,7 +71,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: update-jenkins-master-jobs.groovy
           param:
             SALT_MASTER_URL:
diff --git a/jenkins/client/job/deploy/update/virt_snapshot.yml b/jenkins/client/job/deploy/update/virt_snapshot.yml
index feada8a..d63c4f7 100644
--- a/jenkins/client/job/deploy/update/virt_snapshot.yml
+++ b/jenkins/client/job/deploy/update/virt_snapshot.yml
@@ -18,7 +18,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: libvirt-live-snapshots.groovy
           param:
             SALT_MASTER_URL:
diff --git a/jenkins/client/job/git-mirrors/downstream/init.yml b/jenkins/client/job/git-mirrors/downstream/init.yml
index fbfcd56..92a3d6d 100644
--- a/jenkins/client/job/git-mirrors/downstream/init.yml
+++ b/jenkins/client/job/git-mirrors/downstream/init.yml
@@ -19,18 +19,21 @@
               type: git
               url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
               branch: "${_param:jenkins_pipelines_branch}"
-              credentials: "gerrit"
+              credentials: "${_param:jenkins_gerrit_credentials}"
               script: git-mirror-pipeline.groovy
             param:
               SOURCE_URL:
                 type: string
                 default: "{{upstream}}"
+              SOURCE_CREDENTIALS:
+                type: string
+                default: "{{source_credentials}}"
               TARGET_URL:
                 type: string
                 default: "${_param:jenkins_gerrit_url}/{{downstream}}"
               CREDENTIALS_ID:
                 type: string
-                default: "gerrit"
+                default: ${_param:jenkins_gerrit_credentials}
               BRANCHES:
                 type: string
                 default: "{{branches}}"
diff --git a/jenkins/client/job/git-mirrors/downstream/pipelines.yml b/jenkins/client/job/git-mirrors/downstream/pipelines.yml
index fbec27c..ea9cbe1 100644
--- a/jenkins/client/job/git-mirrors/downstream/pipelines.yml
+++ b/jenkins/client/job/git-mirrors/downstream/pipelines.yml
@@ -4,12 +4,17 @@
   _param:
     gerrit_pipeline_library_repo: https://github.com/Mirantis/pipeline-library
     gerrit_mk_pipelines_repo: https://github.com/Mirantis/mk-pipelines
+    pipeline_library_source_credentials: ""
+    mk_pipelines_source_credentials: ${_param:pipeline_library_source_credentials}
+    vnf_onboaring_source_credentials: ${_param:pipeline_library_source_credentials}
     jenkins_git_mirror_downstream_jobs:
       - name: pipeline-library
         downstream: mcp-ci/pipeline-library
         upstream: "${_param:gerrit_pipeline_library_repo}"
         branches: "*"
+        source_credentials: "${_param:pipeline_library_source_credentials}"
       - name: mk-pipelines
         downstream: mk/mk-pipelines
         upstream: "${_param:gerrit_mk_pipelines_repo}"
-        branches: "*"
\ No newline at end of file
+        branches: "*"
+        source_credentials: "${_param:mk_pipelines_source_credentials}"
\ No newline at end of file
diff --git a/jenkins/client/job/salt-models/generate.yml b/jenkins/client/job/salt-models/generate.yml
index 67f8747..8fe0916 100644
--- a/jenkins/client/job/salt-models/generate.yml
+++ b/jenkins/client/job/salt-models/generate.yml
@@ -20,7 +20,7 @@
               type: git
               url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
               branch: "${_param:jenkins_pipelines_branch}"
-              credentials: "gerrit"
+              credentials: ${_param:jenkins_gerrit_credentials}
               script: generate-cookiecutter-products.groovy
             param:
               # Cookiecutter
diff --git a/jenkins/client/job/security/openscap.yml b/jenkins/client/job/security/openscap.yml
index 94baf0f..4a9a84d 100644
--- a/jenkins/client/job/security/openscap.yml
+++ b/jenkins/client/job/security/openscap.yml
@@ -18,7 +18,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: test-openscap-pipeline.groovy
           param:
             OPENSCAP_TEST_TYPE:
diff --git a/jenkins/client/job/validate.yml b/jenkins/client/job/validate.yml
index e4e628a..ec79239 100644
--- a/jenkins/client/job/validate.yml
+++ b/jenkins/client/job/validate.yml
@@ -6,6 +6,11 @@
           enabled: true
           type: ListView
           include_regex: "validate.*"
+      CVP:
+        cvp:
+          enabled: true
+          type: ListView
+          include_regex: "cvp.*"
       job:
         validate_openstack:
           type: workflow-scm
@@ -21,7 +26,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: validate-cloud.groovy
           param:
             SALT_MASTER_URL:
@@ -191,17 +196,17 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: cvp-runner.groovy
           param:
             IMAGE:
               type: string
-              default: ${_param:docker_image_cvp_sanity_checks}
+              default: "${_param:docker_image_cvp_sanity_checks}"
               description: Docker image with tests and all pip dependecies to use for testing
             SALT_MASTER_URL:
               type: string
               default: "${_param:jenkins_salt_api_url}"
-              description: Full Salt API address [e.g. https://10.10.10.2:6969]
+              description: Full Salt API address [e.g. https://10.10.10.2:8969]
             SALT_MASTER_CREDENTIALS:
               type: string
               default: "salt"
@@ -225,7 +230,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: cvp-func.groovy
           param:
             DEBUG_MODE:
@@ -238,15 +243,15 @@
               description: Path to skip list in container
             SALT_MASTER_URL:
               type: string
-              default: "${_param:jenkins_salt_api_url}"
-              description: Full Salt API address [e.g. https://10.10.10.2:6969]
+              default: "http://${_param:salt_master_host}:6969"
+              description: Full Salt API address [e.g. http://10.10.10.2:6969]
             SALT_MASTER_CREDENTIALS:
               type: string
               default: "salt"
               description: Credentials to the Salt API
             TEST_IMAGE:
               type: string
-              default: "xrally/xrally-openstack:0.11.2"
+              default: "${_param:docker_image_cvp_xrally}"
               description: Docker image to use for running Rally/Tempest
             TARGET_NODE:
               type: string
@@ -273,7 +278,7 @@
               description: URL to Tempest repo (local or remote) or path to tempest folder in container
             TOOLS_REPO:
               type: string
-              default: "https://github.com/Mirantis/cvp-configuration -b 2019.2.0"
+              default: "https://github.com/Mirantis/cvp-configuration -b release/${_param:mcp_version}"
               description: URL of repo where testing tools, scenarios, configs are located.
         cvp-ha:
           type: workflow-scm
@@ -289,13 +294,13 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: cvp-ha.groovy
           param:
             SALT_MASTER_URL:
               type: string
-              default: "${_param:jenkins_salt_api_url}"
-              description: Full Salt API address [e.g. https://10.10.10.2:6969]
+              default: "http://${_param:salt_master_host}:6969"
+              description: Full Salt API address [e.g. http://10.10.10.2:6969]
             SALT_MASTER_CREDENTIALS:
               type: string
               default: "salt"
@@ -306,7 +311,7 @@
               description: Node where container with tempest will be run
             TEST_IMAGE:
               type: string
-              default: "xrally/xrally-openstack:0.11.2"
+              default: "${_param:docker_image_cvp_xrally}"
               description: Docker image to use for running Rally/Tempest
             TARGET_NODES:
               type: string
@@ -342,7 +347,7 @@
               description: Can be repo url (local or remote) or path to folder (inside container) with Tempest
             TOOLS_REPO:
               type: string
-              default: "https://github.com/Mirantis/cvp-configuration -b 2019.2.0"
+              default: "https://github.com/Mirantis/cvp-configuration -b release/${_param:mcp_version}"
               description: URL of repo where testing tools, scenarios, configs are located.
         cvp-tempest:
           type: workflow-scm
@@ -358,7 +363,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: cvp-tempest.groovy
           param:
             PREPARE_RESOURCES:
@@ -367,8 +372,8 @@
               description: Prepare resources for Tempest
             SALT_MASTER_URL:
               type: string
-              default: "${_param:jenkins_salt_api_url}"
-              description: SALT_MASTER_URL
+              default: "http://${_param:salt_master_host}:6969"
+              description: Full Salt API address [e.g. http://10.10.10.2:6969]
             TEMPEST_TEST_PATTERN:
               type: string
               default: "set=smoke"
@@ -386,7 +391,7 @@
                 ---
                   DEBUG_MODE: false
                   GENERATE_CONFIG: true
-                  TEST_IMAGE: "docker-prod-virtual.docker.mirantis.net/mirantis/cicd/ci-tempest:${_param:openstack_version}"
+                  TEST_IMAGE: "${_param:docker_image_cvp_tempest}"
                   report_prefix: "cvp_"
               description: YAML context with additional parameters
         cvp-perf:
@@ -403,7 +408,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: cvp-perf.groovy
           param:
             DEBUG_MODE:
@@ -416,12 +421,12 @@
               description: Path to scenario file in container
             TEST_IMAGE:
               type: string
-              default: "xrally/xrally-openstack:0.11.2"
+              default: "${_param:docker_image_cvp_xrally}"
               description: Docker image to use for running Rally/Tempest
             SALT_MASTER_URL:
               type: string
-              default: "${_param:jenkins_salt_api_url}"
-              description: Full Salt API address [e.g. https://10.10.10.2:6969]
+              default: "http://${_param:salt_master_host}:6969"
+              description: Full Salt API address [e.g. http://10.10.10.2:6969]
             SALT_MASTER_CREDENTIALS:
               type: string
               default: "salt"
@@ -432,7 +437,7 @@
               description: Node where docker container with Rally will be run
             TOOLS_REPO:
               type: string
-              default: "https://github.com/Mirantis/cvp-configuration -b 2019.2.0"
+              default: "https://github.com/Mirantis/cvp-configuration -b release/${_param:mcp_version}"
               description: URL of repo where testing tools, scenarios, configs are located.
             PROXY:
               type: string
@@ -452,17 +457,17 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: cvp-runner.groovy
           param:
             IMAGE:
               type: string
-              default: ${_param:docker_image_cvp_sanity_checks}
+              default: "${_param:docker_image_cvp_sanity_checks}"
               description: Docker image with tests and all pip dependecies to use for testing
             SALT_MASTER_URL:
               type: string
               default: "${_param:jenkins_salt_api_url}"
-              description: Full Salt API address [e.g. https://10.10.10.2:6969]
+              description: Full Salt API address [e.g. https://10.10.10.2:8969]
             SALT_MASTER_CREDENTIALS:
               type: string
               default: "salt"
@@ -486,17 +491,17 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: cvp-runner.groovy
           param:
             IMAGE:
               type: string
-              default: ${_param:docker_image_cvp_sanity_checks}
+              default: "${_param:docker_image_cvp_sanity_checks}"
               description: Docker image with tests and all pip dependecies to use for testing
             SALT_MASTER_URL:
               type: string
               default: "${_param:jenkins_salt_api_url}"
-              description: Full Salt API address [e.g. https://10.10.10.2:6969]
+              description: Full Salt API address [e.g. https://10.10.10.2:8969]
             SALT_MASTER_CREDENTIALS:
               type: string
               default: "salt"
@@ -505,7 +510,7 @@
               default: |
                 envs:
                   - tests_set=''
-                  - image_name='Ubuntu'
+                  - image_name=Ubuntu
                   - networks=10.101.0.0/24
               description: 'YAML context with additional parameters. Additional params: HW_NODES, CMP_HOSTS, salt_timeout, skipped_nodes, nova_timeout, iperf_prep_string, IMAGE_SIZE_MB'
         cvp-shaker:
@@ -522,7 +527,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: "gerrit"
+            credentials: ${_param:jenkins_gerrit_credentials}
             script: cvp-shaker.groovy
           param:
             IMAGE:
diff --git a/jenkins/client/ssh_node.yml b/jenkins/client/ssh_node.yml
new file mode 100644
index 0000000..4203e6b
--- /dev/null
+++ b/jenkins/client/ssh_node.yml
@@ -0,0 +1,13 @@
+parameters:
+  jenkins:
+    client:
+      node:
+        slave01:
+          launcher:
+            type: ssh
+        slave02:
+          launcher:
+            type: ssh
+        slave03:
+          launcher:
+            type: ssh
diff --git a/keystone/client/os_client_config/octavia_identity.yml b/keystone/client/os_client_config/octavia_identity.yml
index 3d84b0c..8dabc3f 100644
--- a/keystone/client/os_client_config/octavia_identity.yml
+++ b/keystone/client/os_client_config/octavia_identity.yml
@@ -12,7 +12,7 @@
                   identity_api_version: '3'
                   interface: 'internal'
                   auth:
-                    username: 'octavia'
+                    username: '${_param:keystone_octavia_username}'
                     password: ${_param:keystone_octavia_password}
                     user_domain_name: 'Default'
                     project_name: 'service'
diff --git a/keystone/client/service/aodh.yml b/keystone/client/service/aodh.yml
index 3d2dae0..704ed1b 100644
--- a/keystone/client/service/aodh.yml
+++ b/keystone/client/service/aodh.yml
@@ -12,6 +12,7 @@
             service:
               user:
                 aodh:
+                  name: ${_param:keystone_aodh_username}
                   is_admin: true
                   password: ${_param:keystone_aodh_password}
                   email: ${_param:admin_email}
diff --git a/keystone/client/service/barbican.yml b/keystone/client/service/barbican.yml
index 1a65afd..23bda00 100644
--- a/keystone/client/service/barbican.yml
+++ b/keystone/client/service/barbican.yml
@@ -14,6 +14,7 @@
             service:
               user:
                 barbican:
+                  name: ${_param:keystone_barbican_username}
                   password: ${_param:keystone_barbican_password}
                   email: ${_param:admin_email}
                   options: ${_param:openstack_service_user_options}
diff --git a/keystone/client/service/billometer.yml b/keystone/client/service/billometer.yml
index 14c570e..002ca9b 100644
--- a/keystone/client/service/billometer.yml
+++ b/keystone/client/service/billometer.yml
@@ -11,6 +11,7 @@
             service:
               user:
                 billometer:
+                  name: ${_param:keystone_billometer_username}
                   is_admin: true
                   password: ${_param:keystone_billometer_password}
                   email: ${_param:admin_email}
diff --git a/keystone/client/service/ceilometer.yml b/keystone/client/service/ceilometer.yml
index 131f3bb..ff52e6c 100644
--- a/keystone/client/service/ceilometer.yml
+++ b/keystone/client/service/ceilometer.yml
@@ -5,6 +5,7 @@
     ceilometer_service_protocol: http
     ceilometer_public_host: ${_param:cluster_public_host}
     ceilometer_endpoint_status: present
+    ceilometer_service_status: ${_param:ceilometer_endpoint_status}
   keystone:
     client:
       server:
@@ -13,12 +14,14 @@
             service:
               user:
                 ceilometer:
+                  name: ${_param:keystone_ceilometer_username}
                   is_admin: true
                   password: ${_param:keystone_ceilometer_password}
                   email: ${_param:admin_email}
                   options: ${_param:openstack_service_user_options}
           service:
             ceilometer:
+              status: ${_param:ceilometer_service_status}
               type: metering
               description: OpenStack Telemetry Service
               endpoints:
diff --git a/keystone/client/service/cinder.yml b/keystone/client/service/cinder.yml
index ec0b2ca..c36fef2 100644
--- a/keystone/client/service/cinder.yml
+++ b/keystone/client/service/cinder.yml
@@ -11,6 +11,7 @@
             service:
               user:
                 cinder:
+                  name: ${_param:keystone_cinder_username}
                   is_admin: true
                   password: ${_param:keystone_cinder_password}
                   email: ${_param:admin_email}
diff --git a/keystone/client/service/cinder2.yml b/keystone/client/service/cinder2.yml
index fd8cbfc..0115d1b 100644
--- a/keystone/client/service/cinder2.yml
+++ b/keystone/client/service/cinder2.yml
@@ -11,6 +11,7 @@
             service:
               user:
                 cinder:
+                  name: ${_param:keystone_cinder_username}
                   is_admin: true
                   password: ${_param:keystone_cinder_password}
                   email: ${_param:admin_email}
diff --git a/keystone/client/service/cinder3.yml b/keystone/client/service/cinder3.yml
index 6280a7b..cd0df24 100644
--- a/keystone/client/service/cinder3.yml
+++ b/keystone/client/service/cinder3.yml
@@ -11,6 +11,7 @@
             service:
               user:
                 cinder:
+                  name: ${_param:keystone_cinder_username}
                   is_admin: true
                   password: ${_param:keystone_cinder_password}
                   email: ${_param:admin_email}
diff --git a/keystone/client/service/congress.yml b/keystone/client/service/congress.yml
index e0a6754..6c51c33 100644
--- a/keystone/client/service/congress.yml
+++ b/keystone/client/service/congress.yml
@@ -11,6 +11,7 @@
             service:
               user:
                 congress:
+                  name: ${_param:keystone_congress_username}
                   is_admin: true
                   password: ${_param:keystone_congress_password}
                   email: ${_param:admin_email}
diff --git a/keystone/client/service/contrail.yml b/keystone/client/service/contrail.yml
index 6792156..8f2534e 100644
--- a/keystone/client/service/contrail.yml
+++ b/keystone/client/service/contrail.yml
@@ -1,8 +1,6 @@
 classes:
 - system.keystone.client.v3.service.contrail
 parameters:
-  _param:
-    contrail_service_protocol: http
   keystone:
     client:
       server:
@@ -25,11 +23,11 @@
                 public_address: ${_param:cluster_public_host}
                 public_port: 8082
                 public_path: ''
-                internal_protocol: ${_param:contrail_service_protocol}
+                internal_protocol: ${_param:opencontrail_api_protocol}
                 internal_address: ${_param:opencontrail_control_address}
                 internal_port: 8082
                 internal_path: ''
-                admin_protocol: ${_param:contrail_service_protocol}
+                admin_protocol: ${_param:opencontrail_api_protocol}
                 admin_address: ${_param:opencontrail_control_address}
                 admin_port: 8082
                 admin_path: ''
\ No newline at end of file
diff --git a/keystone/client/service/designate.yml b/keystone/client/service/designate.yml
index 80f3761..b3756b8 100644
--- a/keystone/client/service/designate.yml
+++ b/keystone/client/service/designate.yml
@@ -11,6 +11,7 @@
             service:
               user:
                 designate:
+                  name: ${_param:keystone_designate_username}
                   is_admin: true
                   password: ${_param:keystone_designate_password}
                   email: ${_param:admin_email}
diff --git a/keystone/client/service/glance.yml b/keystone/client/service/glance.yml
index 69b5d8b..67ced92 100644
--- a/keystone/client/service/glance.yml
+++ b/keystone/client/service/glance.yml
@@ -11,6 +11,7 @@
             service:
               user:
                 glance:
+                  name: ${_param:keystone_glance_username}
                   is_admin: true
                   password: ${_param:keystone_glance_password}
                   email: ${_param:admin_email}
diff --git a/keystone/client/service/glare.yml b/keystone/client/service/glare.yml
index 22d619f..8bd8c4c 100644
--- a/keystone/client/service/glare.yml
+++ b/keystone/client/service/glare.yml
@@ -9,6 +9,7 @@
             service:
               user:
                 glance:
+                  name: ${_param:keystone_glance_username}
                   is_admin: true
                   password: ${_param:keystone_glance_password}
                   email: ${_param:admin_email}
diff --git a/keystone/client/service/gnocchi.yml b/keystone/client/service/gnocchi.yml
index 2336a8c..fa38f05 100644
--- a/keystone/client/service/gnocchi.yml
+++ b/keystone/client/service/gnocchi.yml
@@ -14,6 +14,7 @@
             service:
               user:
                 gnocchi:
+                  name: ${_param:keystone_gnocchi_username}
                   is_admin: true
                   password: ${_param:keystone_gnocchi_password}
                   email: ${_param:admin_email}
diff --git a/keystone/client/service/heat.yml b/keystone/client/service/heat.yml
index 9c17b06..6d8a8f0 100644
--- a/keystone/client/service/heat.yml
+++ b/keystone/client/service/heat.yml
@@ -14,6 +14,7 @@
             service:
               user:
                 heat:
+                  name: ${_param:keystone_heat_username}
                   is_admin: true
                   password: ${_param:keystone_heat_password}
                   email: ${_param:admin_email}
diff --git a/keystone/client/service/ironic.yml b/keystone/client/service/ironic.yml
index e350284..ce449c2 100644
--- a/keystone/client/service/ironic.yml
+++ b/keystone/client/service/ironic.yml
@@ -12,6 +12,7 @@
             service:
               user:
                 ironic:
+                  name: ${_param:keystone_ironic_username}
                   is_admin: true
                   password: ${_param:keystone_ironic_password}
                   email: ${_param:admin_email}
diff --git a/keystone/client/service/manila.yml b/keystone/client/service/manila.yml
index 5cc66d2..8f83e18 100644
--- a/keystone/client/service/manila.yml
+++ b/keystone/client/service/manila.yml
@@ -11,6 +11,7 @@
             service:
               user:
                 manila:
+                  name: ${_param:keystone_manila_username}
                   is_admin: true
                   password: ${_param:keystone_manila_password}
                   email: ${_param:admin_email}
diff --git a/keystone/client/service/manila2.yml b/keystone/client/service/manila2.yml
index 8cccc24..2be0481 100644
--- a/keystone/client/service/manila2.yml
+++ b/keystone/client/service/manila2.yml
@@ -11,6 +11,7 @@
             service:
               user:
                 manila:
+                  name: ${_param:keystone_manila_username}
                   is_admin: true
                   password: ${_param:keystone_manila_password}
                   email: ${_param:admin_email}
diff --git a/keystone/client/service/murano.yml b/keystone/client/service/murano.yml
index 1652ac2..9e01c74 100644
--- a/keystone/client/service/murano.yml
+++ b/keystone/client/service/murano.yml
@@ -9,6 +9,7 @@
             service:
               user:
                 murano:
+                  name: ${_param:keystone_murano_username}
                   is_admin: true
                   password: ${_param:keystone_murano_password}
                   email: ${_param:admin_email}
diff --git a/keystone/client/service/neutron.yml b/keystone/client/service/neutron.yml
index 59e4b33..86102a2 100644
--- a/keystone/client/service/neutron.yml
+++ b/keystone/client/service/neutron.yml
@@ -11,6 +11,7 @@
             service:
               user:
                 neutron:
+                  name: ${_param:keystone_neutron_username}
                   is_admin: true
                   password: ${_param:keystone_neutron_password}
                   email: ${_param:admin_email}
diff --git a/keystone/client/service/nova.yml b/keystone/client/service/nova.yml
index 22bbfc9..ddb5ff8 100644
--- a/keystone/client/service/nova.yml
+++ b/keystone/client/service/nova.yml
@@ -11,6 +11,7 @@
             service:
               user:
                 nova:
+                  name: ${_param:keystone_nova_username}
                   is_admin: true
                   password: ${_param:keystone_nova_password}
                   email: ${_param:admin_email}
diff --git a/keystone/client/service/nova21.yml b/keystone/client/service/nova21.yml
index 27a0580..9de386e 100644
--- a/keystone/client/service/nova21.yml
+++ b/keystone/client/service/nova21.yml
@@ -11,6 +11,7 @@
             service:
               user:
                 nova:
+                  name: ${_param:keystone_nova_username}
                   is_admin: true
                   password: ${_param:keystone_nova_password}
                   email: ${_param:admin_email}
diff --git a/keystone/client/service/octavia.yml b/keystone/client/service/octavia.yml
index c5ca83f..b6dab99 100644
--- a/keystone/client/service/octavia.yml
+++ b/keystone/client/service/octavia.yml
@@ -15,6 +15,7 @@
             service:
               user:
                 octavia:
+                  name: ${_param:keystone_octavia_username}
                   is_admin: true
                   password: ${_param:keystone_octavia_password}
                   email: ${_param:admin_email}
@@ -39,7 +40,7 @@
                 admin_path: '/'
         octavia_identity:
           admin:
-            user: octavia
+            user: ${_param:keystone_octavia_username}
             password: ${_param:keystone_octavia_password}
             project: service
             host: ${_param:keystone_service_host}
diff --git a/keystone/client/service/panko.yml b/keystone/client/service/panko.yml
index 43897be..46939ca 100644
--- a/keystone/client/service/panko.yml
+++ b/keystone/client/service/panko.yml
@@ -12,6 +12,7 @@
             service:
               user:
                 panko:
+                  name: ${_param:keystone_panko_username}
                   is_admin: true
                   password: ${_param:keystone_panko_password}
                   email: ${_param:admin_email}
diff --git a/keystone/client/service/radosgw-s3.yml b/keystone/client/service/radosgw-s3.yml
index bcf596f..464ffb2 100644
--- a/keystone/client/service/radosgw-s3.yml
+++ b/keystone/client/service/radosgw-s3.yml
@@ -12,6 +12,7 @@
             service:
               user:
                 swift:
+                  name: ${_param:keystone_swift_username}
                   is_admin: true
                   password: ${_param:keystone_swift_password}
                   email: ${_param:admin_email}
diff --git a/keystone/client/service/radosgw-swift.yml b/keystone/client/service/radosgw-swift.yml
index c8b6569..df88eb3 100644
--- a/keystone/client/service/radosgw-swift.yml
+++ b/keystone/client/service/radosgw-swift.yml
@@ -14,6 +14,7 @@
             service:
               user:
                 swift:
+                  name: ${_param:keystone_swift_username}
                   is_admin: true
                   password: ${_param:keystone_swift_password}
                   email: ${_param:admin_email}
diff --git a/keystone/client/service/sahara.yml b/keystone/client/service/sahara.yml
index 8d88168..2ae7e42 100644
--- a/keystone/client/service/sahara.yml
+++ b/keystone/client/service/sahara.yml
@@ -9,6 +9,7 @@
             service:
               user:
                 sahara:
+                  name: ${_param:keystone_sahara_username}
                   is_admin: true
                   password: ${_param:keystone_sahara_password}
                   email: ${_param:admin_email}
diff --git a/keystone/client/service/swift-s3.yml b/keystone/client/service/swift-s3.yml
index 36050a4..5df5db8 100644
--- a/keystone/client/service/swift-s3.yml
+++ b/keystone/client/service/swift-s3.yml
@@ -9,6 +9,7 @@
             service:
               user:
                 swift:
+                  name: ${_param:keystone_swift_username}
                   is_admin: true
                   password: ${_param:keystone_swift_password}
                   email: ${_param:admin_email}
diff --git a/keystone/client/service/swift.yml b/keystone/client/service/swift.yml
index ddcaf26..5398f40 100644
--- a/keystone/client/service/swift.yml
+++ b/keystone/client/service/swift.yml
@@ -9,6 +9,7 @@
             service:
               user:
                 swift:
+                  name: ${_param:keystone_swift_username}
                   is_admin: true
                   password: ${_param:keystone_swift_password}
                   email: ${_param:admin_email}
diff --git a/keystone/client/service/tacker.yml b/keystone/client/service/tacker.yml
index e1c7019..69fbc62 100644
--- a/keystone/client/service/tacker.yml
+++ b/keystone/client/service/tacker.yml
@@ -10,6 +10,7 @@
             service:
               user:
                 tacker:
+                  name: ${_param:keystone_tacker_username}
                   is_admin: true
                   password: ${_param:keystone_tacker_password}
                   email: ${_param:admin_email}
diff --git a/keystone/client/v3/service/aodh.yml b/keystone/client/v3/service/aodh.yml
index a4f217c..af9b9b2 100644
--- a/keystone/client/v3/service/aodh.yml
+++ b/keystone/client/v3/service/aodh.yml
@@ -9,6 +9,7 @@
           cloud_name: 'admin_identity'
           users:
             aodh:
+              name: ${_param:keystone_aodh_username}
               password: ${_param:keystone_aodh_password}
               email: ${_param:admin_email}
               options: ${_param:openstack_service_user_options}
diff --git a/keystone/client/v3/service/barbican.yml b/keystone/client/v3/service/barbican.yml
index f008abc..9708bdc 100644
--- a/keystone/client/v3/service/barbican.yml
+++ b/keystone/client/v3/service/barbican.yml
@@ -14,6 +14,7 @@
               enabled: true
           users:
             barbican:
+              name: ${_param:keystone_barbican_username}
               password: ${_param:keystone_barbican_password}
               email: ${_param:admin_email}
               options: ${_param:openstack_service_user_options}
diff --git a/keystone/client/v3/service/billometer.yml b/keystone/client/v3/service/billometer.yml
index 9e115eb..6ab12ed 100644
--- a/keystone/client/v3/service/billometer.yml
+++ b/keystone/client/v3/service/billometer.yml
@@ -7,6 +7,7 @@
         v3:
           users:
             billometer:
+              name: ${_param:keystone_billometer_username}
               password: ${_param:keystone_billometer_password}
               email: ${_param:admin_email}
               options: ${_param:openstack_service_user_options}
diff --git a/keystone/client/v3/service/ceilometer.yml b/keystone/client/v3/service/ceilometer.yml
index 9129773..3cdb748 100644
--- a/keystone/client/v3/service/ceilometer.yml
+++ b/keystone/client/v3/service/ceilometer.yml
@@ -8,6 +8,7 @@
         v3:
           users:
             ceilometer:
+              name: ${_param:keystone_ceilometer_username}
               password: ${_param:keystone_ceilometer_password}
               email: ${_param:admin_email}
               options: ${_param:openstack_service_user_options}
@@ -17,6 +18,7 @@
                   project_id: service
           services:
             ceilometer:
+              status: ${_param:ceilometer_service_status}
               type: metering
               description: OpenStack Telemetry Service
               endpoints:
diff --git a/keystone/client/v3/service/cinder.yml b/keystone/client/v3/service/cinder.yml
index 1dd279a..b94b713 100644
--- a/keystone/client/v3/service/cinder.yml
+++ b/keystone/client/v3/service/cinder.yml
@@ -7,6 +7,7 @@
         v3:
           users:
             cinder:
+              name: ${_param:keystone_cinder_username}
               password: ${_param:keystone_cinder_password}
               email: ${_param:admin_email}
               options: ${_param:openstack_service_user_options}
diff --git a/keystone/client/v3/service/cinder2.yml b/keystone/client/v3/service/cinder2.yml
index 4d49d2b..e392a6a 100644
--- a/keystone/client/v3/service/cinder2.yml
+++ b/keystone/client/v3/service/cinder2.yml
@@ -7,6 +7,7 @@
         v3:
           users:
             cinder:
+              name: ${_param:keystone_cinder_username}
               password: ${_param:keystone_cinder_password}
               email: ${_param:admin_email}
               options: ${_param:openstack_service_user_options}
diff --git a/keystone/client/v3/service/cinder3.yml b/keystone/client/v3/service/cinder3.yml
index a4465ac..1ded99a 100644
--- a/keystone/client/v3/service/cinder3.yml
+++ b/keystone/client/v3/service/cinder3.yml
@@ -7,6 +7,7 @@
         v3:
           users:
             cinder:
+              name: ${_param:keystone_cinder_username}
               password: ${_param:keystone_cinder_password}
               email: ${_param:admin_email}
               options: ${_param:openstack_service_user_options}
diff --git a/keystone/client/v3/service/congress.yml b/keystone/client/v3/service/congress.yml
index 0d34181..936f71c 100644
--- a/keystone/client/v3/service/congress.yml
+++ b/keystone/client/v3/service/congress.yml
@@ -7,6 +7,7 @@
         v3:
           users:
             congress:
+              name: ${_param:keystone_congress_username}
               password: ${_param:keystone_congress_password}
               email: ${_param:admin_email}
               options: ${_param:openstack_service_user_options}
diff --git a/keystone/client/v3/service/contrail.yml b/keystone/client/v3/service/contrail.yml
index 930804a..f9bbd69 100644
--- a/keystone/client/v3/service/contrail.yml
+++ b/keystone/client/v3/service/contrail.yml
@@ -1,6 +1,4 @@
 parameters:
-  _param:
-    contrail_service_protocol: http
   keystone:
     client:
       server:
@@ -37,9 +35,9 @@
                   region: ${_param:openstack_region}
                 contrail_internal:
                   interface: 'internal'
-                  url: ${_param:contrail_service_protocol}://${_param:opencontrail_control_address}:8082
+                  url: ${_param:opencontrail_api_protocol}://${_param:opencontrail_control_address}:8082
                   region: ${_param:openstack_region}
                 contrail_admin:
                   interface: 'admin'
-                  url: ${_param:contrail_service_protocol}://${_param:opencontrail_control_address}:8082
+                  url: ${_param:opencontrail_api_protocol}://${_param:opencontrail_control_address}:8082
                   region: ${_param:openstack_region}
diff --git a/keystone/client/v3/service/designate.yml b/keystone/client/v3/service/designate.yml
index 271ea22..544a172 100644
--- a/keystone/client/v3/service/designate.yml
+++ b/keystone/client/v3/service/designate.yml
@@ -7,6 +7,7 @@
         v3:
           users:
             designate:
+              name: ${_param:keystone_designate_username}
               password: ${_param:keystone_designate_password}
               email: ${_param:admin_email}
               options: ${_param:openstack_service_user_options}
diff --git a/keystone/client/v3/service/glance.yml b/keystone/client/v3/service/glance.yml
index 0e01709..3abc3c8 100644
--- a/keystone/client/v3/service/glance.yml
+++ b/keystone/client/v3/service/glance.yml
@@ -7,6 +7,7 @@
         v3:
           users:
             glance:
+              name: ${_param:keystone_glance_username}
               password: ${_param:keystone_glance_password}
               email: ${_param:admin_email}
               options: ${_param:openstack_service_user_options}
diff --git a/keystone/client/v3/service/gnocchi.yml b/keystone/client/v3/service/gnocchi.yml
index 63241db..da3dfa7 100644
--- a/keystone/client/v3/service/gnocchi.yml
+++ b/keystone/client/v3/service/gnocchi.yml
@@ -8,6 +8,7 @@
         v3:
           users:
             gnocchi:
+              name: ${_param:keystone_gnocchi_username}
               password: ${_param:keystone_gnocchi_password}
               email: ${_param:admin_email}
               options: ${_param:openstack_service_user_options}
diff --git a/keystone/client/v3/service/heat.yml b/keystone/client/v3/service/heat.yml
index 54c8f0b..2163292 100644
--- a/keystone/client/v3/service/heat.yml
+++ b/keystone/client/v3/service/heat.yml
@@ -14,6 +14,7 @@
               enabled: true
           users:
             heat:
+              name: ${_param:keystone_heat_username}
               password: ${_param:keystone_heat_password}
               email: ${_param:admin_email}
               options: ${_param:openstack_service_user_options}
diff --git a/keystone/client/v3/service/ironic.yml b/keystone/client/v3/service/ironic.yml
index bd2795b..5dc431e 100644
--- a/keystone/client/v3/service/ironic.yml
+++ b/keystone/client/v3/service/ironic.yml
@@ -8,6 +8,7 @@
         v3:
           users:
             ironic:
+              name: ${_param:keystone_ironic_username}
               password: ${_param:keystone_ironic_password}
               email: ${_param:admin_email}
               options: ${_param:openstack_service_user_options}
diff --git a/keystone/client/v3/service/manila.yml b/keystone/client/v3/service/manila.yml
index bb90159..6519b84 100644
--- a/keystone/client/v3/service/manila.yml
+++ b/keystone/client/v3/service/manila.yml
@@ -7,6 +7,7 @@
         v3:
           users:
             manila:
+              name: ${_param:keystone_manila_username}
               password: ${_param:keystone_manila_password}
               email: ${_param:admin_email}
               options: ${_param:openstack_service_user_options}
diff --git a/keystone/client/v3/service/manila2.yml b/keystone/client/v3/service/manila2.yml
index f5771ad..1ccf704 100644
--- a/keystone/client/v3/service/manila2.yml
+++ b/keystone/client/v3/service/manila2.yml
@@ -7,6 +7,7 @@
         v3:
           users:
             manila:
+              name: ${_param:keystone_manila_username}
               password: ${_param:keystone_manila_password}
               email: ${_param:admin_email}
               options: ${_param:openstack_service_user_options}
diff --git a/keystone/client/v3/service/neutron.yml b/keystone/client/v3/service/neutron.yml
index 6af16f9..1d6dae8 100644
--- a/keystone/client/v3/service/neutron.yml
+++ b/keystone/client/v3/service/neutron.yml
@@ -7,6 +7,7 @@
         v3:
           users:
             neutron:
+              name: ${_param:keystone_neutron_username}
               password: ${_param:keystone_neutron_password}
               email: ${_param:admin_email}
               options: ${_param:openstack_service_user_options}
diff --git a/keystone/client/v3/service/nova.yml b/keystone/client/v3/service/nova.yml
index d0c7366..2015900 100644
--- a/keystone/client/v3/service/nova.yml
+++ b/keystone/client/v3/service/nova.yml
@@ -7,6 +7,7 @@
         v3:
           users:
             nova:
+              name: ${_param:keystone_nova_username}
               password: ${_param:keystone_nova_password}
               email: ${_param:admin_email}
               options: ${_param:openstack_service_user_options}
diff --git a/keystone/client/v3/service/nova21.yml b/keystone/client/v3/service/nova21.yml
index 85bd29f..6ed684b 100644
--- a/keystone/client/v3/service/nova21.yml
+++ b/keystone/client/v3/service/nova21.yml
@@ -7,6 +7,7 @@
         v3:
           users:
             nova:
+              name: ${_param:keystone_nova_username}
               password: ${_param:keystone_nova_password}
               email: ${_param:admin_email}
               options: ${_param:openstack_service_user_options}
diff --git a/keystone/client/v3/service/octavia.yml b/keystone/client/v3/service/octavia.yml
index 54c8bc9..035dbfb 100644
--- a/keystone/client/v3/service/octavia.yml
+++ b/keystone/client/v3/service/octavia.yml
@@ -24,6 +24,7 @@
               enabled: true
           users:
             octavia:
+              name: ${_param:keystone_octavia_username}
               password: ${_param:keystone_octavia_password}
               email: ${_param:admin_email}
               options: ${_param:openstack_service_user_options}
diff --git a/keystone/client/v3/service/panko.yml b/keystone/client/v3/service/panko.yml
index 226f601..1620d91 100644
--- a/keystone/client/v3/service/panko.yml
+++ b/keystone/client/v3/service/panko.yml
@@ -8,6 +8,7 @@
         v3:
           users:
             panko:
+              name: ${_param:keystone_panko_username}
               password: ${_param:keystone_panko_password}
               email: ${_param:admin_email}
               options: ${_param:openstack_service_user_options}
diff --git a/keystone/client/v3/service/radosgw-s3.yml b/keystone/client/v3/service/radosgw-s3.yml
index 1a7ae3c..0da4b0b 100644
--- a/keystone/client/v3/service/radosgw-s3.yml
+++ b/keystone/client/v3/service/radosgw-s3.yml
@@ -8,6 +8,7 @@
         v3:
           users:
             swift:
+              name: ${_param:keystone_swift_username}
               password: ${_param:keystone_swift_password}
               email: ${_param:admin_email}
               options: ${_param:openstack_service_user_options}
diff --git a/keystone/client/v3/service/radosgw-swift.yml b/keystone/client/v3/service/radosgw-swift.yml
index 2e78bb9..cf1290d 100644
--- a/keystone/client/v3/service/radosgw-swift.yml
+++ b/keystone/client/v3/service/radosgw-swift.yml
@@ -12,6 +12,7 @@
               enabled: true
           users:
             swift:
+              name: ${_param:keystone_swift_username}
               password: ${_param:keystone_swift_password}
               email: ${_param:admin_email}
               options: ${_param:openstack_service_user_options}
diff --git a/keystone/client/v3/service/tacker.yml b/keystone/client/v3/service/tacker.yml
index bddca05..4d4396e 100644
--- a/keystone/client/v3/service/tacker.yml
+++ b/keystone/client/v3/service/tacker.yml
@@ -8,6 +8,7 @@
         v3:
           users:
             tacker:
+              name: ${_param:keystone_tacker_username}
               password: ${_param:keystone_tacker_password}
               email: ${_param:admin_email}
               options: ${_param:openstack_service_user_options}
diff --git a/keystone/server/cluster.yml b/keystone/server/cluster.yml
index 824c6b5..e0d01d9 100644
--- a/keystone/server/cluster.yml
+++ b/keystone/server/cluster.yml
@@ -5,6 +5,8 @@
 - system.haproxy.proxy.listen.openstack.keystone
 - system.haproxy.proxy.listen.openstack.keystone.standalone
 - system.linux.system.users.keystone
+# Add os-ctl-vip address to ctl nodes PROD-31397
+- system.linux.network.hosts.openstack
 - system.keystone.server.fernet_rotation.cluster
 - system.salt.minion.cert.mysql.clients.openstack.keystone
 - system.salt.minion.cert.rabbitmq.clients.openstack.keystone
@@ -46,7 +48,7 @@
         host: ${_param:openstack_database_address}
         name: keystone
         password: ${_param:mysql_keystone_password}
-        user: keystone
+        user: ${_param:mysql_keystone_username}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
           ca_file: ${_param:mysql_keystone_ssl_ca_file}
diff --git a/keystone/server/single.yml b/keystone/server/single.yml
index 014a6dc..8c5e594 100644
--- a/keystone/server/single.yml
+++ b/keystone/server/single.yml
@@ -43,7 +43,7 @@
         host: ${_param:single_address}
         name: keystone
         password: ${_param:mysql_keystone_password}
-        user: keystone
+        user: ${_param:mysql_keystone_username}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
           ca_file: ${_param:mysql_keystone_ssl_ca_file}
diff --git a/manila/common/cluster.yml b/manila/common/cluster.yml
index 57ced1d..73c679b 100644
--- a/manila/common/cluster.yml
+++ b/manila/common/cluster.yml
@@ -28,7 +28,7 @@
         host: ${_param:openstack_database_address}
         port: 3306
         name: manila
-        user: manila
+        user: ${_param:mysql_manila_username}
         password: ${_param:mysql_manila_password}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
@@ -42,7 +42,7 @@
         region: ${_param:openstack_region}
         host: ${_param:manila_cluster_vip_address}
         port: 35357
-        user: manila
+        user: ${_param:keystone_manila_username}
         password: ${_param:keystone_manila_password}
         tenant: service
         auth_type: password
diff --git a/manila/common/single.yml b/manila/common/single.yml
index 00f42eb..fe59263 100644
--- a/manila/common/single.yml
+++ b/manila/common/single.yml
@@ -26,7 +26,7 @@
         host: ${_param:single_address}
         port: 3306
         name: manila
-        user: manila
+        user: ${_param:mysql_manila_username}
         password: ${_param:mysql_manila_password}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
@@ -40,7 +40,7 @@
         region: ${_param:openstack_region}
         host: ${_param:single_address}
         port: 35357
-        user: manila
+        user: ${_param:keystone_manila_username}
         password: ${_param:keystone_manila_password}
         tenant: service
         auth_type: password
diff --git a/murano/server/cluster.yml b/murano/server/cluster.yml
index a9b1f6d..73dcb38 100644
--- a/murano/server/cluster.yml
+++ b/murano/server/cluster.yml
@@ -19,14 +19,14 @@
         host: ${_param:openstack_database_address}
         port: 3306
         name: murano
-        user: murano
+        user: ${_param:mysql_murano_username}
         password: ${_param:mysql_murano_password}
       identity:
         engine: keystone
         host: ${_param:openstack_control_address}
         port: 35357
         tenant: service
-        user: murano
+        user: ${_param:keystone_murano_username}
         password: ${_param:keystone_murano_password}
       message_queue:
         engine: rabbitmq
diff --git a/murano/server/single.yml b/murano/server/single.yml
index 8c85019..1512893 100644
--- a/murano/server/single.yml
+++ b/murano/server/single.yml
@@ -17,14 +17,14 @@
         host: ${_param:openstack_database_address}
         port: 3306
         name: murano
-        user: murano
+        user: ${_param:mysql_murano_username}
         password: ${_param:mysql_murano_password}
       identity:
         engine: keystone
         host: ${_param:openstack_control_address}
         port: 35357
         tenant: service
-        user: murano
+        user: ${_param:keystone_murano_username}
         password: ${_param:keystone_murano_password}
       message_queue:
         engine: rabbitmq
diff --git a/mysql/client/database/aodh.yml b/mysql/client/database/aodh.yml
index 92a2b29..b8842e9 100644
--- a/mysql/client/database/aodh.yml
+++ b/mysql/client/database/aodh.yml
@@ -7,11 +7,11 @@
             aodh:
               encoding: utf8
               users:
-              - name: aodh
+              - name: ${_param:mysql_aodh_username}
                 password: ${_param:mysql_aodh_password}
                 host: '%'
                 rights: all
-              - name: aodh
+              - name: ${_param:mysql_aodh_username}
                 password: ${_param:mysql_aodh_password}
                 host: ${_param:single_address}
                 rights: all
\ No newline at end of file
diff --git a/mysql/client/database/barbican.yml b/mysql/client/database/barbican.yml
index f9fe6dd..a900905 100644
--- a/mysql/client/database/barbican.yml
+++ b/mysql/client/database/barbican.yml
@@ -7,11 +7,11 @@
             barbican:
               encoding: utf8
               users:
-              - name: barbican
+              - name: ${_param:mysql_barbican_username}
                 password: ${_param:mysql_barbican_password}
                 host: '%'
                 rights: all
-              - name: barbican
+              - name: ${_param:mysql_barbican_username}
                 password: ${_param:mysql_barbican_password}
                 host: ${_param:single_address}
                 rights: all
diff --git a/mysql/client/database/ceilometer.yml b/mysql/client/database/ceilometer.yml
index 436bf97..4cf65a1 100644
--- a/mysql/client/database/ceilometer.yml
+++ b/mysql/client/database/ceilometer.yml
@@ -7,11 +7,11 @@
             ceilometer:
               encoding: utf8
               users:
-              - name: ceilometer
+              - name: ${_param:mysql_ceilometer_username}
                 password: ${_param:mysql_ceilometer_password}
                 host: '%'
                 rights: all
-              - name: ceilometer
+              - name: ${_param:mysql_ceilometer_username}
                 password: ${_param:mysql_ceilometer_password}
                 host: ${_param:single_address}
                 rights: all
diff --git a/mysql/client/database/cinder.yml b/mysql/client/database/cinder.yml
index 4d6783b..280b35b 100644
--- a/mysql/client/database/cinder.yml
+++ b/mysql/client/database/cinder.yml
@@ -7,11 +7,11 @@
             cinder:
               encoding: utf8
               users:
-              - name: cinder
+              - name: ${_param:mysql_cinder_username}
                 password: ${_param:mysql_cinder_password}
                 host: '%'
                 rights: all
-              - name: cinder
+              - name: ${_param:mysql_cinder_username}
                 password: ${_param:mysql_cinder_password}
                 host: ${_param:single_address}
                 rights: all
diff --git a/mysql/client/database/designate.yml b/mysql/client/database/designate.yml
index cee6ff1..f6301a8 100644
--- a/mysql/client/database/designate.yml
+++ b/mysql/client/database/designate.yml
@@ -7,11 +7,11 @@
             designate:
               encoding: utf8
               users:
-              - name: designate
+              - name: ${_param:mysql_designate_username}
                 password: ${_param:mysql_designate_password}
                 host: '%'
                 rights: all
-              - name: designate
+              - name: ${_param:mysql_designate_username}
                 password: ${_param:mysql_designate_password}
                 host: ${_param:single_address}
                 rights: all
\ No newline at end of file
diff --git a/mysql/client/database/designate_pool_manager.yml b/mysql/client/database/designate_pool_manager.yml
index 6913bd4..09352b4 100644
--- a/mysql/client/database/designate_pool_manager.yml
+++ b/mysql/client/database/designate_pool_manager.yml
@@ -7,11 +7,11 @@
             designate_pool_manager:
               encoding: utf8
               users:
-              - name: designate
+              - name: ${_param:mysql_designate_username}
                 password: ${_param:mysql_designate_password}
                 host: '%'
                 rights: all
-              - name: designate
+              - name: ${_param:mysql_designate_username}
                 password: ${_param:mysql_designate_password}
                 host: ${_param:single_address}
                 rights: all
diff --git a/mysql/client/database/glance.yml b/mysql/client/database/glance.yml
index b93b343..6a8a4d1 100644
--- a/mysql/client/database/glance.yml
+++ b/mysql/client/database/glance.yml
@@ -7,11 +7,11 @@
             glance:
               encoding: utf8
               users:
-              - name: glance
+              - name: ${_param:mysql_glance_username}
                 password: ${_param:mysql_glance_password}
                 host: '%'
                 rights: all
-              - name: glance
+              - name: ${_param:mysql_glance_username}
                 password: ${_param:mysql_glance_password}
                 host: ${_param:single_address}
                 rights: all
diff --git a/mysql/client/database/grafana.yml b/mysql/client/database/grafana.yml
index a2899f0..26bc3cd 100644
--- a/mysql/client/database/grafana.yml
+++ b/mysql/client/database/grafana.yml
@@ -7,11 +7,11 @@
             grafana:
               encoding: utf8
               users:
-              - name: grafana
+              - name: ${_param:mysql_grafana_username}
                 password: ${_param:mysql_grafana_password}
                 host: '%'
                 rights: all
-              - name: grafana
+              - name: ${_param:mysql_grafana_username}
                 password: ${_param:mysql_grafana_password}
                 host: ${_param:single_address}
                 rights: all
diff --git a/mysql/client/database/heat.yml b/mysql/client/database/heat.yml
index 51aae8f..36cfdc5 100644
--- a/mysql/client/database/heat.yml
+++ b/mysql/client/database/heat.yml
@@ -7,11 +7,11 @@
             heat:
               encoding: utf8
               users:
-              - name: heat
+              - name: ${_param:mysql_heat_username}
                 password: ${_param:mysql_heat_password}
                 host: '%'
                 rights: all
-              - name: heat
+              - name: ${_param:mysql_heat_username}
                 password: ${_param:mysql_heat_password}
                 host: ${_param:single_address}
                 rights: all
diff --git a/mysql/client/database/ironic.yml b/mysql/client/database/ironic.yml
index e142e64..9441f74 100644
--- a/mysql/client/database/ironic.yml
+++ b/mysql/client/database/ironic.yml
@@ -7,11 +7,11 @@
             ironic:
               encoding: utf8
               users:
-              - name: ironic
+              - name: ${_param:mysql_ironic_username}
                 password: ${_param:mysql_ironic_password}
                 host: '%'
                 rights: all
-              - name: ironic
+              - name: ${_param:mysql_ironic_username}
                 password: ${_param:mysql_ironic_password}
                 host: ${_param:cluster_local_address}
                 rights: all
diff --git a/mysql/client/database/keystone.yml b/mysql/client/database/keystone.yml
index 09885dd..ebd4810 100644
--- a/mysql/client/database/keystone.yml
+++ b/mysql/client/database/keystone.yml
@@ -7,11 +7,11 @@
             keystone:
               encoding: utf8
               users:
-              - name: keystone
+              - name: ${_param:mysql_keystone_username}
                 password: ${_param:mysql_keystone_password}
                 host: '%'
                 rights: all
-              - name: keystone
+              - name: ${_param:mysql_keystone_username}
                 password: ${_param:mysql_keystone_password}
                 host: ${_param:single_address}
                 rights: all
diff --git a/mysql/client/database/murano.yml b/mysql/client/database/murano.yml
index 561ea3d..5a8b41e 100644
--- a/mysql/client/database/murano.yml
+++ b/mysql/client/database/murano.yml
@@ -7,11 +7,11 @@
             murano:
               encoding: utf8
               users:
-              - name: murano
+              - name: ${_param:mysql_murano_username}
                 password: ${_param:mysql_murano_password}
                 host: '%'
                 rights: all
-              - name: murano
+              - name: ${_param:mysql_murano_username}
                 password: ${_param:mysql_murano_password}
                 host: ${_param:single_address}
                 rights: all
\ No newline at end of file
diff --git a/mysql/client/database/neutron.yml b/mysql/client/database/neutron.yml
index 94d9722..7481797 100644
--- a/mysql/client/database/neutron.yml
+++ b/mysql/client/database/neutron.yml
@@ -7,11 +7,11 @@
             neutron:
               encoding: utf8
               users:
-              - name: neutron
+              - name: ${_param:mysql_neutron_username}
                 password: ${_param:mysql_neutron_password}
                 host: '%'
                 rights: all
-              - name: neutron
+              - name: ${_param:mysql_neutron_username}
                 password: ${_param:mysql_neutron_password}
                 host: ${_param:single_address}
                 rights: all
diff --git a/mysql/client/database/nova.yml b/mysql/client/database/nova.yml
index 930b280..da2a4ae 100644
--- a/mysql/client/database/nova.yml
+++ b/mysql/client/database/nova.yml
@@ -7,11 +7,11 @@
             nova:
               encoding: utf8
               users:
-              - name: nova
+              - name: ${_param:mysql_nova_username}
                 password: ${_param:mysql_nova_password}
                 host: '%'
                 rights: all
-              - name: nova
+              - name: ${_param:mysql_nova_username}
                 password: ${_param:mysql_nova_password}
                 host: ${_param:single_address}
                 rights: all
diff --git a/mysql/client/database/nova_api.yml b/mysql/client/database/nova_api.yml
index a8fbd59..96862ad 100644
--- a/mysql/client/database/nova_api.yml
+++ b/mysql/client/database/nova_api.yml
@@ -7,22 +7,22 @@
             nova_api:
               encoding: utf8
               users:
-              - name: nova
+              - name: ${_param:mysql_nova_username}
                 password: ${_param:mysql_nova_password}
                 host: '%'
                 rights: all
-              - name: nova
+              - name: ${_param:mysql_nova_username}
                 password: ${_param:mysql_nova_password}
                 host: ${_param:single_address}
                 rights: all
             nova_cell0:
               encoding: utf8
               users:
-              - name: nova
+              - name: ${_param:mysql_nova_username}
                 password: ${_param:mysql_nova_password}
                 host: '%'
                 rights: all
-              - name: nova
+              - name: ${_param:mysql_nova_username}
                 password: ${_param:mysql_nova_password}
                 host: ${_param:single_address}
                 rights: all
diff --git a/mysql/client/database/octavia.yml b/mysql/client/database/octavia.yml
index 6c31ece..22fa442 100644
--- a/mysql/client/database/octavia.yml
+++ b/mysql/client/database/octavia.yml
@@ -7,11 +7,11 @@
             octavia:
               encoding: utf8
               users:
-              - name: octavia
+              - name: ${_param:mysql_octavia_username}
                 password: ${_param:mysql_octavia_password}
                 host: '%'
                 rights: all
-              - name: octavia
+              - name: ${_param:mysql_octavia_username}
                 password: ${_param:mysql_octavia_password}
                 host: ${_param:single_address}
                 rights: all
diff --git a/mysql/client/database/panko.yml b/mysql/client/database/panko.yml
index e0463ef..848e32f 100644
--- a/mysql/client/database/panko.yml
+++ b/mysql/client/database/panko.yml
@@ -7,11 +7,11 @@
             panko:
               encoding: utf8
               users:
-              - name: panko
+              - name: ${_param:mysql_panko_username}
                 password: ${_param:mysql_panko_password}
                 host: '%'
                 rights: all
-              - name: panko
+              - name: ${_param:mysql_panko_username}
                 password: ${_param:mysql_panko_password}
                 host: ${_param:single_address}
                 rights: all
diff --git a/mysql/client/database/sahara.yml b/mysql/client/database/sahara.yml
index 86497d8..3db7e3e 100644
--- a/mysql/client/database/sahara.yml
+++ b/mysql/client/database/sahara.yml
@@ -7,11 +7,11 @@
             sahara:
               encoding: utf8
               users:
-              - name: sahara
+              - name: ${_param:mysql_sahara_username}
                 password: ${_param:mysql_sahara_password}
                 host: '%'
                 rights: all
-              - name: sahara
+              - name: ${_param:mysql_sahara_username}
                 password: ${_param:mysql_sahara_password}
                 host: ${_param:single_address}
                 rights: all
diff --git a/mysql/client/database_upgrade/aodh.yml b/mysql/client/database_upgrade/aodh.yml
index d363161..e351db3 100644
--- a/mysql/client/database_upgrade/aodh.yml
+++ b/mysql/client/database_upgrade/aodh.yml
@@ -7,11 +7,11 @@
             aodh_upgrade:
               encoding: utf8
               users:
-              - name: aodh
+              - name: ${_param:mysql_aodh_username}
                 password: ${_param:mysql_aodh_password}
                 host: '%'
                 rights: all
-              - name: aodh
+              - name: ${_param:mysql_aodh_username}
                 password: ${_param:mysql_aodh_password}
                 host: ${_param:single_address}
                 rights: all
diff --git a/mysql/client/database_upgrade/ceilometer.yml b/mysql/client/database_upgrade/ceilometer.yml
index 5344b4b..28f6a26 100644
--- a/mysql/client/database_upgrade/ceilometer.yml
+++ b/mysql/client/database_upgrade/ceilometer.yml
@@ -7,11 +7,11 @@
             ceilometer_upgrade:
               encoding: utf8
               users:
-              - name: ceilometer
+              - name: ${_param:mysql_ceilometer_username}
                 password: ${_param:mysql_ceilometer_password}
                 host: '%'
                 rights: all
-              - name: ceilometer
+              - name: ${_param:mysql_ceilometer_username}
                 password: ${_param:mysql_ceilometer_password}
                 host: ${_param:single_address}
                 rights: all
diff --git a/mysql/client/database_upgrade/cinder.yml b/mysql/client/database_upgrade/cinder.yml
index bafc70d..a72823e 100644
--- a/mysql/client/database_upgrade/cinder.yml
+++ b/mysql/client/database_upgrade/cinder.yml
@@ -7,11 +7,11 @@
             cinder_upgrade:
               encoding: utf8
               users:
-              - name: cinder
+              - name: ${_param:mysql_cinder_username}
                 password: ${_param:mysql_cinder_password}
                 host: '%'
                 rights: all
-              - name: cinder
+              - name: ${_param:mysql_cinder_username}
                 password: ${_param:mysql_cinder_password}
                 host: ${_param:single_address}
                 rights: all
diff --git a/mysql/client/database_upgrade/designate.yml b/mysql/client/database_upgrade/designate.yml
index 48b7fce..7f13286 100644
--- a/mysql/client/database_upgrade/designate.yml
+++ b/mysql/client/database_upgrade/designate.yml
@@ -7,11 +7,11 @@
             designate_upgrade:
               encoding: utf8
               users:
-              - name: designate
+              - name: ${_param:mysql_designate_username}
                 password: ${_param:mysql_designate_password}
                 host: '%'
                 rights: all
-              - name: designate
+              - name: ${_param:mysql_designate_username}
                 password: ${_param:mysql_designate_password}
                 host: ${_param:single_address}
                 rights: all
diff --git a/mysql/client/database_upgrade/designate_pool_manager.yml b/mysql/client/database_upgrade/designate_pool_manager.yml
index 26dd975..abc9491 100644
--- a/mysql/client/database_upgrade/designate_pool_manager.yml
+++ b/mysql/client/database_upgrade/designate_pool_manager.yml
@@ -7,11 +7,11 @@
             designate_pool_manager_upgrade:
               encoding: utf8
               users:
-              - name: designate
+              - name: ${_param:mysql_designate_username}
                 password: ${_param:mysql_designate_password}
                 host: '%'
                 rights: all
-              - name: designate
+              - name: ${_param:mysql_designate_username}
                 password: ${_param:mysql_designate_password}
                 host: ${_param:single_address}
                 rights: all
diff --git a/mysql/client/database_upgrade/glance.yml b/mysql/client/database_upgrade/glance.yml
index bebe604..d1690ae 100644
--- a/mysql/client/database_upgrade/glance.yml
+++ b/mysql/client/database_upgrade/glance.yml
@@ -7,11 +7,11 @@
             glance_upgrade:
               encoding: utf8
               users:
-              - name: glance
+              - name: ${_param:mysql_glance_username}
                 password: ${_param:mysql_glance_password}
                 host: '%'
                 rights: all
-              - name: glance
+              - name: ${_param:mysql_glance_username}
                 password: ${_param:mysql_glance_password}
                 host: ${_param:single_address}
                 rights: all
diff --git a/mysql/client/database_upgrade/grafana.yml b/mysql/client/database_upgrade/grafana.yml
index 7759a66..30c9d35 100644
--- a/mysql/client/database_upgrade/grafana.yml
+++ b/mysql/client/database_upgrade/grafana.yml
@@ -7,11 +7,11 @@
             grafana_upgrade:
               encoding: utf8
               users:
-              - name: grafana
+              - name: ${_param:mysql_grafana_username}
                 password: ${_param:mysql_grafana_password}
                 host: '%'
                 rights: all
-              - name: grafana
+              - name: ${_param:mysql_grafana_username}
                 password: ${_param:mysql_grafana_password}
                 host: ${_param:single_address}
                 rights: all
diff --git a/mysql/client/database_upgrade/heat.yml b/mysql/client/database_upgrade/heat.yml
index 24e4cb1..1dd29cd 100644
--- a/mysql/client/database_upgrade/heat.yml
+++ b/mysql/client/database_upgrade/heat.yml
@@ -7,11 +7,11 @@
             heat_upgrade:
               encoding: utf8
               users:
-              - name: heat
+              - name: ${_param:mysql_heat_username}
                 password: ${_param:mysql_heat_password}
                 host: '%'
                 rights: all
-              - name: heat
+              - name: ${_param:mysql_heat_username}
                 password: ${_param:mysql_heat_password}
                 host: ${_param:single_address}
                 rights: all
diff --git a/mysql/client/database_upgrade/keystone.yml b/mysql/client/database_upgrade/keystone.yml
index 8265662..c9b884f 100644
--- a/mysql/client/database_upgrade/keystone.yml
+++ b/mysql/client/database_upgrade/keystone.yml
@@ -7,11 +7,11 @@
             keystone_upgrade:
               encoding: utf8
               users:
-              - name: keystone
+              - name: ${_param:mysql_keystone_username}
                 password: ${_param:mysql_keystone_password}
                 host: '%'
                 rights: all
-              - name: keystone
+              - name: ${_param:mysql_keystone_username}
                 password: ${_param:mysql_keystone_password}
                 host: ${_param:single_address}
                 rights: all
diff --git a/mysql/client/database_upgrade/murano.yml b/mysql/client/database_upgrade/murano.yml
index 2223ce6..45342a8 100644
--- a/mysql/client/database_upgrade/murano.yml
+++ b/mysql/client/database_upgrade/murano.yml
@@ -7,11 +7,11 @@
             murano_upgrade:
               encoding: utf8
               users:
-              - name: murano
+              - name: ${_param:mysql_murano_username}
                 password: ${_param:mysql_murano_password}
                 host: '%'
                 rights: all
-              - name: murano
+              - name: ${_param:mysql_murano_username}
                 password: ${_param:mysql_murano_password}
                 host: ${_param:single_address}
                 rights: all
diff --git a/mysql/client/database_upgrade/neutron.yml b/mysql/client/database_upgrade/neutron.yml
index 7dd723c..ee5e200 100644
--- a/mysql/client/database_upgrade/neutron.yml
+++ b/mysql/client/database_upgrade/neutron.yml
@@ -7,11 +7,11 @@
             neutron_upgrade:
               encoding: utf8
               users:
-              - name: neutron
+              - name: ${_param:mysql_neutron_username}
                 password: ${_param:mysql_neutron_password}
                 host: '%'
                 rights: all
-              - name: neutron
+              - name: ${_param:mysql_neutron_username}
                 password: ${_param:mysql_neutron_password}
                 host: ${_param:single_address}
                 rights: all
diff --git a/mysql/client/database_upgrade/nova.yml b/mysql/client/database_upgrade/nova.yml
index 699c9c3..2a0e246 100644
--- a/mysql/client/database_upgrade/nova.yml
+++ b/mysql/client/database_upgrade/nova.yml
@@ -7,11 +7,11 @@
             nova_upgrade:
               encoding: utf8
               users:
-              - name: nova
+              - name: ${_param:mysql_nova_username}
                 password: ${_param:mysql_nova_password}
                 host: '%'
                 rights: all
-              - name: nova
+              - name: ${_param:mysql_nova_username}
                 password: ${_param:mysql_nova_password}
                 host: ${_param:single_address}
                 rights: all
diff --git a/mysql/client/database_upgrade/nova_api.yml b/mysql/client/database_upgrade/nova_api.yml
index 8bb33c8..d9815d5 100644
--- a/mysql/client/database_upgrade/nova_api.yml
+++ b/mysql/client/database_upgrade/nova_api.yml
@@ -7,11 +7,11 @@
             nova_upgrade_api:
               encoding: utf8
               users:
-              - name: nova
+              - name: ${_param:mysql_nova_username}
                 password: ${_param:mysql_nova_password}
                 host: '%'
                 rights: all
-              - name: nova
+              - name: ${_param:mysql_nova_username}
                 password: ${_param:mysql_nova_password}
                 host: ${_param:single_address}
                 rights: all
@@ -23,11 +23,11 @@
             nova_upgrade_cell0:
               encoding: utf8
               users:
-              - name: nova
+              - name: ${_param:mysql_nova_username}
                 password: ${_param:mysql_nova_password}
                 host: '%'
                 rights: all
-              - name: nova
+              - name: ${_param:mysql_nova_username}
                 password: ${_param:mysql_nova_password}
                 host: ${_param:single_address}
                 rights: all
diff --git a/mysql/client/database_upgrade/sahara.yml b/mysql/client/database_upgrade/sahara.yml
index 73618d0..414b3dc 100644
--- a/mysql/client/database_upgrade/sahara.yml
+++ b/mysql/client/database_upgrade/sahara.yml
@@ -7,11 +7,11 @@
             sahara_upgrade:
               encoding: utf8
               users:
-              - name: sahara
+              - name: ${_param:mysql_sahara_username}
                 password: ${_param:mysql_sahara_password}
                 host: '%'
                 rights: all
-              - name: sahara
+              - name: ${_param:mysql_sahara_username}
                 password: ${_param:mysql_sahara_password}
                 host: ${_param:single_address}
                 rights: all
diff --git a/neutron/control/cluster.yml b/neutron/control/cluster.yml
index 91b410b..fe6f464 100644
--- a/neutron/control/cluster.yml
+++ b/neutron/control/cluster.yml
@@ -15,6 +15,9 @@
           version: latest
   neutron:
     server:
+      compute:
+        user: ${_param:keystone_nova_username}
+        password: ${_param:keystone_nova_password}
       message_queue:
         port: ${_param:openstack_rabbitmq_port}
         members:
@@ -29,6 +32,8 @@
         ssl:
           enabled: ${_param:rabbitmq_ssl_enabled}
       database:
+        user: ${_param:mysql_neutron_username}
+        password: ${_param:mysql_neutron_password}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
           ca_file: ${_param:mysql_neutron_ssl_ca_file}
@@ -38,4 +43,6 @@
           enabled: ${_param:galera_ssl_enabled}
       role: ${_param:openstack_node_role}
       identity:
+        user: ${_param:keystone_neutron_username}
+        password: ${_param:keystone_neutron_password}
         protocol: ${_param:cluster_internal_protocol}
diff --git a/neutron/control/opencontrail/cluster.yml b/neutron/control/opencontrail/cluster.yml
index a33c273..8b09377 100644
--- a/neutron/control/opencontrail/cluster.yml
+++ b/neutron/control/opencontrail/cluster.yml
@@ -16,6 +16,7 @@
         engine: contrail
         host: ${_param:opencontrail_control_address}
         port: 8082
+        use_ssl: ${_param:opencontrail_api_ssl_enabled}
         user: ${_param:opencontrail_admin_user}
         password: ${_param:opencontrail_admin_password}
         tenant: admin
diff --git a/neutron/control/ovn/single.yml b/neutron/control/ovn/single.yml
index f3dd749..73702fd 100644
--- a/neutron/control/ovn/single.yml
+++ b/neutron/control/ovn/single.yml
@@ -29,8 +29,12 @@
       compute:
         region: ${_param:openstack_region}
       database:
+        user: ${_param:mysql_neutron_username}
+        password: ${_param:mysql_neutron_password}
         host: ${_param:openstack_database_address}
       identity:
+        user: ${_param:keystone_neutron_username}
+        password: ${_param:keystone_neutron_password}
         region: ${_param:openstack_region}
       message_queue:
         members:
diff --git a/neutron/control/single.yml b/neutron/control/single.yml
index 803f12f..bc025eb 100644
--- a/neutron/control/single.yml
+++ b/neutron/control/single.yml
@@ -16,6 +16,8 @@
     server:
       role: ${_param:openstack_node_role}
       database:
+        user: ${_param:mysql_neutron_username}
+        password: ${_param:mysql_neutron_password}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
           ca_file: ${_param:mysql_neutron_ssl_ca_file}
@@ -33,4 +35,6 @@
         ssl:
           enabled: ${_param:rabbitmq_ssl_enabled}
       identity:
+        user: ${_param:keystone_neutron_username}
+        password: ${_param:keystone_neutron_password}
         protocol: ${_param:internal_protocol}
diff --git a/nginx/server/proxy/cicd/gerrit.yml b/nginx/server/proxy/cicd/gerrit.yml
index 0baf26c..72d0e12 100644
--- a/nginx/server/proxy/cicd/gerrit.yml
+++ b/nginx/server/proxy/cicd/gerrit.yml
@@ -15,7 +15,7 @@
           proxy:
             host: ${_param:nginx_proxy_gerrit_server_proxy_host}
             port: ${_param:nginx_proxy_gerrit_server_proxy_port}
-            protocol: http
+            protocol: https
           host:
             name: ${_param:nginx_proxy_gerrit_server_site_host}
             port: ${_param:nginx_proxy_gerrit_server_site_port}
diff --git a/nginx/server/proxy/cicd/jenkins.yml b/nginx/server/proxy/cicd/jenkins.yml
index bd270f2..b348f26 100644
--- a/nginx/server/proxy/cicd/jenkins.yml
+++ b/nginx/server/proxy/cicd/jenkins.yml
@@ -15,7 +15,7 @@
           proxy:
             host: ${_param:nginx_proxy_jenkins_server_proxy_host}
             port: ${_param:nginx_proxy_jenkins_server_proxy_port}
-            protocol: http
+            protocol: https
           host:
             name: ${_param:nginx_proxy_jenkins_server_site_host}
             port: ${_param:nginx_proxy_jenkins_server_site_port}
diff --git a/nova/compute/cluster.yml b/nova/compute/cluster.yml
index 4cc9ccf..1fdb3bd 100644
--- a/nova/compute/cluster.yml
+++ b/nova/compute/cluster.yml
@@ -31,14 +31,14 @@
         host: ${_param:openstack_database_address}
         port: 3306
         name: nova
-        user: nova
+        user: ${_param:mysql_nova_username}
         password: ${_param:mysql_nova_password}
       identity:
         engine: keystone
         region: ${_param:openstack_region}
         host: ${_param:cluster_vip_address}
         port: 35357
-        user: nova
+        user: ${_param:keystone_nova_username}
         password: ${_param:keystone_nova_password}
         tenant: service
         protocol: ${_param:cluster_internal_protocol}
@@ -73,7 +73,7 @@
         region: ${_param:openstack_region}
         host: ${_param:neutron_service_host}
         port: 9696
-        user: neutron
+        user: ${_param:keystone_neutron_username}
         tenant: service
         password: ${_param:keystone_neutron_password}
         protocol: ${_param:cluster_internal_protocol}
diff --git a/nova/compute/single.yml b/nova/compute/single.yml
index e6b1a5b..2c47148 100644
--- a/nova/compute/single.yml
+++ b/nova/compute/single.yml
@@ -30,13 +30,13 @@
         host: ${_param:control_address}
         port: 3306
         name: nova
-        user: nova
+        user: ${_param:mysql_nova_username}
         password: ${_param:mysql_nova_password}
       identity:
         engine: keystone
         host: ${_param:control_address}
         port: 35357
-        user: nova
+        user: ${_param:keystone_nova_username}
         password: ${_param:keystone_nova_password}
         tenant: service
         protocol: ${_param:cluster_internal_protocol}
diff --git a/nova/compute_ironic/cluster.yml b/nova/compute_ironic/cluster.yml
index 7796fa1..8b57948 100644
--- a/nova/compute_ironic/cluster.yml
+++ b/nova/compute_ironic/cluster.yml
@@ -14,14 +14,14 @@
         host: ${_param:openstack_database_address}
         port: 3306
         name: nova
-        user: nova
+        user: ${_param:mysql_nova_username}
         password: ${_param:mysql_nova_password}
       identity:
         engine: keystone
         region: ${_param:openstack_region}
         host: ${_param:cluster_vip_address}
         port: 35357
-        user: nova
+        user: ${_param:keystone_nova_username}
         password: ${_param:keystone_nova_password}
         tenant: service
         protocol: ${_param:cluster_internal_protocol}
@@ -42,7 +42,7 @@
         region: ${_param:openstack_region}
         host: ${_param:neutron_service_host}
         port: 9696
-        user: neutron
+        user: ${_param:keystone_neutron_username}
         tenant: service
         password: ${_param:keystone_neutron_password}
         protocol: ${_param:cluster_internal_protocol}
@@ -52,7 +52,7 @@
         region: ${_param:openstack_region}
         host: ${_param:ironic_service_host}
         port: 6385
-        user: ironic
+        user: ${_param:keystone_ironic_username}
         tenant: service
         password: ${_param:keystone_ironic_password}
         auth_type: password
diff --git a/nova/compute_ironic/single.yml b/nova/compute_ironic/single.yml
index 718ec59..bc3ee7c 100644
--- a/nova/compute_ironic/single.yml
+++ b/nova/compute_ironic/single.yml
@@ -14,14 +14,14 @@
         host: ${_param:control_address}
         port: 3306
         name: nova
-        user: nova
+        user: ${_param:mysql_nova_username}
         password: ${_param:mysql_nova_password}
       identity:
         engine: keystone
         region: ${_param:openstack_region}
         host: ${_param:control_address}
         port: 35357
-        user: nova
+        user: ${_param:keystone_nova_username}
         password: ${_param:keystone_nova_password}
         tenant: service
         protocol: ${_param:cluster_internal_protocol}
@@ -39,7 +39,7 @@
         region: ${_param:openstack_region}
         host: ${_param:control_address}
         port: 9696
-        user: neutron
+        user: ${_param:keystone_neutron_username}
         tenant: service
         password: ${_param:keystone_neutron_password}
         protocol: ${_param:cluster_internal_protocol}
@@ -49,7 +49,7 @@
         region: ${_param:openstack_region}
         host: ${_param:control_address}
         port: 6385
-        user: ironic
+        user: ${_param:keystone_ironic_username}
         tenant: service
         password: ${_param:keystone_ironic_password}
         protocol: ${_param:cluster_internal_protocol}
diff --git a/nova/control/cluster.yml b/nova/control/cluster.yml
index 437f3c1..325c6a5 100644
--- a/nova/control/cluster.yml
+++ b/nova/control/cluster.yml
@@ -43,7 +43,7 @@
         host: ${_param:openstack_database_address}
         port: 3306
         name: nova
-        user: nova
+        user: ${_param:mysql_nova_username}
         password: ${_param:mysql_nova_password}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
@@ -57,7 +57,7 @@
         region: ${_param:openstack_region}
         host: ${_param:cluster_vip_address}
         port: 35357
-        user: nova
+        user: ${_param:keystone_nova_username}
         password: ${_param:keystone_nova_password}
         tenant: service
         protocol: ${_param:cluster_internal_protocol}
@@ -95,7 +95,7 @@
         engine: neutron
         region: ${_param:openstack_region}
         host: ${_param:neutron_service_host}
-        user: neutron
+        user: ${_param:keystone_neutron_username}
         password: ${_param:keystone_neutron_password}
         port: 9696
         mtu: 1500
diff --git a/octavia/api/cluster.yml b/octavia/api/cluster.yml
index 31989b0..e698481 100644
--- a/octavia/api/cluster.yml
+++ b/octavia/api/cluster.yml
@@ -11,6 +11,7 @@
       bind:
         address: ${_param:cluster_local_address}
       database:
+        user: ${_param:mysql_octavia_username}
         host: ${_param:openstack_database_address}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
@@ -20,6 +21,7 @@
         ssl:
           enabled: ${_param:galera_ssl_enabled}
       identity:
+        user: ${_param:keystone_octavia_username}
         region: ${_param:openstack_region}
         protocol: ${_param:cluster_internal_protocol}
       message_queue:
diff --git a/octavia/api/single.yml b/octavia/api/single.yml
index c42009d..b359885 100644
--- a/octavia/api/single.yml
+++ b/octavia/api/single.yml
@@ -10,6 +10,7 @@
       bind:
         address: ${_param:single_address}
       database:
+        user: ${_param:mysql_octavia_username}
         host: ${_param:openstack_database_address}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
@@ -19,6 +20,7 @@
         ssl:
           enabled: ${_param:galera_ssl_enabled}
       identity:
+        user: ${_param:keystone_octavia_username}
         region: ${_param:openstack_region}
         protocol: ${_param:cluster_internal_protocol}
       message_queue:
diff --git a/octavia/manager/cluster.yml b/octavia/manager/cluster.yml
index f86dd80..c10e800 100644
--- a/octavia/manager/cluster.yml
+++ b/octavia/manager/cluster.yml
@@ -12,6 +12,7 @@
         user: octavia
         group: octavia
       database:
+        user: ${_param:mysql_octavia_username}
         host: ${_param:openstack_database_address}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
@@ -21,6 +22,7 @@
         ssl:
           enabled: ${_param:galera_ssl_enabled}
       identity:
+        user: ${_param:keystone_octavia_username}
         region: ${_param:openstack_region}
         protocol: ${_param:cluster_internal_protocol}
       message_queue:
diff --git a/octavia/manager/single.yml b/octavia/manager/single.yml
index e1e356b..51671eb 100644
--- a/octavia/manager/single.yml
+++ b/octavia/manager/single.yml
@@ -17,6 +17,7 @@
         user: octavia
         group: octavia
       database:
+        user: ${_param:mysql_octavia_username}
         host: ${_param:openstack_database_address}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
@@ -26,6 +27,7 @@
         ssl:
           enabled: ${_param:galera_ssl_enabled}
       identity:
+        user: ${_param:keystone_octavia_username}
         region: ${_param:openstack_region}
         protocol: ${_param:cluster_internal_protocol}
       message_queue:
diff --git a/opencontrail/compute/single.yml b/opencontrail/compute/single.yml
index 2211a69..c016479 100644
--- a/opencontrail/compute/single.yml
+++ b/opencontrail/compute/single.yml
@@ -27,7 +27,7 @@
       network:
         engine: keystone
         host: ${_param:control_address}
-        user: neutron
+        user: ${_param:keystone_neutron_username}
         password: ${_param:keystone_neutron_password}
         tenant: service
   neutron:
@@ -37,7 +37,7 @@
         engine: keystone
         host: ${_param:control_address}
         port: 35357
-        user: neutron
+        user: ${_param:keystone_neutron_username}
         password: ${_param:keystone_neutron_password}
         tenant: service
 
diff --git a/opencontrail/control/analytics4_0.yml b/opencontrail/control/analytics4_0.yml
index 19fefcc..91868d3 100644
--- a/opencontrail/control/analytics4_0.yml
+++ b/opencontrail/control/analytics4_0.yml
@@ -94,6 +94,7 @@
                 - /var/crashes:/var/crashes
                 - /var/log/contrail:/var/log/contrail
                 - /var/log/journal/contrail-analytics:/var/log/journal
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
               env_file:
                 - contrail.env
             analyticsdb:
@@ -117,6 +118,7 @@
                 - /var/log/journal/contrail-analyticsdb:/var/log/journal
                 - ${_param:opencontrail_host_analyticsdb_log_dir}/cassandra:${_param:opencontrail_cassandra_log_dir}
                 - ${_param:opencontrail_host_analyticsdb_log_dir}/zookeeper:${_param:opencontrail_zookeeper_log_dir}
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
               network_mode: "host"
               privileged: true
               restart: always
diff --git a/opencontrail/control/cluster4_0.yml b/opencontrail/control/cluster4_0.yml
index 6859b9c..bbba05c 100644
--- a/opencontrail/control/cluster4_0.yml
+++ b/opencontrail/control/cluster4_0.yml
@@ -162,6 +162,7 @@
                 - /var/log/journal/contrail-controller:/var/log/journal
                 - ${_param:opencontrail_host_configdb_log_dir}/cassandra:${_param:opencontrail_cassandra_log_dir}
                 - ${_param:opencontrail_host_configdb_log_dir}/zookeeper:${_param:opencontrail_zookeeper_log_dir}
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
               network_mode: "host"
               privileged: true
               restart: always
@@ -178,6 +179,7 @@
                 - /etc/redis/redis.conf:/etc/redis/redis.conf
                 - /var/log/contrail:/var/log/contrail
                 - /var/log/journal/contrail-analytics:/var/log/journal
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
               env_file:
                 - contrail.env
             analyticsdb:
@@ -201,6 +203,7 @@
                 - /var/log/journal/contrail-analyticsdb:/var/log/journal
                 - ${_param:opencontrail_host_analyticsdb_log_dir}/cassandra:${_param:opencontrail_cassandra_log_dir}
                 - ${_param:opencontrail_host_analyticsdb_log_dir}/zookeeper:${_param:opencontrail_zookeeper_log_dir}
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
               network_mode: "host"
               privileged: true
               restart: always
diff --git a/opencontrail/control/control4_0.yml b/opencontrail/control/control4_0.yml
index bc37f8e..67c91e2 100644
--- a/opencontrail/control/control4_0.yml
+++ b/opencontrail/control/control4_0.yml
@@ -120,6 +120,7 @@
                 - /var/log/journal/contrail-controller:/var/log/journal
                 - ${_param:opencontrail_host_configdb_log_dir}/cassandra:${_param:opencontrail_cassandra_log_dir}
                 - ${_param:opencontrail_host_configdb_log_dir}/zookeeper:${_param:opencontrail_zookeeper_log_dir}
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
               network_mode: "host"
               privileged: true
               restart: always
diff --git a/opencontrail/control/single4_0.yml b/opencontrail/control/single4_0.yml
index 89768d3..7612638 100644
--- a/opencontrail/control/single4_0.yml
+++ b/opencontrail/control/single4_0.yml
@@ -173,6 +173,7 @@
                 - /etc/zookeeper/conf/log4j.properties:/etc/zookeeper/conf/log4j.properties
                 - /var/log/contrail:/var/log/contrail
                 - /var/log/journal/contrail-controller:/var/log/journal
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
               network_mode: "host"
               privileged: true
               restart: always
@@ -189,6 +190,7 @@
                 - /etc/redis/redis.conf:/etc/redis/redis.conf
                 - /var/log/contrail:/var/log/contrail
                 - /var/log/journal/contrail-analytics:/var/log/journal
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
               env_file:
                 - contrail.env
             analyticsdb:
@@ -210,6 +212,7 @@
                 - /etc/zookeeper/conf/log4j.properties:/etc/zookeeper/conf/log4j.properties
                 - /var/log/contrail:/var/log/contrail
                 - /var/log/journal/contrail-analyticsdb:/var/log/journal
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
               network_mode: "host"
               privileged: true
               restart: always
diff --git a/openldap/client/init.yml b/openldap/client/init.yml
index 25812f6..c0c20a8 100644
--- a/openldap/client/init.yml
+++ b/openldap/client/init.yml
@@ -3,7 +3,10 @@
 parameters:
   _param:
     openldap_server: ${_param:cluster_vip_address}
-    openldap_tls: false
+    openldap_tls:
+      starttls: true
+      keyfile: /etc/haproxy/ssl/drivetrain.key
+      certfile: /etc/haproxy/ssl/drivetrain.crt
   openldap:
     client:
       server:
diff --git a/openssh/server/team/members/gmani.yml b/openssh/server/team/members/gmani.yml
new file mode 100644
index 0000000..7a25132
--- /dev/null
+++ b/openssh/server/team/members/gmani.yml
@@ -0,0 +1,20 @@
+parameters:
+  linux:
+    system:
+      user:
+        gmani:
+          enabled: true
+          name: gmani
+          sudo: ${_param:linux_system_user_sudo}
+          full_name: Gautam Mani
+          home: /home/gmani
+          email: gmani@mirantis.com
+  openssh:
+    server:
+      user:
+        gmani:
+          enabled: true
+          public_keys:
+          - key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+k2aPVLU8M9AfAGoJU7m48yjBIB/AxNzqiyMi2yPy9BaH3q4zPCTY0e8CLX6W0vU/uATBOoLjtWgLUmBqW6eOTD09zb60CKJy+vQUYVLZEEV1Aa2hxJ6zl0ruwCinmKDnLFkLe5HQmcLPWHccO3IvxaKAYCKeI9LFpiV/NwzYpjqrSP35jw36cMvxK8pvkw0YEZNz/+ApSB5JQWpFPM3563b6W0oH1/sX97MdxUuggRGNmS5Xd5TrxOPiQAipIXGGBNlafT7/IfWnJGhlIWYe2yQrbefOQ9RjaUA3VlU+YGAlcTLu5VWg3rKfMgdvNsA56doxYquRc6w+Sv/C8Eip gmani@1153-MBP15.local 
+          user: ${linux:system:user:gmani}
+
diff --git a/openssh/server/team/members/someara.yml b/openssh/server/team/members/someara.yml
new file mode 100644
index 0000000..eab2c90
--- /dev/null
+++ b/openssh/server/team/members/someara.yml
@@ -0,0 +1,20 @@
+parameters:
+  linux:
+    system:
+      user:
+        someara:
+          enabled: true
+          name: someara
+          sudo: ${_param:linux_system_user_sudo}
+          full_name: Shaun OMeara
+          home: /home/someara
+          email: someara@mirantis.com
+  openssh:
+    server:
+      user:
+        someara:
+          enabled: true
+          public_keys:
+          - key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwH33yz82vYBUYFlJ5LJT+4NFJNUTzeBobJVlEtv6Hwd1t+xGrze5F3RZ/M1U24YOjnXoN4SutC7nciPfvUUYhLEBKA6/0n4v+yRf+pnovmH2RA6FJ4D9lKAbmdr7O0BRrzE++iUwzCnZIsDdfc+pQPfis2IYpN878x/F8jfvkMCvQRSN8Oyn3IeB2Yc/RMBWObNYD9Cm0KjtmZxwpyP+J6tzxj34e5kJRDCIAAYnS3Gmr9SJpJBx/Z80meeT44HdGz5RnKT2ouxAZUf7hxGKH6h0fYjwdwcs89QsyCBTvrXXuWPADFuBjvJcqTf5PmcqOZTIgM9lyI7rlzw6ynkxn shauno@Shauns-MacBook-Pro.local 
+          user: ${linux:system:user:someara}
+
diff --git a/openssh/server/team/pm_team.yml b/openssh/server/team/pm_team.yml
new file mode 100644
index 0000000..af18aca
--- /dev/null
+++ b/openssh/server/team/pm_team.yml
@@ -0,0 +1,7 @@
+classes:
+- system.openssh.server.team.members.someara
+- system.openssh.server.team.members.gmani
+
+parameters:
+  _param:
+    linux_system_user_sudo: true
diff --git a/panko/server/cluster.yml b/panko/server/cluster.yml
index b6e87bb..3257a99 100644
--- a/panko/server/cluster.yml
+++ b/panko/server/cluster.yml
@@ -24,9 +24,13 @@
       role: ${_param:openstack_node_role}
       event_time_to_live: ${_param:panko_event_time_to_live}
       identity:
+        user: ${_param:keystone_panko_username}
+        password: ${_param:keystone_panko_password}
         host: ${_param:openstack_control_address}
         protocol: ${_param:cluster_internal_protocol}
       database:
+        user: ${_param:mysql_panko_username}
+        password: ${_param:mysql_panko_password}
         host: ${_param:openstack_database_address}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
diff --git a/panko/server/single.yml b/panko/server/single.yml
index ea8f4a1..a10562a 100644
--- a/panko/server/single.yml
+++ b/panko/server/single.yml
@@ -16,8 +16,12 @@
   panko:
     server:
       identity:
+        user: ${_param:keystone_panko_username}
+        password: ${_param:keystone_panko_password}
         protocol: ${_param:internal_protocol}
       database:
+        user: ${_param:mysql_panko_username}
+        password: ${_param:mysql_panko_password}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
           ca_file: ${_param:mysql_panko_ssl_ca_file}
diff --git a/prometheus/gainsight/query/openstack.yml b/prometheus/gainsight/query/openstack.yml
index 0e7aab6..679a6fc 100644
--- a/prometheus/gainsight/query/openstack.yml
+++ b/prometheus/gainsight/query/openstack.yml
@@ -11,11 +11,11 @@
         instances: "'Instances','avg(sum(avg_over_time(openstack_nova_instances{state=\"active\"}[24h])) by (instance))'"
         compute_nodes: "'Compute Nodes','avg(sum(openstack_nova_services{binary=~\"nova.compute\"}) by (instance))'"
         tenants: "'Tenants','avg(sum(avg_over_time(openstack_keystone_tenants_total[24h])) by (instance))'"
-        cinder_api: "'Cinder API','avg(avg_over_time(openstack_api_check_status{name=\"cinderv2\"}[24h]))'"
-        nova_api: "'Nova API','avg(avg_over_time(openstack_api_check_status{name=\"nova\"}[24h]))'"
-        keystone_api: "'Keystone API','avg(avg_over_time(openstack_api_check_status{name=\"keystone\"}[24h]))'"
-        glance_api: "'Glance API','avg(avg_over_time(openstack_api_check_status{name=\"glance\"}[24h]))'"
-        neutron_api: "'Neutron API','avg(avg_over_time(openstack_api_check_status{name=\"neutron\"}[24h]))'"
+        cinder_api: "'Cinder API','avg_over_time(name:openstack_api_check_status:avg5m:for5m:ceil:avg5m:floor{name=\"cinderv2\"}[24h])'"
+        nova_api: "'Nova API','avg_over_time(name:openstack_api_check_status:avg5m:for5m:ceil:avg5m:floor{name=\"nova\"}[24h])'"
+        keystone_api: "'Keystone API','avg_over_time(name:openstack_api_check_status:avg5m:for5m:ceil:avg5m:floor{name=\"keystone\"}[24h])'"
+        glance_api: "'Glance API','avg_over_time(name:openstack_api_check_status:avg5m:for5m:ceil:avg5m:floor{name=\"glance\"}[24h])'"
+        neutron_api: "'Neutron API','avg_over_time(name:openstack_api_check_status:avg5m:for5m:ceil:avg5m:floor{name=\"neutron\"}[24h])'"
         nova_vm_all: "'Total VM number','avg_over_time(total:openstack_nova_instance_all[1d])'"
         nova_vm_failed: "'Failed VM number','avg_over_time(total:openstack_nova_instance_failed[1d])'"
         kpi_downtime: "'KPI Downtime','1 - avg_over_time(total:openstack_nova_instance_failed[1d]) / avg_over_time(total:openstack_nova_instance_all[1d])'"
diff --git a/sahara/server/cluster.yml b/sahara/server/cluster.yml
index b01ab3d..3e48e7d 100644
--- a/sahara/server/cluster.yml
+++ b/sahara/server/cluster.yml
@@ -18,7 +18,7 @@
         host: ${_param:openstack_database_address}
         port: 3306
         name: sahara
-        user: sahara
+        user: ${_param:mysql_sahara_username}
         password: ${_param:mysql_sahara_password}
       identity:
         engine: keystone
@@ -26,7 +26,7 @@
         host:  ${_param:openstack_control_address}
         port: 35357
         tenant: service
-        user: sahara
+        user: ${_param:keystone_sahara_username}
         password: ${_param:keystone_sahara_password}
       message_queue:
         engine: rabbitmq
diff --git a/sahara/server/single.yml b/sahara/server/single.yml
index fcb26c9..3b63c44 100644
--- a/sahara/server/single.yml
+++ b/sahara/server/single.yml
@@ -14,13 +14,13 @@
         host: ${_param:openstack_database_address}
         port: 3306
         name: sahara
-        user: sahara
+        user: ${_param:mysql_sahara_username}
         password: ${_param:mysql_sahara_password}
       identity:
         engine: keystone
         host: ${_param:openstack_control_address}
         port: 35357
-        user: sahara
+        user: ${_param:keystone_sahara_username}
         password: ${_param:keystone_sahara_password}
         tenant: service
       message_queue:
diff --git a/salt/control/cluster/infra_proxy_cluster.yml b/salt/control/cluster/infra_proxy_cluster.yml
index 6d4b25b..7d0454d 100644
--- a/salt/control/cluster/infra_proxy_cluster.yml
+++ b/salt/control/cluster/infra_proxy_cluster.yml
@@ -1,6 +1,6 @@
 parameters:
   _param:
-    infra_proxy_backend_image: ${_param:salt_control_trusty_image_backend}
+    infra_proxy_backend_image: ${_param:salt_control_xenial_image_backend}
     salt_control_cluster_node_cloud_init_infra_proxy:
       user_data:
         write_files:
@@ -25,14 +25,14 @@
             prx01:
               name: ${_param:openstack_proxy_node01_hostname}
               provider: ${_param:infra_kvm_node01_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:infra_proxy_backend_image}
               size: infra.proxy
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_infra_proxy}
             prx02:
               name: ${_param:openstack_proxy_node01_hostname}
               provider: ${_param:infra_kvm_node02_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:infra_proxy_backend_image}
               size: infra.proxy
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_infra_proxy}
diff --git a/salt/control/cluster/infra_proxy_single.yml b/salt/control/cluster/infra_proxy_single.yml
index fe6c710..c9110f8 100644
--- a/salt/control/cluster/infra_proxy_single.yml
+++ b/salt/control/cluster/infra_proxy_single.yml
@@ -1,6 +1,6 @@
 parameters:
   _param:
-    infra_proxy_backend_image: ${_param:salt_control_trusty_image_backend}
+    infra_proxy_backend_image: ${_param:salt_control_xenial_image_backend}
     salt_control_cluster_node_cloud_init_infra_proxy:
       user_data:
         write_files:
@@ -25,7 +25,7 @@
             prx01:
               name: ${_param:openstack_proxy_node01_hostname}
               provider: ${_param:infra_kvm_node01_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:infra_proxy_backend_image}
               size: infra.proxy
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_infra_proxy}
diff --git a/salt/control/cluster/opencontrail_analytics_cluster.yml b/salt/control/cluster/opencontrail_analytics_cluster.yml
index 4652ce2..f3de786 100644
--- a/salt/control/cluster/opencontrail_analytics_cluster.yml
+++ b/salt/control/cluster/opencontrail_analytics_cluster.yml
@@ -1,6 +1,6 @@
 parameters:
   _param:
-    opencontrail_analytics_backend_image: ${_param:salt_control_trusty_image_backend}
+    opencontrail_analytics_backend_image: ${_param:salt_control_xenial_image_backend}
     salt_control_cluster_node_cloud_init_opencontrail_analytics:
       user_data:
         write_files:
@@ -25,21 +25,21 @@
             nal01:
               name: ${_param:opencontrail_analytics_node01_hostname}
               provider: ${_param:infra_kvm_node01_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:opencontrail_analytics_backend_image}
               size: opencontrail.analytics
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_opencontrail_analytics}
             nal02:
               name: ${_param:opencontrail_analytics_node02_hostname}
               provider: ${_param:infra_kvm_node02_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:opencontrail_analytics_backend_image}
               size: opencontrail.analytics
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_opencontrail_analytics}
             nal03:
               name: ${_param:opencontrail_analytics_node03_hostname}
               provider: ${_param:infra_kvm_node03_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:opencontrail_analytics_backend_image}
               size: opencontrail.analytics
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_opencontrail_analytics}
diff --git a/salt/control/cluster/opencontrail_control_cluster.yml b/salt/control/cluster/opencontrail_control_cluster.yml
index 2f73d1f..2189738 100644
--- a/salt/control/cluster/opencontrail_control_cluster.yml
+++ b/salt/control/cluster/opencontrail_control_cluster.yml
@@ -1,6 +1,6 @@
 parameters:
   _param:
-    opencontrail_control_backend_image: ${_param:salt_control_trusty_image_backend}
+    opencontrail_control_backend_image: ${_param:salt_control_xenial_image_backend}
     salt_control_cluster_node_cloud_init_opencontrail_control:
       user_data:
         write_files:
@@ -25,21 +25,21 @@
             ntw01:
               name: ${_param:opencontrail_control_node01_hostname}
               provider: ${_param:infra_kvm_node01_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:opencontrail_control_backend_image}
               size: opencontrail.control
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_opencontrail_control}
             ntw02:
               name: ${_param:opencontrail_control_node02_hostname}
               provider: ${_param:infra_kvm_node02_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:opencontrail_control_backend_image}
               size: opencontrail.control
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_opencontrail_control}
             ntw03:
               name: ${_param:opencontrail_control_node03_hostname}
               provider: ${_param:infra_kvm_node03_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:opencontrail_control_backend_image}
               size: opencontrail.control
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_opencontrail_control}
diff --git a/salt/control/cluster/openstack_benchmark_single.yml b/salt/control/cluster/openstack_benchmark_single.yml
index 814f65a..3d2bacd 100644
--- a/salt/control/cluster/openstack_benchmark_single.yml
+++ b/salt/control/cluster/openstack_benchmark_single.yml
@@ -1,6 +1,6 @@
 parameters:
   _param:
-    openstack_benchmark_backend_image: ${_param:salt_control_trusty_image_backend}
+    openstack_benchmark_backend_image: ${_param:salt_control_xenial_image_backend}
     salt_control_cluster_node_cloud_init_openstack_benchmark:
       user_data:
         write_files:
@@ -25,7 +25,7 @@
             bmk01:
               name: ${_param:openstack_benchmark_node01_hostname}
               provider: ${_param:infra_kvm_node03_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_benchmark_backend_image}
               size: openstack.benchmark
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_benchmark}
diff --git a/salt/control/cluster/openstack_billing_single.yml b/salt/control/cluster/openstack_billing_single.yml
index 9853725..ae724e9 100644
--- a/salt/control/cluster/openstack_billing_single.yml
+++ b/salt/control/cluster/openstack_billing_single.yml
@@ -1,6 +1,6 @@
 parameters:
   _param:
-    openstack_billing_backend_image: ${_param:salt_control_trusty_image_backend}
+    openstack_billing_backend_image: ${_param:salt_control_xenial_image_backend}
     salt_control_cluster_node_cloud_init_openstack_billing:
       user_data:
         write_files:
@@ -24,7 +24,7 @@
           node:
             bil01:
               provider: ${_param:infra_kvm_node03_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_billing_backend_image}
               size: openstack.billing
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_billing}
diff --git a/salt/control/cluster/openstack_control_cluster.yml b/salt/control/cluster/openstack_control_cluster.yml
index 367041a..8ed8a5e 100644
--- a/salt/control/cluster/openstack_control_cluster.yml
+++ b/salt/control/cluster/openstack_control_cluster.yml
@@ -1,6 +1,6 @@
 parameters:
   _param:
-    openstack_control_backend_image: ${_param:salt_control_trusty_image_backend}
+    openstack_control_backend_image: ${_param:salt_control_xenial_image_backend}
     salt_control_cluster_node_cloud_init_openstack_control:
       user_data:
         write_files:
@@ -25,21 +25,21 @@
             ctl01:
               name: ${_param:openstack_control_node01_hostname}
               provider: ${_param:infra_kvm_node01_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_control_backend_image}
               size: openstack.control
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_control}
             ctl02:
               name: ${_param:openstack_control_node02_hostname}
               provider: ${_param:infra_kvm_node02_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_control_backend_image}
               size: openstack.control
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_control}
             ctl03:
               name: ${_param:openstack_control_node03_hostname}
               provider: ${_param:infra_kvm_node03_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_control_backend_image}
               size: openstack.control
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_control}
diff --git a/salt/control/cluster/openstack_database_cluster.yml b/salt/control/cluster/openstack_database_cluster.yml
index cee9ff8..56ecd2f 100644
--- a/salt/control/cluster/openstack_database_cluster.yml
+++ b/salt/control/cluster/openstack_database_cluster.yml
@@ -1,6 +1,6 @@
 parameters:
   _param:
-    openstack_database_backend_image: ${_param:salt_control_trusty_image_backend}
+    openstack_database_backend_image: ${_param:salt_control_xenial_image_backend}
     salt_control_cluster_node_cloud_init_openstack_database:
       user_data:
         write_files:
@@ -25,21 +25,21 @@
             dbs01:
               name: ${_param:openstack_database_node01_hostname}
               provider: ${_param:infra_kvm_node01_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_database_backend_image}
               size: openstack.database
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_database}
             dbs02:
               name: ${_param:openstack_database_node02_hostname}
               provider: ${_param:infra_kvm_node02_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_database_backend_image}
               size: openstack.database
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_database}
             dbs03:
               name: ${_param:openstack_database_node03_hostname}
               provider: ${_param:infra_kvm_node03_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_database_backend_image}
               size: openstack.database
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_database}
diff --git a/salt/control/cluster/openstack_message_queue_cluster.yml b/salt/control/cluster/openstack_message_queue_cluster.yml
index 7a59a52..cccc408 100644
--- a/salt/control/cluster/openstack_message_queue_cluster.yml
+++ b/salt/control/cluster/openstack_message_queue_cluster.yml
@@ -1,6 +1,6 @@
 parameters:
   _param:
-    openstack_message_queue_backend_image: ${_param:salt_control_trusty_image_backend}
+    openstack_message_queue_backend_image: ${_param:salt_control_xenial_image_backend}
     salt_control_cluster_node_cloud_init_openstack_message_queue:
       user_data:
         write_files:
@@ -25,21 +25,21 @@
             msg01:
               name: ${_param:openstack_message_queue_node01_hostname}
               provider: ${_param:infra_kvm_node01_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_message_queue_backend_image}
               size: openstack.message_queue
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_message_queue}
             msg02:
               name: ${_param:openstack_message_queue_node02_hostname}
               provider: ${_param:infra_kvm_node02_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_message_queue_backend_image}
               size: openstack.message_queue
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_message_queue}
             msg03:
               name: ${_param:openstack_message_queue_node03_hostname}
               provider: ${_param:infra_kvm_node03_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_message_queue_backend_image}
               size: openstack.message_queue
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_message_queue}
diff --git a/salt/control/cluster/openstack_proxy_cluster.yml b/salt/control/cluster/openstack_proxy_cluster.yml
index 1f3f134..4027e00 100644
--- a/salt/control/cluster/openstack_proxy_cluster.yml
+++ b/salt/control/cluster/openstack_proxy_cluster.yml
@@ -1,6 +1,6 @@
 parameters:
   _param:
-    openstack_proxy_backend_image: ${_param:salt_control_trusty_image_backend}
+    openstack_proxy_backend_image: ${_param:salt_control_xenial_image_backend}
     salt_control_cluster_node_cloud_init_openstack_proxy:
       user_data:
         write_files:
@@ -25,14 +25,14 @@
             prx01:
               name: ${_param:openstack_proxy_node01_hostname}
               provider: ${_param:infra_kvm_node01_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_proxy_backend_image}
               size: openstack.proxy
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_proxy}
             prx02:
               name: ${_param:openstack_proxy_node02_hostname}
               provider: ${_param:infra_kvm_node02_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_proxy_backend_image}
               size: openstack.proxy
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_proxy}
diff --git a/salt/control/cluster/openstack_proxy_single.yml b/salt/control/cluster/openstack_proxy_single.yml
index 11771b0..386d024 100644
--- a/salt/control/cluster/openstack_proxy_single.yml
+++ b/salt/control/cluster/openstack_proxy_single.yml
@@ -1,6 +1,6 @@
 parameters:
   _param:
-    openstack_proxy_backend_image: ${_param:salt_control_trusty_image_backend}
+    openstack_proxy_backend_image: ${_param:salt_control_xenial_image_backend}
     salt_control_cluster_node_cloud_init_openstack_proxy:
       user_data:
         write_files:
@@ -25,7 +25,7 @@
             prx01:
               name: ${_param:openstack_proxy_node01_hostname}
               provider: ${_param:infra_kvm_node01_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_proxy_backend_image}
               size: openstack.proxy
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_proxy}
diff --git a/salt/control/cluster/openstack_telemetry_cluster.yml b/salt/control/cluster/openstack_telemetry_cluster.yml
index 594d671..d53bb45 100644
--- a/salt/control/cluster/openstack_telemetry_cluster.yml
+++ b/salt/control/cluster/openstack_telemetry_cluster.yml
@@ -1,6 +1,6 @@
 parameters:
   _param:
-    openstack_telemetry_backend_image: ${_param:salt_control_trusty_image_backend}
+    openstack_telemetry_backend_image: ${_param:salt_control_xenial_image_backend}
     salt_control_cluster_node_cloud_init_openstack_telemetry:
       user_data:
         write_files:
@@ -25,21 +25,21 @@
             mdb01:
               name: ${_param:openstack_telemetry_node01_hostname}
               provider: ${_param:infra_kvm_node01_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_telemetry_backend_image}
               size: openstack.telemetry
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_telemetry}
             mdb02:
               name: ${_param:openstack_telemetry_node02_hostname}
               provider: ${_param:infra_kvm_node02_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_telemetry_backend_image}
               size: openstack.telemetry
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_telemetry}
             mdb03:
               name: ${_param:openstack_telemetry_node03_hostname}
               provider: ${_param:infra_kvm_node03_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_telemetry_backend_image}
               size: openstack.telemetry
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_telemetry}
diff --git a/salt/control/placement/opencontrail/medium.yml b/salt/control/placement/opencontrail/medium.yml
index e596bcb..f75e760 100644
--- a/salt/control/placement/opencontrail/medium.yml
+++ b/salt/control/placement/opencontrail/medium.yml
@@ -1,8 +1,8 @@
 parameters:
   _param:
-    infra_kvm07_hostname: kvm07
-    infra_kvm08_hostname: kvm08
-    infra_kvm09_hostname: kvm09
+    infra_kvm04_hostname: kvm04
+    infra_kvm05_hostname: kvm05
+    infra_kvm06_hostname: kvm06
     opencontrail_control_node01_hostname: ntw01
     opencontrail_control_node02_hostname: ntw02
     opencontrail_control_node03_hostname: ntw03
@@ -34,41 +34,41 @@
               name: ${_param:opencontrail_control_node01_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:opencontrail_control_backend_image}
-              provider: ${_param:infra_kvm_node07_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node04_hostname}.${_param:cluster_domain}
               size: opencontrail.control
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_opencontrail_control}
             ntw02:
               name: ${_param:opencontrail_control_node02_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:opencontrail_control_backend_image}
-              provider: ${_param:infra_kvm_node08_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node05_hostname}.${_param:cluster_domain}
               size: opencontrail.control
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_opencontrail_control}
             ntw03:
               name: ${_param:opencontrail_control_node03_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:opencontrail_control_backend_image}
-              provider: ${_param:infra_kvm_node09_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node06_hostname}.${_param:cluster_domain}
               size: opencontrail.control
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_opencontrail_control}
             nal01:
               name: ${_param:opencontrail_analytics_node01_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:opencontrail_analytics_backend_image}
-              provider: ${_param:infra_kvm_node07_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node04_hostname}.${_param:cluster_domain}
               size: opencontrail.analytics
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_opencontrail_analytics}
             nal02:
               name: ${_param:opencontrail_analytics_node02_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:opencontrail_analytics_backend_image}
-              provider: ${_param:infra_kvm_node08_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node05_hostname}.${_param:cluster_domain}
               size: opencontrail.analytics
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_opencontrail_analytics}
             nal03:
               name: ${_param:opencontrail_analytics_node03_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:opencontrail_analytics_backend_image}
-              provider: ${_param:infra_kvm_node09_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node06_hostname}.${_param:cluster_domain}
               size: opencontrail.analytics
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_opencontrail_analytics}
diff --git a/salt/control/placement/openstack/medium.yml b/salt/control/placement/openstack/medium.yml
index 6867e3a..d2a8507 100644
--- a/salt/control/placement/openstack/medium.yml
+++ b/salt/control/placement/openstack/medium.yml
@@ -17,10 +17,17 @@
     openstack_message_queue_node03_hostname: msg03
     openstack_proxy_node01_hostname: prx01
     openstack_proxy_node02_hostname: prx02
+    openstack_dns_node01_hostname: dns01
+    openstack_dns_node02_hostname: dns02
+    openstack_barbican_node01_hostname: kmn01
+    openstack_barbican_node02_hostname: kmn02
+    openstack_barbican_node03_hostname: kmn03
     openstack_control_backend_image: ${_param:salt_control_xenial_image_backend}
     openstack_database_backend_image: ${_param:salt_control_xenial_image_backend}
     openstack_message_queue_backend_image: ${_param:salt_control_xenial_image_backend}
     openstack_proxy_backend_image: ${_param:salt_control_xenial_image_backend}
+    openstack_barbican_backend_image: ${_param:salt_control_xenial_image_backend}
+    openstack_dns_backend_image: ${_param:salt_control_xenial_image_backend}
     salt_control_cluster_node_cloud_init_openstack_control:
       user_data:
         write_files:
@@ -49,6 +56,20 @@
             ${salt:control:size:openstack.proxy:image_layout}
           owner: root:root
           path: /usr/share/growlvm/image-layout.yml
+    salt_control_cluster_node_cloud_init_openstack_dns:
+      user_data:
+        write_files:
+        - content: |
+            ${salt:control:size:openstack.dns:image_layout}
+          owner: root:root
+          path: /usr/share/growlvm/image-layout.yml
+    salt_control_cluster_node_cloud_init_openstack_barbican:
+      user_data:
+        write_files:
+        - content: |
+            ${salt:control:size:openstack.barbican:image_layout}
+          owner: root:root
+          path: /usr/share/growlvm/image-layout.yml
   salt:
     control:
       cluster:
@@ -100,34 +121,69 @@
               name: ${_param:openstack_message_queue_node01_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_message_queue_backend_image}
-              provider: ${_param:infra_kvm_node04_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node01_hostname}.${_param:cluster_domain}
               size: openstack.message_queue
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_message_queue}
             msg02:
               name: ${_param:openstack_message_queue_node02_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_message_queue_backend_image}
-              provider: ${_param:infra_kvm_node05_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node02_hostname}.${_param:cluster_domain}
               size: openstack.message_queue
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_message_queue}
             msg03:
               name: ${_param:openstack_message_queue_node03_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_message_queue_backend_image}
-              provider: ${_param:infra_kvm_node06_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node03_hostname}.${_param:cluster_domain}
               size: openstack.message_queue
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_message_queue}
             prx01:
               name: ${_param:openstack_proxy_node01_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_proxy_backend_image}
-              provider: ${_param:infra_kvm_node04_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node02_hostname}.${_param:cluster_domain}
               size: openstack.proxy
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_proxy}
             prx02:
               name: ${_param:openstack_proxy_node02_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_proxy_backend_image}
-              provider: ${_param:infra_kvm_node05_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node03_hostname}.${_param:cluster_domain}
               size: openstack.proxy
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_proxy}
+            dns01:
+              name: ${_param:openstack_dns_node01_hostname}
+              image: ${_param:salt_control_xenial_image}
+              backend: ${_param:openstack_dns_backend_image}
+              provider: ${_param:infra_kvm_node02_hostname}.${_param:cluster_domain}
+              size: openstack.dns
+              cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_dns}
+            dns02:
+              name: ${_param:openstack_dns_node02_hostname}
+              image: ${_param:salt_control_xenial_image}
+              backend: ${_param:openstack_dns_backend_image}
+              provider: ${_param:infra_kvm_node03_hostname}.${_param:cluster_domain}
+              size: openstack.dns
+              cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_dns}
+            kmn01:
+              name: ${_param:openstack_barbican_node01_hostname}
+              image: ${_param:salt_control_xenial_image}
+              backend: ${_param:openstack_barbican_backend_image}
+              provider: ${_param:infra_kvm_node01_hostname}.${_param:cluster_domain}
+              size: openstack.barbican
+              cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_barbican}
+            kmn02:
+              name: ${_param:openstack_barbican_node02_hostname}
+              image: ${_param:salt_control_xenial_image}
+              backend: ${_param:openstack_barbican_backend_image}
+              provider: ${_param:infra_kvm_node02_hostname}.${_param:cluster_domain}
+              size: openstack.barbican
+              cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_barbican}
+            kmn03:
+              name: ${_param:openstack_barbican_node03_hostname}
+              image: ${_param:salt_control_xenial_image}
+              backend: ${_param:openstack_barbican_backend_image}
+              provider: ${_param:infra_kvm_node03_hostname}.${_param:cluster_domain}
+              size: openstack.barbican
+              cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_barbican}
diff --git a/salt/control/placement/stacklight/medium.yml b/salt/control/placement/stacklight/medium.yml
index d8279c6..4bfd44c 100644
--- a/salt/control/placement/stacklight/medium.yml
+++ b/salt/control/placement/stacklight/medium.yml
@@ -1,8 +1,8 @@
 parameters:
   _param:
-    infra_kvm10_hostname: kvm10
-    infra_kvm11_hostname: kvm11
-    infra_kvm12_hostname: kvm12
+    infra_kvm04_hostname: kvm04
+    infra_kvm05_hostname: kvm05
+    infra_kvm06_hostname: kvm06
     stacklight_log_node01_hostname: log01
     stacklight_log_node02_hostname: log02
     stacklight_log_node03_hostname: log03
@@ -45,62 +45,62 @@
               name: ${_param:stacklight_telemetry_node01_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:stacklight_telemetry_backend_image}
-              provider: ${_param:infra_kvm_node10_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node04_hostname}.${_param:cluster_domain}
               size: stacklight.telemetry
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_stacklight_telemetry}
             mtr02:
               name: ${_param:stacklight_telemetry_node02_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:stacklight_telemetry_backend_image}
-              provider: ${_param:infra_kvm_node11_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node05_hostname}.${_param:cluster_domain}
               size: stacklight.telemetry
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_stacklight_telemetry}
             mtr03:
               name: ${_param:stacklight_telemetry_node03_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:stacklight_telemetry_backend_image}
-              provider: ${_param:infra_kvm_node12_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node06_hostname}.${_param:cluster_domain}
               size: stacklight.telemetry
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_stacklight_telemetry}
             log01:
               name: ${_param:stacklight_log_node01_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:stacklight_log_backend_image}
-              provider: ${_param:infra_kvm_node10_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node04_hostname}.${_param:cluster_domain}
               size: stacklight.log
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_stacklight_log}
             log02:
               name: ${_param:stacklight_log_node02_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:stacklight_log_backend_image}
-              provider: ${_param:infra_kvm_node11_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node05_hostname}.${_param:cluster_domain}
               size: stacklight.log
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_stacklight_log}
             log03:
               name: ${_param:stacklight_log_node03_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:stacklight_log_backend_image}
-              provider: ${_param:infra_kvm_node12_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node06_hostname}.${_param:cluster_domain}
               size: stacklight.log
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_stacklight_log}
             mon01:
               name: ${_param:stacklight_monitor_node01_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:stacklight_monitor_backend_image}
-              provider: ${_param:infra_kvm_node10_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node04_hostname}.${_param:cluster_domain}
               size: stacklight.server
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_stacklight_server}
             mon02:
               name: ${_param:stacklight_monitor_node02_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:stacklight_monitor_backend_image}
-              provider: ${_param:infra_kvm_node11_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node05_hostname}.${_param:cluster_domain}
               size: stacklight.server
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_stacklight_server}
             mon03:
               name: ${_param:stacklight_monitor_node03_hostname}
               image: ${_param:salt_control_xenial_image}
               backend: ${_param:stacklight_monitor_backend_image}
-              provider: ${_param:infra_kvm_node12_hostname}.${_param:cluster_domain}
+              provider: ${_param:infra_kvm_node06_hostname}.${_param:cluster_domain}
               size: stacklight.server
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_stacklight_server}
diff --git a/salt/control/sizes/opencontrail/medium.yml b/salt/control/sizes/opencontrail/medium.yml
index 3690a11..94a002a 100644
--- a/salt/control/sizes/opencontrail/medium.yml
+++ b/salt/control/sizes/opencontrail/medium.yml
@@ -1,12 +1,12 @@
 parameters:
   _param:
-    salt_control_size_cpu_opencontrail_control: 8
-    salt_control_size_ram_opencontrail_control: 65536
+    salt_control_size_cpu_opencontrail_control: 12
+    salt_control_size_ram_opencontrail_control: 32768
     salt_control_size_disk_profile_opencontrail_control: large
     salt_control_size_net_profile_opencontrail_control: default
-    salt_control_size_cpu_opencontrail_analytics: 16
-    salt_control_size_ram_opencontrail_analytics: 98304
-    salt_control_size_disk_profile_opencontrail_analytics: xhuge
+    salt_control_size_cpu_opencontrail_analytics: 12
+    salt_control_size_ram_opencontrail_analytics: 49152
+    salt_control_size_disk_profile_opencontrail_analytics: huge
     salt_control_size_net_profile_opencontrail_analytics: default
   salt:
     control:
diff --git a/salt/control/sizes/openstack/medium.yml b/salt/control/sizes/openstack/medium.yml
index cadaa79..d8a89b5 100644
--- a/salt/control/sizes/openstack/medium.yml
+++ b/salt/control/sizes/openstack/medium.yml
@@ -14,7 +14,7 @@
     salt_control_size_net_profile_openstack_message_queue: default
     salt_control_size_cpu_openstack_proxy: 4
     salt_control_size_ram_openstack_proxy: 16384
-    salt_control_size_disk_profile_openstack_proxy: small
+    salt_control_size_disk_profile_openstack_proxy: xxlarge
     salt_control_size_net_profile_openstack_proxy: default
     salt_control_size_cpu_openstack_upgrade: 8
     salt_control_size_ram_openstack_upgrade: 16384
@@ -24,8 +24,8 @@
     salt_control_size_ram_openstack_share: 4096
     salt_control_size_disk_profile_openstack_share: large
     salt_control_size_net_profile_openstack_share: default
-    salt_control_size_cpu_openstack_dns: 4
-    salt_control_size_ram_openstack_dns: 6144
+    salt_control_size_cpu_openstack_dns: 2
+    salt_control_size_ram_openstack_dns: 4096
     salt_control_size_disk_profile_openstack_dns: small
     salt_control_size_net_profile_openstack_dns: default
     salt_control_size_cpu_openstack_telemetry: 8
@@ -33,8 +33,8 @@
     salt_control_size_disk_profile_openstack_telemetry: large
     salt_control_size_net_profile_openstack_telemetry: default
     salt_control_size_cpu_openstack_barbican: 4
-    salt_control_size_ram_openstack_barbican: 16384
-    salt_control_size_disk_profile_openstack_barbican: large
+    salt_control_size_ram_openstack_barbican: 8192
+    salt_control_size_disk_profile_openstack_barbican: small
     salt_control_size_net_profile_openstack_barbican: default
     salt_control_size_cpu_openstack_baremetal: 16
     salt_control_size_ram_openstack_baremetal: 16384
@@ -67,18 +67,6 @@
           disk_profile: ${_param:salt_control_size_disk_profile_openstack_proxy}
           net_profile: ${_param:salt_control_size_net_profile_openstack_proxy}
           image_layout: ${_param:salt_control_size_image_layout_openstack_proxy}
-        openstack.upgrade:
-          cpu: ${_param:salt_control_size_cpu_openstack_upgrade}
-          ram: ${_param:salt_control_size_ram_openstack_upgrade}
-          disk_profile: ${_param:salt_control_size_disk_profile_openstack_upgrade}
-          net_profile: ${_param:salt_control_size_net_profile_openstack_upgrade}
-          image_layout: ${_param:salt_control_size_image_layout_openstack_upgrade}
-        openstack.share:
-          cpu: ${_param:salt_control_size_cpu_openstack_share}
-          ram: ${_param:salt_control_size_ram_openstack_share}
-          disk_profile: ${_param:salt_control_size_disk_profile_openstack_share}
-          net_profile: ${_param:salt_control_size_net_profile_openstack_share}
-          image_layout: ${_param:salt_control_size_image_layout_openstack_share}
         openstack.dns:
           cpu: ${_param:salt_control_size_cpu_openstack_dns}
           ram: ${_param:salt_control_size_ram_openstack_dns}
@@ -97,9 +85,3 @@
           disk_profile: ${_param:salt_control_size_disk_profile_openstack_barbican}
           net_profile: ${_param:salt_control_size_net_profile_openstack_barbican}
           image_layout: ${_param:salt_control_size_image_layout_openstack_barbican}
-        openstack.baremetal:
-          cpu: ${_param:salt_control_size_cpu_openstack_baremetal}
-          ram: ${_param:salt_control_size_ram_openstack_baremetal}
-          disk_profile: ${_param:salt_control_size_disk_profile_openstack_baremetal}
-          net_profile: ${_param:salt_control_size_net_profile_openstack_baremetal}
-          image_layout: ${_param:salt_control_size_image_layout_openstack_baremetal}
diff --git a/salt/control/sizes/stacklight/medium.yml b/salt/control/sizes/stacklight/medium.yml
index 16a19e1..a1793d4 100644
--- a/salt/control/sizes/stacklight/medium.yml
+++ b/salt/control/sizes/stacklight/medium.yml
@@ -1,15 +1,15 @@
 parameters:
   _param:
     salt_control_size_cpu_stacklight_log: 16
-    salt_control_size_ram_stacklight_log: 49152
+    salt_control_size_ram_stacklight_log: 32768
     salt_control_size_disk_profile_stacklight_log: xxhuge
     salt_control_size_net_profile_stacklight_log: default
     salt_control_size_cpu_stacklight_server: 12
-    salt_control_size_ram_stacklight_server: 65536
-    salt_control_size_disk_profile_stacklight_server: xxlarge
+    salt_control_size_ram_stacklight_server: 49152
+    salt_control_size_disk_profile_stacklight_server: huge
     salt_control_size_net_profile_stacklight_server: default
     salt_control_size_cpu_stacklight_telemetry: 12
-    salt_control_size_ram_stacklight_telemetry: 98304
+    salt_control_size_ram_stacklight_telemetry: 49152
     salt_control_size_disk_profile_stacklight_telemetry: xhuge
     salt_control_size_net_profile_stacklight_telemetry: default
   salt:
diff --git a/salt/master/single.yml b/salt/master/single.yml
index 8d36565..a4f25d4 100644
--- a/salt/master/single.yml
+++ b/salt/master/single.yml
@@ -4,11 +4,12 @@
 parameters:
   linux:
     system:
-      sysctl:
-        net.core.rmem_max: 16777216
-        net.core.wmem_max: 16777216
-        net.ipv4.tcp_rmem: 4096 87380 16777216
-        net.ipv4.tcp_wmem: 4096 87380 16777216
+      kernel:
+        sysctl:
+          net.core.rmem_max: 16777216
+          net.core.wmem_max: 16777216
+          net.ipv4.tcp_rmem: 4096 87380 16777216
+          net.ipv4.tcp_wmem: 4096 87380 16777216
   salt:
     master:
       accept_policy: auto_accept
diff --git a/salt/minion/ca/qemu-vnc_ca.yml b/salt/minion/ca/qemu-vnc_ca.yml
index a4583ad..d787fb2 100644
--- a/salt/minion/ca/qemu-vnc_ca.yml
+++ b/salt/minion/ca/qemu-vnc_ca.yml
@@ -6,6 +6,7 @@
     qemu_vnc_ca_organization: Mirantis
     qemu_vnc_ca_days_valid_authority: 3650
     qemu_vnc_ca_days_valid_certificate: 365
+    qemu_vnc_ca_signing_policy_cert_client_minions: 'ctl*'
   salt:
     minion:
       ca:
@@ -24,7 +25,7 @@
               minions: '*'
             cert_client:
               type: v3_edge_cert_client
-              minions: 'ctl*'
+              minions: ${_param:qemu_vnc_ca_signing_policy_cert_client_minions}
           days_valid:
             authority: ${_param:qemu_vnc_ca_days_valid_authority}
             certificate: ${_param:qemu_vnc_ca_days_valid_certificate}
diff --git a/salt/minion/cert/opencontrail/api.yml b/salt/minion/cert/opencontrail/api.yml
new file mode 100644
index 0000000..717fb33
--- /dev/null
+++ b/salt/minion/cert/opencontrail/api.yml
@@ -0,0 +1,17 @@
+parameters:
+  salt:
+    minion:
+      cert:
+        opencontrail_api:
+          host: ${_param:salt_minion_ca_host}
+          authority: ${_param:salt_minion_ca_authority}
+          common_name: opencontrail_api
+          signing_policy: cert_server
+          alternative_names: IP:127.0.0.1,IP:${_param:cluster_local_address},IP:${_param:cluster_vip_address},DNS:${linux:system:name},DNS:${linux:network:fqdn},DNS:${_param:cluster_vip_address}
+          key_file: ${_param:opencontrail_api_keyfile}
+          cert_file: ${_param:opencontrail_api_certfile}
+          ca_file: ${_param:opencontrail_api_cafile}
+          all_file: ${_param:opencontrail_api_all_pemfile}
+          user: contrail
+          enabled: true
+          engine: salt
diff --git a/salt/minion/cert/proxy/drivetrain_ssl.yml b/salt/minion/cert/proxy/drivetrain_ssl.yml
new file mode 100644
index 0000000..5e7cf5f
--- /dev/null
+++ b/salt/minion/cert/proxy/drivetrain_ssl.yml
@@ -0,0 +1,18 @@
+parameters:
+  salt:
+    minion:
+      cert:
+        drivetrain:
+          host: ${_param:salt_minion_ca_host}
+          authority: ${_param:salt_minion_ca_authority}
+          common_name: drivetrain
+          signing_policy: cert_server
+          alternative_names: "DNS:${_param:cluster_public_host}, DNS:*.${_param:cluster_public_host}, DNS:${_param:cicd_control_address}, IP:${_param:cicd_control_address}"
+          key_file: /etc/haproxy/ssl/drivetrain.key
+          cert_file: /etc/haproxy/ssl/drivetrain.crt
+          ca_file: /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem
+          all_file: /etc/haproxy/ssl/drivetrain.pem
+          user: root
+          group: haproxy
+          mode: 640
+          enabled: true
diff --git a/telegraf/agent/init.yml b/telegraf/agent/init.yml
index 64ef566..213d3ba 100644
--- a/telegraf/agent/init.yml
+++ b/telegraf/agent/init.yml
@@ -1,5 +1,6 @@
 classes:
 - service.telegraf.agent
+- system.telegraf.agent.input.internal
 - system.telegraf.agent.input.http_listener
 - system.telegraf.agent.output.prometheus_client
 - system.telegraf.sudo
diff --git a/telegraf/agent/input/internal.yml b/telegraf/agent/input/internal.yml
new file mode 100644
index 0000000..aba90c8
--- /dev/null
+++ b/telegraf/agent/input/internal.yml
@@ -0,0 +1,5 @@
+parameters:
+  telegraf:
+    agent:
+      input:
+        internal:
diff --git a/vnf_onboarding/common/init.yml b/vnf_onboarding/common/init.yml
index f988897..88ade04 100644
--- a/vnf_onboarding/common/init.yml
+++ b/vnf_onboarding/common/init.yml
@@ -1,7 +1,6 @@
 parameters:
   _param:
     mcp_docker_registry: 'docker-dev-local.docker.mirantis.net'
-    vnf_gerrit_credentials: "gerrit"
     vnf_openstack_api_url: "${_param:cluster_public_protocol}://${_param:cluster_public_host}:5000/v2.0"
     vnf_openstack_api_credentials: "test-openstack"
     vnf_openstack_api_admin_credentials: "admin-openstack"
diff --git a/vnf_onboarding/common/jenkins_job.yml b/vnf_onboarding/common/jenkins_job.yml
index b63aa34..a928d2f 100644
--- a/vnf_onboarding/common/jenkins_job.yml
+++ b/vnf_onboarding/common/jenkins_job.yml
@@ -12,7 +12,7 @@
           scm:
             type: git
             url: "${_param:jenkins_gerrit_url}/vnf-onboarding/pipelines"
-            credentials: "${_param:vnf_gerrit_credentials}"
+            credentials: "${_param:jenkins_gerrit_credentials}"
             script: deploy_cloudify.groovy
           param:
             OPENSTACK_API_URL:
@@ -33,7 +33,7 @@
               default: "master"
             NFV_PLATFORM_REPO_CREDENTIALS:
               type: string
-              default: "${_param:vnf_gerrit_credentials}"
+              default: "${_param:jenkins_gerrit_credentials}"
             CFM_IMAGE:
               type: string
               default: "cloudify-manager-4.3.1ga"
diff --git a/vnf_onboarding/common/mirrors.yml b/vnf_onboarding/common/mirrors.yml
index 83d11c0..c830d85 100644
--- a/vnf_onboarding/common/mirrors.yml
+++ b/vnf_onboarding/common/mirrors.yml
@@ -9,7 +9,9 @@
         downstream: vnf-onboarding/pipelines
         upstream: ${_param:gerrit_vnf_onboaring_pipelines_repo}
         branches: master
+        source_credentials: "${_param:vnf_onboaring_source_credentials}"
       - name: nfv-platform
         downstream: vnf-onboarding/nfv-platform
         upstream: ${_param:gerrit_vnf_onboaring_nfv_platform_repo}
-        branches: master
\ No newline at end of file
+        branches: master
+        source_credentials: "${_param:vnf_onboaring_source_credentials}"
\ No newline at end of file
diff --git a/vnf_onboarding/vnf/avi_loadbalancer/jenkins_template.yml b/vnf_onboarding/vnf/avi_loadbalancer/jenkins_template.yml
index 54d82fc..c4ad531 100644
--- a/vnf_onboarding/vnf/avi_loadbalancer/jenkins_template.yml
+++ b/vnf_onboarding/vnf/avi_loadbalancer/jenkins_template.yml
@@ -17,7 +17,7 @@
             scm:
               type: git
               url: "${_param:jenkins_gerrit_url}/vnf-onboarding/pipelines"
-              credentials: "${_param:vnf_gerrit_credentials}"
+              credentials: "${_param:jenkins_gerrit_credentials}"
               script: test_vnf_onboarding.groovy
             trigger:
               gerrit:
@@ -59,7 +59,7 @@
                 default: "test-avi"
               GERRIT_CREDENTIALS:
                 type: string
-                default: "${_param:vnf_gerrit_credentials}"
+                default: "${_param:jenkins_gerrit_credentials}"
               ELASTIC_URL:
                 type: string
                 default: "${_param:vnf_elastic_url}"
@@ -75,7 +75,7 @@
                 default: "master"
               NFV_PLATFORM_REPO_CREDENTIALS:
                 type: string
-                default: "${_param:vnf_gerrit_credentials}"
+                default: "${_param:jenkins_gerrit_credentials}"
               CONTRAIL_ENABLED:
                 type: boolean
                 default: false
diff --git a/vnf_onboarding/vnf/avi_loadbalancer/mirrors.yml b/vnf_onboarding/vnf/avi_loadbalancer/mirrors.yml
index c74bda3..0b47570 100644
--- a/vnf_onboarding/vnf/avi_loadbalancer/mirrors.yml
+++ b/vnf_onboarding/vnf/avi_loadbalancer/mirrors.yml
@@ -7,4 +7,5 @@
       - name: avi-loadbalancer
         downstream: vnf-onboarding/avi-loadbalancer
         upstream: ${_param:gerrit_vnf_onboaring_avi_repo}
-        branches: master
\ No newline at end of file
+        branches: master
+        source_credentials: "${_param:vnf_onboaring_source_credentials}"
\ No newline at end of file
diff --git a/vnf_onboarding/vnf/metaswitch_vsbc/jenkins_job.yml b/vnf_onboarding/vnf/metaswitch_vsbc/jenkins_job.yml
index e480d46..709ab38 100644
--- a/vnf_onboarding/vnf/metaswitch_vsbc/jenkins_job.yml
+++ b/vnf_onboarding/vnf/metaswitch_vsbc/jenkins_job.yml
@@ -14,7 +14,7 @@
             scm:
               type: git
               url: "${_param:jenkins_gerrit_url}/vnf-onboarding/pipelines"
-              credentials:  "${_param:vnf_gerrit_credentials}"
+              credentials: "${_param:jenkins_gerrit_credentials}"
               script: test_vnf_onboarding.groovy
             trigger:
               gerrit:
@@ -53,7 +53,7 @@
                 default: "test-metaswitch"
               GERRIT_CREDENTIALS:
                 type: string
-                default: "${_param:vnf_gerrit_credentials}"
+                default: "${_param:jenkins_gerrit_credentials}"
               ELASTIC_URL:
                 type: string
                 default: "${_param:vnf_elastic_url}"
@@ -70,7 +70,7 @@
                 default: "master"
               NFV_PLATFORM_REPO_CREDENTIALS:
                 type: string
-                default: "${_param:vnf_gerrit_credentials}"
+                default: "${_param:jenkins_gerrit_credentials}"
               CONTRAIL_ENABLED:
                 type: boolean
                 default: false
@@ -146,7 +146,7 @@
           scm:
             type: git
             url: "${_param:jenkins_gerrit_url}/vnf-onboarding/pipelines"
-            credentials: "${_param:vnf_gerrit_credentials}"
+            credentials: "${_param:jenkins_gerrit_credentials}"
             script: test_platform.groovy
           param:
             OPENSTACK_API_CREDENTIALS:
@@ -202,7 +202,7 @@
               default: "master"
             VNF_PLATFORM_TESTS_REPO_CREDENTIALS:
               type: string
-              default: "${_param:vnf_gerrit_credentials}"
+              default: "${_param:jenkins_gerrit_credentials}"
             TEMPEST_IMAGE_DOCKER_REGISTRY_PATH:
               type: string
               description: "Path for docker image with testing tool.  If empty, image will be build using VNF_PLATFORM_TESTS_* parameters."
@@ -221,7 +221,7 @@
               default: "${_param:jenkins_gerrit_url}/vnf-onboarding/nfv-platform"
             ELASTIC_TRANSFER_REPO_CREDENTIALS:
               type: string
-              default: "${_param:vnf_gerrit_credentials}"
+              default: "${_param:jenkins_gerrit_credentials}"
             ELASTIC_TRANSFER_REPO_BRANCH:
               type: string
               default: "master"
diff --git a/vnf_onboarding/vnf/metaswitch_vsbc/mirrors.yml b/vnf_onboarding/vnf/metaswitch_vsbc/mirrors.yml
index 0a0c300..f032fb4 100644
--- a/vnf_onboarding/vnf/metaswitch_vsbc/mirrors.yml
+++ b/vnf_onboarding/vnf/metaswitch_vsbc/mirrors.yml
@@ -9,7 +9,9 @@
         downstream: vnf-onboarding/metaswitch-vsbc
         upstream: ${_param:gerrit_vnf_onboaring_metaswitch_repo}
         branches: master
+        source_credentials: "${_param:vnf_onboaring_source_credentials}"
       - name: platform-tests
         downstream: vnf-onboarding/platform-tests
         upstream: ${_param:gerrit_vnf_onboaring_platform_tests_repo}
-        branches: master
\ No newline at end of file
+        branches: master
+        source_credentials: "${_param:vnf_onboaring_source_credentials}"
\ No newline at end of file
diff --git a/vnf_onboarding/vnf/mock_nginx/jenkins_template.yml b/vnf_onboarding/vnf/mock_nginx/jenkins_template.yml
index e2f4cbd..b72994e 100644
--- a/vnf_onboarding/vnf/mock_nginx/jenkins_template.yml
+++ b/vnf_onboarding/vnf/mock_nginx/jenkins_template.yml
@@ -18,7 +18,7 @@
             scm:
               type: git
               url: "${_param:jenkins_gerrit_url}/vnf-onboarding/pipelines"
-              credentials: "${_param:vnf_gerrit_credentials}"
+              credentials: "${_param:jenkins_gerrit_credentials}"
               script: test_vnf_onboarding.groovy
             trigger:
               gerrit:
@@ -60,7 +60,7 @@
                 default: "test-nginx"
               GERRIT_CREDENTIALS:
                 type: string
-                default: "${_param:vnf_gerrit_credentials}"
+                default: "${_param:jenkins_gerrit_credentials}"
               ELASTIC_URL:
                 type: string
                 default: "${_param:vnf_elastic_url}"
@@ -77,7 +77,7 @@
                 default: "master"
               NFV_PLATFORM_REPO_CREDENTIALS:
                 type: string
-                default: "${_param:vnf_gerrit_credentials}"
+                default: "${_param:jenkins_gerrit_credentials}"
               CONTRAIL_ENABLED:
                 type: boolean
                 default: false
diff --git a/vnf_onboarding/vnf/mock_nginx/mirrors.yml b/vnf_onboarding/vnf/mock_nginx/mirrors.yml
index 6aff50c..76ca94c 100644
--- a/vnf_onboarding/vnf/mock_nginx/mirrors.yml
+++ b/vnf_onboarding/vnf/mock_nginx/mirrors.yml
@@ -7,4 +7,5 @@
       - name: nginx-vnf
         downstream: vnf-onboarding/nginx-vnf
         upstream: ${_param:gerrit_vnf_onboaring_nginx_repo}
-        branches: master
\ No newline at end of file
+        branches: master
+        source_credentials: "${_param:vnf_onboaring_source_credentials}"
\ No newline at end of file
diff --git a/xtrabackup/client/single.yml b/xtrabackup/client/single.yml
index 25fa6d2..ec24f7d 100644
--- a/xtrabackup/client/single.yml
+++ b/xtrabackup/client/single.yml
@@ -6,4 +6,11 @@
     xtrabackup_client_throttle: 0 # disabled
   xtrabackup:
     client:
+      cron: false
       throttle: ${_param:xtrabackup_client_throttle}
+      incr_before_full: ${_param:xtrabackup_client_incr_before_full}
+  linux:
+    system:
+      package:
+        sysstat:
+          version: latest
\ No newline at end of file
diff --git a/xtrabackup/server/single.yml b/xtrabackup/server/single.yml
index 92d9fc3..d440e48 100644
--- a/xtrabackup/server/single.yml
+++ b/xtrabackup/server/single.yml
@@ -3,6 +3,7 @@
 parameters:
   xtrabackup:
     server:
+      cron: false
       backup_dir: /srv/volumes/backup/xtrabackup
       key:
         xtrabackup_pub_key:
@@ -13,3 +14,6 @@
         user:
           xtrabackup:
             enabled: true
+      package:
+        sysstat:
+          version: latest
\ No newline at end of file