Merge "Define default opencontrail parameters"
diff --git a/defaults/haproxy/elasticsearch.yml b/defaults/haproxy/elasticsearch.yml
new file mode 100644
index 0000000..07db053
--- /dev/null
+++ b/defaults/haproxy/elasticsearch.yml
@@ -0,0 +1,6 @@
+parameters:
+  _param:
+    haproxy_elasticsearch_http_bind_port: 9200
+    haproxy_elasticsearch_http_exposed_port: 9200
+    haproxy_elasticsearch_binary_bind_port: 9300
+    haproxy_elasticsearch_binary_exposed_port: 9300
diff --git a/defaults/haproxy/init.yml b/defaults/haproxy/init.yml
new file mode 100644
index 0000000..499e085
--- /dev/null
+++ b/defaults/haproxy/init.yml
@@ -0,0 +1,2 @@
+classes:
+- system.defaults.haproxy.elasticsearch
diff --git a/defaults/init.yml b/defaults/init.yml
index c05e518..b37fbfb 100644
--- a/defaults/init.yml
+++ b/defaults/init.yml
@@ -27,6 +27,7 @@
 - system.defaults.stacklight
 - system.defaults.xtrabackup
 - system.defaults.backup
+- system.defaults.haproxy
 # k8s
 - system.defaults.etcd
 parameters:
diff --git a/defaults/openstack/init.yml b/defaults/openstack/init.yml
index 536fe60..153bca8 100644
--- a/defaults/openstack/init.yml
+++ b/defaults/openstack/init.yml
@@ -38,7 +38,7 @@
     openstack_service_user_options:
       ignore_change_password_upon_first_use: True
       ignore_password_expiry: True
-      ignore_lockout_failure_attempts: False
+      ignore_lockout_failure_attempts: True
       lock_password: False
     # Cinder
     cinder_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
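Review bot: With `ignore_lockout_failure_attempts: True` in `openstack_service_user_options`, every service user that takes these defaults is exempt from Keystone's failed-login lockout, and nothing on the line says this is deliberate. The trade-off is real, since a lockout on a service account is an easy denial of service, but password guessing against those accounts is then no longer throttled by Keystone. I would add a comment above the option such as `# service users are exempt from lockout so failed logins cannot disable a service; rely on long random passwords and auth-failure alerting`. The mapping starts outside this hunk, so its other options were not reviewed.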
diff --git a/defaults/stacklight.yml b/defaults/stacklight.yml
index 1abbb5e..8838246 100644
--- a/defaults/stacklight.yml
+++ b/defaults/stacklight.yml
@@ -1,5 +1,8 @@
 parameters:
   _param:
+    fluentd_elasticsearch_host: 127.0.0.1
+    fluentd_elasticsearch_port: 9200
+    fluentd_elasticsearch_scheme: http
     # ELK stack versions
     elasticsearch_version: 5
     kibana_version: 5
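Review bot: `fluentd_elasticsearch_scheme: http` is the only value this parameter receives anywhere in the commit. The new `elasticsearch/client/ssl.yml`, `kibana/client/ssl.yml` and `kibana/server/ssl.yml` classes switch their own scheme to https, but no class does the same for fluentd. As far as this diff shows, a deployment that includes `haproxy/proxy/listen/stacklight/elasticsearch_ssl.yml` would keep fluentd sending cleartext HTTP to a TLS listener until someone overrides the parameter by hand. I would either add a small fluentd ssl class that sets `fluentd_elasticsearch_scheme: https`, or put a comment on this line: `# set to https when the elasticsearch_ssl haproxy listener is used`.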
diff --git a/docker/host.yml b/docker/host.yml
index a88ff2f..894f6ee 100644
--- a/docker/host.yml
+++ b/docker/host.yml
@@ -14,6 +14,7 @@
         - ${_param:cluster_vip_address}:5000
         - ${_param:cluster_public_host}:5000
       options:
+        bridge: none
         ipv6: true
         fixed-cidr-v6: fc00::/7
         storage-driver: overlay2
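Review bot: `bridge: none` disables the daemon's default bridge network, yet `ipv6: true` and `fixed-cidr-v6: fc00::/7` just below configure addressing for that same bridge, so they now look unused or conflicting; please confirm the daemon still starts with this combination. The new line also has no comment explaining why the default bridge is switched off. Suggested comment: `# no default docker0 bridge: containers must join an explicitly defined network`. The `options` mapping continues past the end of the hunk.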
diff --git a/elasticsearch/client/ssl.yml b/elasticsearch/client/ssl.yml
new file mode 100644
index 0000000..9f0f9c2
--- /dev/null
+++ b/elasticsearch/client/ssl.yml
@@ -0,0 +1,5 @@
+parameters:
+  elasticsearch:
+    client:
+      server:
+        scheme: https
diff --git a/fluentd/label/default_metric/prometheus_ssl.yml b/fluentd/label/default_metric/prometheus_ssl.yml
new file mode 100644
index 0000000..292c481
--- /dev/null
+++ b/fluentd/label/default_metric/prometheus_ssl.yml
@@ -0,0 +1,9 @@
+parameters:
+  fluentd:
+    agent:
+      config:
+        input:
+          prometheus:
+            metric:
+              ssl:
+                enabled: True
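Review bot: Nothing in this class pulls in the key and certificate that the TLS-enabled prometheus metric input needs; they are defined separately in `salt/minion/cert/fluentd_prometheus.yml`. Including this class on its own would presumably leave the listener configured for TLS with no certificate on disk. If the two are always meant to be used together, add a `classes:` list with `- system.salt.minion.cert.fluentd_prometheus` at the top of this file. The boolean is also written `True` here, while the other new files in this commit use lowercase `true`.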
diff --git a/fluentd/label/default_output/elasticsearch.yml b/fluentd/label/default_output/elasticsearch.yml
index 398ea8c..daf95dd 100644
--- a/fluentd/label/default_output/elasticsearch.yml
+++ b/fluentd/label/default_output/elasticsearch.yml
@@ -2,9 +2,6 @@
 - service.fluentd.agent.output.elasticsearch
 - system.fluentd.label.default_output.filter.common
 parameters:
-  _param:
-    fluentd_elasticsearch_host: 127.0.0.1
-    elasticsearch_port: 9200
   fluentd:
     agent:
       config:
@@ -13,4 +10,5 @@
             match:
               elasticsearch_output:
                 host: ${_param:fluentd_elasticsearch_host}
-                port: ${_param:elasticsearch_port}
+                port: ${_param:fluentd_elasticsearch_port}
+                scheme: ${_param:fluentd_elasticsearch_scheme}
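Review bot: The old parameter name `elasticsearch_port` disappears without a fallback: its definitions are removed here and in `fluentd/label/notifications/notifications.yml`, and the diff adds nothing under the old name. A cluster model that overrode `elasticsearch_port` to move the fluentd output is silently ignored after this change, and any class outside this diff that still interpolates `${_param:elasticsearch_port}` may fail to render. A transitional alias in `defaults/stacklight.yml`, `elasticsearch_port: ${_param:fluentd_elasticsearch_port}`, would keep such references resolving; existing overrides would still have to be renamed, which is worth a line in the release notes.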
diff --git a/fluentd/label/notifications/audit.yml b/fluentd/label/notifications/audit.yml
index 6449e1e..da0c31a 100644
--- a/fluentd/label/notifications/audit.yml
+++ b/fluentd/label/notifications/audit.yml
@@ -45,7 +45,8 @@
               audit_output:
                 tag: audit
                 type: elasticsearch
-                host: ${_param:stacklight_log_address}
-                port: ${_param:elasticsearch_port}
+                host: ${_param:fluentd_elasticsearch_host}
+                port: ${_param:fluentd_elasticsearch_port}
+                scheme: ${_param:fluentd_elasticsearch_scheme}
                 es_index_name: audit
                 tag_key: Type
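Review bot: Audit records can end up on localhost after this change: `host` now reads `${_param:fluentd_elasticsearch_host}`, whose default in `defaults/stacklight.yml` is `127.0.0.1`, where it previously read `${_param:stacklight_log_address}`. On any node whose model does not override the new parameter, the audit stream no longer reaches the log cluster, and that is easy to miss because nothing fails at render time. The same substitution is made for `notifications_output` in `fluentd/label/notifications/notifications.yml` (hunk `@@ -118,7 +116,8 @@`). If the redirect is intended, note the required override next to the default; otherwise default the parameter to the previous target, `fluentd_elasticsearch_host: ${_param:stacklight_log_address}`.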
diff --git a/fluentd/label/notifications/notifications.yml b/fluentd/label/notifications/notifications.yml
index 5556d6e..7d1e5c6 100644
--- a/fluentd/label/notifications/notifications.yml
+++ b/fluentd/label/notifications/notifications.yml
@@ -1,6 +1,4 @@
 parameters:
-  _param:
-    elasticsearch_port: 9200
   fluentd:
     agent:
       config:
@@ -118,7 +116,8 @@
               notifications_output:
                 tag: notification
                 type: elasticsearch
-                host: ${_param:stacklight_log_address}
-                port: ${_param:elasticsearch_port}
+                host: ${_param:fluentd_elasticsearch_host}
+                port: ${_param:fluentd_elasticsearch_port}
+                scheme: ${_param:fluentd_elasticsearch_scheme}
                 es_index_name: notification
                 tag_key: Type
diff --git a/haproxy/proxy/listen/stacklight/elasticsearch.yml b/haproxy/proxy/listen/stacklight/elasticsearch.yml
index 582de6a..d684861 100644
--- a/haproxy/proxy/listen/stacklight/elasticsearch.yml
+++ b/haproxy/proxy/listen/stacklight/elasticsearch.yml
@@ -1,10 +1,6 @@
 parameters:
   _param:
     haproxy_elasticsearch_bind_host: ${_param:cluster_vip_address}
-    haproxy_elasticsearch_http_bind_port: 9200
-    haproxy_elasticsearch_http_exposed_port: 9200
-    haproxy_elasticsearch_binary_bind_port: 9300
-    haproxy_elasticsearch_binary_exposed_port: 9300
   haproxy:
     proxy:
       listen:
@@ -17,7 +13,7 @@
             - dontlog-normal
           balance: roundrobin
           binds:
-            - address: ${_param:haproxy_elasticsearch_bind_host}
+            - address: ${_param:cluster_vip_address}
               port: ${_param:haproxy_elasticsearch_http_bind_port}
           servers:
             - name: ${_param:cluster_node01_hostname}
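Review bot: Hard-coding `address: ${_param:cluster_vip_address}` in `binds` leaves `haproxy_elasticsearch_bind_host`, still defined at the top of this file, with no reader in the visible lines. An operator override that pins the listener to a narrower address therefore no longer has any effect. The new `haproxy/proxy/listen/stacklight/elasticsearch_ssl.yml` repeats the pattern in both of its listeners. Either keep `- address: ${_param:haproxy_elasticsearch_bind_host}` or delete the parameter so the model does not advertise a knob that is ignored. The listener definition starts and ends outside this hunk.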
diff --git a/haproxy/proxy/listen/stacklight/elasticsearch_ssl.yml b/haproxy/proxy/listen/stacklight/elasticsearch_ssl.yml
new file mode 100644
index 0000000..a50280e
--- /dev/null
+++ b/haproxy/proxy/listen/stacklight/elasticsearch_ssl.yml
@@ -0,0 +1,55 @@
+parameters:
+  _param:
+    haproxy_elasticsearch_bind_host: ${_param:cluster_vip_address}
+  haproxy:
+    proxy:
+      listen:
+        elasticsearch:
+          mode: http
+          options:
+            - httplog
+            - http-keep-alive
+            - prefer-last-server
+            - dontlog-normal
+          balance: roundrobin
+          binds:
+            - address: ${_param:cluster_vip_address}
+              port: ${_param:haproxy_elasticsearch_http_bind_port}
+              ssl:
+                enabled: true
+                pem_file: /etc/elasticsearch/elasticsearch.pem
+          servers:
+            - name: ${_param:cluster_node01_hostname}
+              host: ${_param:cluster_node01_address}
+              port: ${_param:haproxy_elasticsearch_http_exposed_port}
+              params: 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3'
+            - name: ${_param:cluster_node02_hostname}
+              host: ${_param:cluster_node02_address}
+              port: ${_param:haproxy_elasticsearch_http_exposed_port}
+              params: 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3'
+            - name: ${_param:cluster_node03_hostname}
+              host: ${_param:cluster_node03_address}
+              port: ${_param:haproxy_elasticsearch_http_exposed_port}
+              params: 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3'
+        elasticsearch_binary:
+          mode: tcp
+          options:
+            - tcpka
+            - tcplog
+          balance: source
+          binds:
+            - address: ${_param:cluster_vip_address}
+              port: ${_param:haproxy_elasticsearch_binary_bind_port}
+          servers:
+            - name: ${_param:cluster_node01_hostname}
+              host: ${_param:cluster_node01_address}
+              port: ${_param:haproxy_elasticsearch_binary_exposed_port}
+              params: 'check'
+            - name: ${_param:cluster_node02_hostname}
+              host: ${_param:cluster_node02_address}
+              port: ${_param:haproxy_elasticsearch_binary_exposed_port}
+              params: 'check'
+            - name: ${_param:cluster_node03_hostname}
+              host: ${_param:cluster_node03_address}
+              port: ${_param:haproxy_elasticsearch_binary_exposed_port}
+              params: 'check'
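Review bot: Only the `elasticsearch` HTTP listener gets an `ssl` block; the `elasticsearch_binary` listener still publishes the transport port on `cluster_vip_address` in plain `tcp` mode. The `servers` entries carry no TLS parameters either, so traffic between HAProxy and the backends stays cleartext. If that is the intended scope, state it at the top of the file, for example `# TLS terminates at HAProxy for the HTTP API only; backends and the transport listener are cleartext`. If the transport port does not need to be reachable through the VIP in SSL deployments, leaving `elasticsearch_binary` out of this class would reduce what is exposed.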
diff --git a/jenkins/client/job/deploy/update/init.yml b/jenkins/client/job/deploy/update/init.yml
index 8e58753..c3ea450 100644
--- a/jenkins/client/job/deploy/update/init.yml
+++ b/jenkins/client/job/deploy/update/init.yml
@@ -5,7 +5,6 @@
   - system.jenkins.client.job.deploy.update.update_mirror_image
   - system.jenkins.client.job.deploy.update.update_ceph
   - system.jenkins.client.job.deploy.update.upgrade
-  - system.jenkins.client.job.deploy.update.upgrade_rabbitmq
   - system.jenkins.client.job.deploy.update.upgrade_compute
   - system.jenkins.client.job.deploy.update.upgrade_mcp_release
   - system.jenkins.client.job.deploy.update.upgrade_ovs_gateway
@@ -22,3 +21,7 @@
   - system.jenkins.client.job.deploy.galera_database_backup
   - system.jenkins.client.job.deploy.backupninja_backup
   - system.jenkins.client.job.deploy.backupninja_restore
+  - system.jenkins.client.job.deploy.update.update_glusterfs
+  - system.jenkins.client.job.deploy.update.update_glusterfs_servers
+  - system.jenkins.client.job.deploy.update.update_glusterfs_clients
+  - system.jenkins.client.job.deploy.update.update_glusterfs_cluster_op_version
diff --git a/jenkins/client/job/deploy/update/update_glusterfs.yml b/jenkins/client/job/deploy/update/update_glusterfs.yml
new file mode 100644
index 0000000..dfdfc9e
--- /dev/null
+++ b/jenkins/client/job/deploy/update/update_glusterfs.yml
@@ -0,0 +1,31 @@
+#
+# Jobs to run given states on given Salt master environment's
+#
+parameters:
+  jenkins:
+    client:
+      job:
+        update-glusterfs:
+          type: workflow-scm
+          description: This is a general job which runs "Update glusterfs servers", "Update glusterfs clients" and "Update glusterfs cluster.op-version" jobs with default parameters. If you need/want better control of update process use those jobs.
+          concurrent: true
+          discard:
+            build:
+              keep_num: 10
+            artifact:
+              keep_num: 10
+          display_name: "Update GlusterFS"
+          scm:
+            type: git
+            url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
+            branch: "${_param:jenkins_pipelines_branch}"
+            credentials: "gerrit"
+            script: update-glusterfs.groovy
+          param:
+            DRIVE_TRAIN_PARAMS:
+              type: text
+              description: "Yaml based DriveTrain releated params"
+              default: |
+                ---
+                SALT_MASTER_URL: "${_param:jenkins_salt_api_url}"
+                SALT_MASTER_CREDENTIALS: "salt"
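Review bot: `concurrent: true` lets two builds of this job run at the same time, which for a job that updates storage servers and clients means overlapping runs could be touching GlusterFS nodes at once. The same setting appears in `update_glusterfs_servers.yml`, `update_glusterfs_clients.yml` and `update_glusterfs_cluster_op_version.yml`. Unless the pipeline script serialises runs itself (not visible here), I would set `concurrent: false` in all four. The header comment `Jobs to run given states on given Salt master environment's` also looks copied from another job and does not describe this one.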
diff --git a/jenkins/client/job/deploy/update/update_glusterfs_clients.yml b/jenkins/client/job/deploy/update/update_glusterfs_clients.yml
new file mode 100644
index 0000000..48a393c
--- /dev/null
+++ b/jenkins/client/job/deploy/update/update_glusterfs_clients.yml
@@ -0,0 +1,37 @@
+#
+# Jobs to run given states on given Salt master environment's
+#
+parameters:
+  jenkins:
+    client:
+      job:
+        update-glusterfs-clients:
+          type: workflow-scm
+          description: Update glusterfs-client package on corresponding hosts
+          concurrent: true
+          discard:
+            build:
+              keep_num: 10
+            artifact:
+              keep_num: 10
+          display_name: "Update glusterfs clients"
+          scm:
+            type: git
+            url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
+            branch: "${_param:jenkins_pipelines_branch}"
+            credentials: "gerrit"
+            script: update-glusterfs-clients.groovy
+          param:
+            DRIVE_TRAIN_PARAMS:
+              type: text
+              description: "Yaml based DriveTrain releated params"
+              default: |
+                ---
+                SALT_MASTER_URL: "${_param:jenkins_salt_api_url}"
+                SALT_MASTER_CREDENTIALS: "salt"
+                # Salt compound target to match nodes to be updated [*, G@osfamily:debian].
+                TARGET_SERVERS: "I@glusterfs:client"
+                # Does not validate server availability/status before update
+                IGNORE_SERVER_STATUS: false
+                # Does not validate that all servers have been updated
+                IGNORE_SERVER_VERSION: false
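Review bot: The comments above the `IGNORE_*` defaults read as a description of what the job does (`# Does not validate server availability/status before update`), while the value beside them is `false`, meaning validation is on. Wording them as the effect of enabling the flag is clearer, for example `# Set to true to skip the server availability/status check before the update`. The same phrasing is used in `update_glusterfs_servers.yml` and `update_glusterfs_cluster_op_version.yml`, and the latter also has the typo `cluster.op-verion`. All four job files spell `releated` in the `DRIVE_TRAIN_PARAMS` description.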
diff --git a/jenkins/client/job/deploy/update/update_glusterfs_cluster_op_version.yml b/jenkins/client/job/deploy/update/update_glusterfs_cluster_op_version.yml
new file mode 100644
index 0000000..e35e4fa
--- /dev/null
+++ b/jenkins/client/job/deploy/update/update_glusterfs_cluster_op_version.yml
@@ -0,0 +1,39 @@
+#
+# Jobs to run given states on given Salt master environment's
+#
+parameters:
+  jenkins:
+    client:
+      job:
+        update-glusterfs-cluster-op-version:
+          type: workflow-scm
+          description: Update cluster.op-version global option
+          concurrent: true
+          discard:
+            build:
+              keep_num: 10
+            artifact:
+              keep_num: 10
+          display_name: "Update glusterfs cluster.op-version"
+          scm:
+            type: git
+            url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
+            branch: "${_param:jenkins_pipelines_branch}"
+            credentials: "gerrit"
+            script: update-glusterfs-cluster-op-version.groovy
+          param:
+            DRIVE_TRAIN_PARAMS:
+              type: text
+              description: "Yaml based DriveTrain releated params"
+              default: |
+                ---
+                SALT_MASTER_URL: "${_param:jenkins_salt_api_url}"
+                SALT_MASTER_CREDENTIALS: "salt"
+                # Salt compound target to match nodes to be updated [*, G@osfamily:debian].
+                TARGET_SERVERS: "I@glusterfs:server:role:primary"
+                # GlusterFS cluster.op-verion option to set. Leave it empty to get proper version from cluster.max-op-version if available.
+                CLUSTER_OP_VERSION: ''
+                # Does not validate that all clients have been updated
+                IGNORE_CLIENT_VERSION: false
+                # Does not validate that all servers have been updated
+                IGNORE_SERVER_VERSION: false
diff --git a/jenkins/client/job/deploy/update/update_glusterfs_servers.yml b/jenkins/client/job/deploy/update/update_glusterfs_servers.yml
new file mode 100644
index 0000000..97f4e77
--- /dev/null
+++ b/jenkins/client/job/deploy/update/update_glusterfs_servers.yml
@@ -0,0 +1,37 @@
+#
+# Jobs to run given states on given Salt master environment's
+#
+parameters:
+  jenkins:
+    client:
+      job:
+        update-glusterfs-servers:
+          type: workflow-scm
+          description: Update glusterfs-server package on corresponding hosts
+          concurrent: true
+          discard:
+            build:
+              keep_num: 10
+            artifact:
+              keep_num: 10
+          display_name: "Update glusterfs servers"
+          scm:
+            type: git
+            url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
+            branch: "${_param:jenkins_pipelines_branch}"
+            credentials: "gerrit"
+            script: update-glusterfs-servers.groovy
+          param:
+            DRIVE_TRAIN_PARAMS:
+              type: text
+              description: "Yaml based DriveTrain releated params"
+              default: |
+                ---
+                SALT_MASTER_URL: "${_param:jenkins_salt_api_url}"
+                SALT_MASTER_CREDENTIALS: "salt"
+                # Salt compound target to match nodes to be updated [*, G@osfamily:debian].
+                TARGET_SERVERS: "I@glusterfs:server"
+                # Does not validate server availability/status before update
+                IGNORE_SERVER_STATUS: false
+                # Update GlusterFS even there is a non-replicated volume
+                IGNORE_NON_REPLICATED_VOLUMES: false
diff --git a/keepalived/cluster/instance/kdt_kube_api_server_vip.yml b/keepalived/cluster/instance/kdt_kube_api_server_vip.yml
index a26748a..e76b767 100644
--- a/keepalived/cluster/instance/kdt_kube_api_server_vip.yml
+++ b/keepalived/cluster/instance/kdt_kube_api_server_vip.yml
@@ -23,6 +23,6 @@
           address: ${_param:keepalived_kdt_k8s_apiserver_vip_address}
           password: ${_param:keepalived_kdt_k8s_apiserver_vip_password}
           interface: ${_param:keepalived_kdt_k8s_apiserver_vip_interface}
-          virtual_router_id: 70
+          virtual_router_id: 71
           priority: ${_param:keepalived_vip_priority}
           track_script: kdt_vip
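Review bot: `virtual_router_id` remains a hard-coded literal (now `71`) while the neighbouring fields of this instance come from `_param` values, so a clash with another keepalived instance on the same segment can only be resolved by another commit like this one. Nodes still running with id 70 and nodes already on 71 do not process each other's advertisements, so during a rolling apply both groups may claim the VIP; that deserves a line in the commit message. Consider reading the id from a parameter whose default is 71 and, if this change resolves a clash, adding a comment that names the instance using 70. The instance block starts outside the hunk.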
diff --git a/kibana/client/ssl.yml b/kibana/client/ssl.yml
new file mode 100644
index 0000000..76160c6
--- /dev/null
+++ b/kibana/client/ssl.yml
@@ -0,0 +1,5 @@
+parameters:
+  kibana:
+    client:
+      server:
+        scheme: https
diff --git a/kibana/server/single.yml b/kibana/server/single.yml
index 965f274..5c59588 100644
--- a/kibana/server/single.yml
+++ b/kibana/server/single.yml
@@ -13,4 +13,5 @@
         engine: elasticsearch
         host: ${_param:kibana_elasticsearch_host}
         port: 9200
+        scheme: http
 
diff --git a/kibana/server/ssl.yml b/kibana/server/ssl.yml
new file mode 100644
index 0000000..5b049f8
--- /dev/null
+++ b/kibana/server/ssl.yml
@@ -0,0 +1,5 @@
+parameters:
+  kibana:
+    server:
+      database:
+        scheme: https
diff --git a/nginx/server/proxy/ssl.yml b/nginx/server/proxy/ssl.yml
index 66a1938..dd4f2cd 100644
--- a/nginx/server/proxy/ssl.yml
+++ b/nginx/server/proxy/ssl.yml
@@ -16,10 +16,10 @@
       protocols:
         TLSv1:
           name: 'TLSv1'
-          enabled: True
+          enabled: False
         TLSv1.1:
           name: 'TLSv1.1'
-          enabled: True
+          enabled: False
         TLSv1.2:
           name: 'TLSv1.2'
           enabled: True
@@ -28,16 +28,16 @@
       ciphers:
         ECDHE-ECDSA-CHACHA20-POLY1305:
           name: 'ECDHE-ECDSA-CHACHA20-POLY1305'
-          enabled: True
+          enabled: False
         ECDHE-RSA-CHACHA20-POLY1305:
           name: 'ECDHE-RSA-CHACHA20-POLY1305'
-          enabled: True
+          enabled: False
         ECDHE-ECDSA-AES128-GCM-SHA256:
           name: 'ECDHE-ECDSA-AES128-GCM-SHA256'
-          enabled: True
+          enabled: False
         ECDHE-RSA-AES128-GCM-SHA256:
           name: 'ECDHE-RSA-AES128-GCM-SHA256'
-          enabled: True
+          enabled: False
         ECDHE-ECDSA-AES256-GCM-SHA384:
           name: 'ECDHE-ECDSA-AES256-GCM-SHA384'
           enabled: True
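Review bot: The resulting cipher policy is inconsistent: this hunk turns off the AEAD suites `ECDHE-ECDSA-CHACHA20-POLY1305`, `ECDHE-RSA-CHACHA20-POLY1305` and the two ECDHE `AES128-GCM-SHA256` entries, while the next hunk (`@@ -46,76 +46,76 @@`) leaves the CBC-mode `ECDHE-RSA-AES256-SHA384` and `ECDHE-ECDSA-AES256-SHA384` enabled. ChaCha20-Poly1305 and AES128-GCM are not weaker than the CBC suites that remain, and clients that prefer ChaCha20 lose their AEAD option. Either keep the four AEAD suites enabled or disable the two CBC suites as well, and add a comment above `ciphers:` stating the rule being applied, for example `# TLS 1.2 only, ECDHE key exchange, AES-256`. How the formula renders entries with `enabled: False` is not visible here, so confirm they are dropped from the cipher string rather than emitted.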
@@ -46,76 +46,76 @@
           enabled: True
         DHE-RSA-AES128-GCM-SHA256:
           name: 'DHE-RSA-AES128-GCM-SHA256'
-          enabled: True
+          enabled: False
         DHE-RSA-AES256-GCM-SHA384:
           name: 'DHE-RSA-AES256-GCM-SHA384'
-          enabled: True
+          enabled: False
         ECDHE-ECDSA-AES128-SHA256:
           name: 'ECDHE-ECDSA-AES128-SHA256'
-          enabled: True
+          enabled: False
         ECDHE-RSA-AES128-SHA256:
           name: 'ECDHE-RSA-AES128-SHA256'
-          enabled: True
+          enabled: False
         ECDHE-ECDSA-AES128-SHA:
           name: 'ECDHE-ECDSA-AES128-SHA'
-          enabled: True
+          enabled: False
         ECDHE-RSA-AES256-SHA384:
           name: 'ECDHE-RSA-AES256-SHA384'
           enabled: True
         ECDHE-RSA-AES128-SHA:
           name: 'ECDHE-RSA-AES128-SHA'
-          enabled: True
+          enabled: False
         ECDHE-ECDSA-AES256-SHA384:
           name: 'ECDHE-ECDSA-AES256-SHA384'
           enabled: True
         ECDHE-ECDSA-AES256-SHA:
           name: 'ECDHE-ECDSA-AES256-SHA'
-          enabled: True
+          enabled: False
         ECDHE-RSA-AES256-SHA:
           name: 'ECDHE-RSA-AES256-SHA'
-          enabled: True
+          enabled: False
         DHE-RSA-AES128-SHA256:
           name: 'DHE-RSA-AES128-SHA256'
-          enabled: True
+          enabled: False
         DHE-RSA-AES128-SHA:
           name: 'DHE-RSA-AES128-SHA'
-          enabled: True
+          enabled: False
         DHE-RSA-AES256-SHA256:
           name: 'DHE-RSA-AES256-SHA256'
-          enabled: True
+          enabled: False
         DHE-RSA-AES256-SHA:
           name: 'DHE-RSA-AES256-SHA'
-          enabled: True
+          enabled: False
         ECDHE-ECDSA-DES-CBC3-SHA:
           name: 'ECDHE-ECDSA-DES-CBC3-SHA'
-          enabled: True
+          enabled: False
         ECDHE-RSA-DES-CBC3-SHA:
           name: 'ECDHE-RSA-DES-CBC3-SHA'
-          enabled: True
+          enabled: False
         EDH-RSA-DES-CBC3-SHA:
           name: 'EDH-RSA-DES-CBC3-SHA'
-          enabled: True
+          enabled: False
         AES128-GCM-SHA256:
           name: 'AES128-GCM-SHA256'
-          enabled: True
+          enabled: False
         AES256-GCM-SHA384:
           name: 'AES256-GCM-SHA384'
-          enabled: True
+          enabled: False
         AES128-SHA256:
           name: 'AES128-SHA256'
-          enabled: True
+          enabled: False
         AES256-SHA256:
           name: 'AES256-SHA256'
-          enabled: True
+          enabled: False
         AES256-SHA:
           name: 'AES256-SHA'
-          enabled: True
+          enabled: False
         AES128-SHA:
           name: 'AES128-SHA'
-          enabled: True
+          enabled: False
         DES-CBC3-SHA:
           name: 'DES-CBC3-SHA'
-          enabled: True
+          enabled: False
         removeDSS:
           name: '!DSS'
-          enabled: True
\ No newline at end of file
+          enabled: True
diff --git a/salt/control/placement/openstack/golden.yml b/salt/control/placement/openstack/golden.yml
index 03abda5..1212a42 100644
--- a/salt/control/placement/openstack/golden.yml
+++ b/salt/control/placement/openstack/golden.yml
@@ -31,7 +31,7 @@
     openstack_proxy_backend_image: ${_param:salt_control_xenial_image_backend}
     openstack_barbican_backend_image: ${_param:salt_control_xenial_image_backend}
     openstack_dns_backend_image: ${_param:salt_control_xenial_image_backend}
-    openstack_telemetry_backend_image: ${_param:salt_control_trusty_image_backend}
+    openstack_telemetry_backend_image: ${_param:salt_control_xenial_image_backend}
     salt_control_cluster_node_cloud_init_openstack_control:
       user_data:
         write_files:
@@ -74,6 +74,13 @@
             ${salt:control:size:openstack.dns:image_layout}
           owner: root:root
           path: /usr/share/growlvm/image-layout.yml
+    salt_control_cluster_node_cloud_init_openstack_telemetry:
+      user_data:
+        write_files:
+        - content: |
+            ${salt:control:size:openstack.telemetry:image_layout}
+          owner: root:root
+          path: /usr/share/growlvm/image-layout.yml
   salt:
     control:
       cluster:
@@ -194,21 +201,21 @@
             mdb01:
               name: ${_param:openstack_telemetry_node01_hostname}
               provider: ${_param:infra_kvm_node04_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_telemetry_backend_image}
               size: openstack.telemetry
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_telemetry}
             mdb02:
               name: ${_param:openstack_telemetry_node02_hostname}
               provider: ${_param:infra_kvm_node05_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_telemetry_backend_image}
               size: openstack.telemetry
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_telemetry}
             mdb03:
               name: ${_param:openstack_telemetry_node03_hostname}
               provider: ${_param:infra_kvm_node06_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_telemetry_backend_image}
               size: openstack.telemetry
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_telemetry}
diff --git a/salt/minion/cert/elasticsearch.yml b/salt/minion/cert/elasticsearch.yml
new file mode 100644
index 0000000..0ac232d
--- /dev/null
+++ b/salt/minion/cert/elasticsearch.yml
@@ -0,0 +1,16 @@
+parameters:
+  salt:
+    minion:
+      cert:
+        elasticsearch:
+          host: ${_param:salt_minion_ca_host}
+          authority: ${_param:salt_minion_ca_authority}
+          common_name: elasticsearch
+          signing_policy: cert_server
+          alternative_names: IP:127.0.0.1,IP:${_param:single_address},IP:${_param:stacklight_log_address},DNS:${linux:system:name},DNS:${linux:network:fqdn}
+          key_file: /etc/elasticsearch/elasticsearch.key
+          cert_file: /etc/elasticsearch/elasticsearch.crt
+          ca_file: /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem
+          all_file: /etc/elasticsearch/elasticsearch.pem
+          mode: '0444'
+          enabled: true
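Review bot: `mode: '0444'` sits next to `key_file` and `all_file`; if the formula applies that mode to every file it writes (not visible here), the private key and the combined PEM that HAProxy loads from `/etc/elasticsearch/elasticsearch.pem` are readable by any local user. `salt/minion/cert/fluentd_prometheus.yml` uses the same mode for its key. A mode restricted to the account that must read the key would be safer, for example `mode: '0400'` if only a root-started HAProxy reads it; please confirm which processes need access before choosing the value. Separately, `alternative_names` lists `single_address` and `stacklight_log_address` but not `cluster_vip_address`, the address the new SSL listener binds to, so clients that verify the certificate against the VIP may reject it unless those addresses coincide.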
diff --git a/salt/minion/cert/fluentd_prometheus.yml b/salt/minion/cert/fluentd_prometheus.yml
new file mode 100644
index 0000000..d7f4469
--- /dev/null
+++ b/salt/minion/cert/fluentd_prometheus.yml
@@ -0,0 +1,14 @@
+parameters:
+  salt:
+    minion:
+      cert:
+        fluentd_prometheus:
+          host: ${_param:salt_minion_ca_host}
+          authority: ${_param:salt_minion_ca_authority}
+          common_name: fluentd_prometheus
+          signing_policy: cert_server
+          alternative_names: IP:127.0.0.1,IP:${_param:single_address},DNS:${linux:system:name},DNS:${linux:network:fqdn}
+          key_file: ${fluentd:agent:dir:config}/fluentd-prometheus.key
+          cert_file: ${fluentd:agent:dir:config}/fluentd-prometheus.crt
+          mode: '0444'
+          enabled: true