diff --git a/galera/server/database/ssl/nova.yml b/galera/server/database/ssl/nova.yml
new file mode 100644
index 0000000..b0a87c8
--- /dev/null
+++ b/galera/server/database/ssl/nova.yml
@@ -0,0 +1,4 @@
+parameters:
+  _param:
+    mysql_nova_ssl_option:
+      - SSL: True
\ No newline at end of file
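Review bot: `SSL: True` presumably ends up in the account's REQUIRE clause, where it only demands an encrypted connection and does not bind the nova account to a client certificate the way the `SUBJECT`/`ISSUER` pair in galera/server/database/x509/nova.yml does. A header comment would make the difference visible to whoever picks a class, e.g. `# Requires TLS only; include database/x509/nova.yml to also pin the client certificate`. The boolean is written `True` here and again as `system: True` in linux/system/users/keystone.yml, while the rest of the change uses lowercase `true`; `- SSL: true` is the portable spelling. The file also ends without a trailing newline.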
diff --git a/galera/server/database/x509/nova.yml b/galera/server/database/x509/nova.yml
new file mode 100644
index 0000000..305fafd
--- /dev/null
+++ b/galera/server/database/x509/nova.yml
@@ -0,0 +1,7 @@
+parameters:
+  _param:
+    mysql_nova_clietn_ssl_x509_subject: '/C=cz/CN=mysql-nova-client/L=Prague/O=Mirantis'
+    mysql_nova_clietn_ssl_x509_issuer: '/C=cz/CN=Salt Master CA/L=Prague/O=Mirantis'
+    mysql_nova_ssl_option:
+      - SUBJECT: ${_param:mysql_nova_clietn_ssl_x509_subject}
+      - ISSUER: ${_param:mysql_nova_clietn_ssl_x509_issuer}
\ No newline at end of file
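Review bot: The two new parameters are misspelled as `mysql_nova_clietn_ssl_x509_subject` and `mysql_nova_clietn_ssl_x509_issuer`, while the certificate class added in this same change uses `mysql_nova_client_ssl_*`. The `SUBJECT`/`ISSUER` references repeat the typo, so the file resolves, but an override written with the correct spelling would be silently ignored and the account would keep the default subject and issuer. Rename all four occurrences to `mysql_nova_client_ssl_x509_subject` and `mysql_nova_client_ssl_x509_issuer`. The expected subject also carries `C`, `L` and `O` fields that salt/minion/cert/mysql/clients/openstack/nova.yml does not set itself, so they presumably come from the CA signing policy; confirm the issued subject matches this string exactly, otherwise the client will be refused.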
diff --git a/glusterfs/client/volume/keystone.yml b/glusterfs/client/volume/keystone.yml
index a93c0c1..f0a6e30 100644
--- a/glusterfs/client/volume/keystone.yml
+++ b/glusterfs/client/volume/keystone.yml
@@ -1,3 +1,5 @@
+classes:
+- system.linux.system.users.keystone
 parameters:
   _param:
     keystone_glusterfs_service_host: ${_param:glusterfs_service_host}
@@ -20,20 +22,3 @@
           user: keystone
           group: keystone
           opts: "defaults,backup-volfile-servers=${_param:glusterfs_node01_address}:${_param:glusterfs_node02_address}:${_param:glusterfs_node03_address}"
-  linux:
-    system:
-      user:
-        keystone:
-          enabled: true
-          name: keystone
-          home: /var/lib/keystone
-          uid: 301
-          gid: 301
-          shell: /bin/false
-          system: True
-      group:
-        keystone:
-          enabled: true
-          name: keystone
-          gid: 301
-          system: True
diff --git a/jenkins/client/approved_scripts.yml b/jenkins/client/approved_scripts.yml
index 65db576..0dc20b0 100644
--- a/jenkins/client/approved_scripts.yml
+++ b/jenkins/client/approved_scripts.yml
@@ -66,6 +66,7 @@
         - method java.util.regex.MatchResult group int
         - method java.util.regex.MatchResult groupCount
         - method java.util.regex.Matcher find
+        - method java.util.regex.Matcher group java.lang.String
         - method java.util.regex.Matcher matches
         - method java.util.regex.Pattern matcher java.lang.CharSequence
         - method java.util.stream.Stream collect java.util.stream.Collector
@@ -84,6 +85,7 @@
         - new groovy.json.JsonSlurperClassic
         - new groovy.util.XmlParser
         - new java.io.File java.lang.String
+        - new java.io.File java.lang.String java.lang.String
         - new java.io.IOException java.lang.String
         - new java.io.OutputStreamWriter java.io.OutputStream
         - new java.lang.Exception java.lang.String
diff --git a/jenkins/client/job/debian/packages/salt-multi.yml b/jenkins/client/job/debian/packages/salt-multi.yml
index e185b60..b58b801 100644
--- a/jenkins/client/job/debian/packages/salt-multi.yml
+++ b/jenkins/client/job/debian/packages/salt-multi.yml
@@ -63,7 +63,7 @@
               upload_source_package: true
               dist: xenial
             - name: swift
-              upload_source_package: true
+              upload_source_package: false
               dist: xenial
           template:
             discard:
diff --git a/jenkins/client/job/deploy/update/upgrade_mcp_release.yml b/jenkins/client/job/deploy/update/upgrade_mcp_release.yml
index 5968245..18f5646 100644
--- a/jenkins/client/job/deploy/update/upgrade_mcp_release.yml
+++ b/jenkins/client/job/deploy/update/upgrade_mcp_release.yml
@@ -47,4 +47,8 @@
             UPDATE_LOCAL_REPOS:
               type: boolean
               default: 'false'
-              description: "Use only when local repositories are present."
\ No newline at end of file
+              description: "Use only when local repositories are present."
+            PIPELINE_TIMEOUT:
+              type: string
+              default: '12'
+              description: "Sets pipeline timeout in hours. Defaults to '12' if left empty."
\ No newline at end of file
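Review bot: `PIPELINE_TIMEOUT` is a free-form string, and the fallback promised by "Defaults to '12' if left empty" is not enforced anywhere in this file. It holds only if the pipeline script substitutes the default and rejects non-numeric input, which cannot be seen from here. It is worth confirming that the consuming pipeline validates the value before passing it to its timeout step, so that a typo fails fast rather than running unbounded. The file still ends without a newline, which is why this hunk had to rewrite the unchanged `description` line above; adding the newline now avoids that churn in the next change.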
diff --git a/jenkins/client/job/salt-models/generate.yml b/jenkins/client/job/salt-models/generate.yml
index 39af9b8..73f815d 100644
--- a/jenkins/client/job/salt-models/generate.yml
+++ b/jenkins/client/job/salt-models/generate.yml
@@ -32,8 +32,8 @@
                 type: string
               TEST_MODEL:
                 type: boolean
-                default: false
+                default: true
               RECLASS_VERSION:
                 type: string
                 default: 'v1.5.4'
-                description: "Version (branch) of Reclass we will use"
+                description: "Version (branch) of Reclass we will use.pip+git package"
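Review bot: The new `RECLASS_VERSION` description, "Version (branch) of Reclass we will use.pip+git package", runs two fragments together without a space and does not say what "pip+git package" refers to. If the intent is that the value is installed from git via pip, something like `description: "Version (branch) of Reclass to install (pip+git package)"` reads more clearly. `TEST_MODEL` now defaults to an unquoted `true`, while the boolean default in upgrade_mcp_release.yml is the quoted `'false'`; confirm which form the job template expects.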
diff --git a/jenkins/client/job/validate.yml b/jenkins/client/job/validate.yml
index a020a73..112cb3d 100644
--- a/jenkins/client/job/validate.yml
+++ b/jenkins/client/job/validate.yml
@@ -206,12 +206,12 @@
               description: e.g. skipped_nodes=nal01.local.com,ntw01.local.com
             TESTS_SET:
               type: string
-              default: "cvp-sanity-check/cvp_checks/tests/"
-              description: Leave empty for full run or choose a file, e.g. test_mtu.py
+              default: "cvp-sanity-checks/cvp_checks/tests/"
+              description: "Leave as is for full run or add a filename, e.g. _default_path_/test_mtu.py"
             PROXY:
               type: string
               default: ""
-              description: Proxy address to clone repo and install python requirements
+              description: "Proxy address to use to access the Internet. For offline mode, use \"offline\" value."
         cvp-func:
           type: workflow-scm
           name: cvp-func
@@ -246,7 +246,7 @@
               description: Credentials to the Salt API
             TEST_IMAGE:
               type: string
-              default: "xrally/xrally-openstack:0.9.1"
+              default: "xrally/xrally-openstack:0.9.2"
               description: Docker image to use for running Rally/Tempest
             TARGET_NODE:
               type: string
@@ -255,7 +255,7 @@
             PROXY:
               type: string
               default: ""
-              description: Proxy address to clone repo and install python requirements
+              description: "Proxy address to use to access the Internet. For offline mode, use \"offline\" value."
             TEMPEST_TEST_PATTERN:
               type: string
               default: "set=smoke"
@@ -309,7 +309,7 @@
               description: Node where container with tempest will be run
             TEST_IMAGE:
               type: string
-              default: "xrally/xrally-openstack:0.9.1"
+              default: "xrally/xrally-openstack:0.9.2"
               description: Docker image to use for running Rally/Tempest
             TARGET_NODES:
               type: string
@@ -330,7 +330,7 @@
             PROXY:
               type: string
               default: ""
-              description: Proxy address to clone repo and install python requirements
+              description: "Proxy address to use to access the Internet. For offline mode, use \"offline\" value."
             TEMPEST_TEST_PATTERN:
               type: string
               default: "set=smoke"
@@ -373,7 +373,7 @@
               description: Path to scenario file in container
             TEST_IMAGE:
               type: string
-              default: "xrally/xrally-openstack:0.9.1"
+              default: "xrally/xrally-openstack:0.9.2"
               description: Docker image to use for running Rally/Tempest
             SALT_MASTER_URL:
               type: string
@@ -390,9 +390,11 @@
             TOOLS_REPO:
               type: string
               default: "https://github.com/Mirantis/cvp-configuration"
+              description: URL of repo where testing tools, scenarios, configs are located.
             PROXY:
               type: string
               default: ""
+              description: "Proxy address to use to access the Internet. For offline mode, use \"offline\" value."
         cvp-stacklight:
           type: workflow-scm
           name: cvp-stacklight
@@ -419,7 +421,7 @@
               default: "salt"
             TESTS_REPO:
               type: string
-              default: "https://github.com/legan4ik/stacklight-pytest"
+              default: "https://github.com/Mirantis/stacklight-pytest -b cvp_stacklight"
               description: Url for cvp-stacklight-tests
             TESTS_SETTINGS:
               type: string
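Review bot: The new `TESTS_REPO` default, `"https://github.com/Mirantis/stacklight-pytest -b cvp_stacklight"`, is no longer a URL but a URL followed by a git option. It can only work if the pipeline interpolates the parameter unquoted into a `git clone` command line. That makes a build-time parameter part of a shell command, so anyone allowed to start the job can append further arguments. The consuming pipeline is not visible here, but a separate branch parameter, passed as its own quoted argument, would be safer. The neighbouring description still says "Url for cvp-stacklight-tests", which no longer matches the value.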
@@ -428,11 +430,11 @@
             TESTS_SET:
               type: string
               default: "stacklight-pytest/stacklight_tests/tests/prometheus/"
-              description: "Leave empty for full run or choose a file, e.g. test_dashboards.py"
+              description: "Leave as is for full run or add a filename, e.g. _default_path_/test_dashboards.py"
             PROXY:
               type: string
               default: ""
-              description: Proxy address to clone repo and install python requirements
+              description: "Proxy address to use to access the Internet. For offline mode, use \"offline\" value."
         cvp-spt:
           type: workflow-scm
           name: cvp-spt
@@ -468,8 +470,8 @@
             TESTS_SET:
               type: string
               default: "cvp-spt/cvp_spt/tests/"
-              description: "Leave empty for full run or choose a file, e.g. test_glance.py"
+              description: "Leave as is for full run or add a filename, e.g. _default_path_/test_glance.py"
             PROXY:
               type: string
               default: ""
-              description: Proxy address to clone repo and install python requirements
+              description: "Proxy address to use to access the Internet. For offline mode, use \"offline\" value."
diff --git a/keystone/server/cluster.yml b/keystone/server/cluster.yml
index 7e6980b..4c24975 100644
--- a/keystone/server/cluster.yml
+++ b/keystone/server/cluster.yml
@@ -3,6 +3,7 @@
 - service.keepalived.cluster.single
 - system.haproxy.proxy.listen.openstack.keystone
 - system.haproxy.proxy.listen.openstack.keystone.standalone
+- system.linux.system.users.keystone
 parameters:
   _param:
     keystone_tokens_expiration: 3600
diff --git a/keystone/server/single.yml b/keystone/server/single.yml
index 2b1e89e..68a29a7 100644
--- a/keystone/server/single.yml
+++ b/keystone/server/single.yml
@@ -1,5 +1,6 @@
 classes:
 - service.keystone.server.single
+- system.linux.system.users.keystone
 parameters:
   _param:
     keystone_service_token: token
diff --git a/linux/system/banner.yml b/linux/system/banner.yml
index 173a044..55b417f 100644
--- a/linux/system/banner.yml
+++ b/linux/system/banner.yml
@@ -8,9 +8,9 @@
         contents: |
           =================================== WARNING ====================================
           You have accessed a computer managed by ${_param:banner_company_name}.
-          You are required to have authorisation from ${_param:banner_company_name}
+          You are required to have authorization from ${_param:banner_company_name}
           before you proceed and you are strictly limited to use set out within that
-          authorisation. Unauthorised access to or misuse of this system is prohibited
+          authorization. Unauthorized access to or misuse of this system is prohibited
           and constitutes an offence under the Computer Misuse Act 1990.
           If you disclose any information obtained through this system without authority
           ${_param:banner_company_name} may take legal action against you.
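Review bot: The banner spelling is now mixed: the changed lines use `authorization` and `Unauthorized`, but the following line keeps the British `offence` and cites the Computer Misuse Act 1990, a UK statute. Either keep British spelling throughout or change `offence` as well. The same applies to the identical hunk in linux/system/motd/static.yml. The company name is parameterised but the statute is hard-coded, so deployments outside that jurisdiction get a banner citing a law that may not apply; a parameter for the legal reference would address that. The banner block starts and ends outside the hunk.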
diff --git a/linux/system/motd/static.yml b/linux/system/motd/static.yml
index c0e23c0..831a84e 100644
--- a/linux/system/motd/static.yml
+++ b/linux/system/motd/static.yml
@@ -6,9 +6,9 @@
       motd: |
         =================================== WARNING ====================================
         You have accessed a computer managed by ${_param:motd_company_name}.
-        You are required to have authorisation from ${_param:motd_company_name}
+        You are required to have authorization from ${_param:motd_company_name}
         before you proceed and you are strictly limited to use set out within that
-        authorisation.  Unauthorised access to or misuse of this system is prohibited
+        authorization.  Unauthorized access to or misuse of this system is prohibited
         and constitutes an offence under the Computer Misuse Act 1990.
         If you disclose  any information obtained through this system without
         authority ${_param:motd_company_name} may take legal action against you.
diff --git a/linux/system/users/keystone.yml b/linux/system/users/keystone.yml
new file mode 100644
index 0000000..14e38dd
--- /dev/null
+++ b/linux/system/users/keystone.yml
@@ -0,0 +1,18 @@
+parameters:
+  linux:
+    system:
+      user:
+        keystone:
+          enabled: true
+          name: keystone
+          home: /var/lib/keystone
+          uid: 301
+          gid: 301
+          shell: /bin/false
+          system: True
+      group:
+        keystone:
+          enabled: true
+          name: keystone
+          gid: 301
+          system: True
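Review bot: The pinned `uid: 301` and `gid: 301` have no comment explaining why they are fixed, although this class is now included from glusterfs/client/volume/keystone.yml as well as from both keystone server classes. Presumably the ids must be identical on every node that mounts the shared keystone volume so that file ownership matches. A comment such as `# uid/gid are pinned so ownership on the shared GlusterFS volume is consistent across nodes` would tell the next maintainer not to change them on a single node.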
diff --git a/nginx/server/proxy/openstack_web.yml b/nginx/server/proxy/openstack_web.yml
index ad5ffea..b85527f 100644
--- a/nginx/server/proxy/openstack_web.yml
+++ b/nginx/server/proxy/openstack_web.yml
@@ -36,3 +36,7 @@
           host:
             name: ${_param:nginx_proxy_openstack_web_host}
             port: 80
+  apache:
+    server:
+      bind:
+        listen_default_ports: false
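Review bot: The `apache.server.bind.listen_default_ports: false` key is added to an nginx proxy class without a comment, so its purpose is not evident to a reader. Presumably it stops a co-located Apache from binding the default HTTP(S) ports that this nginx site listens on (`port: 80` just above). A short comment such as `# keep Apache off the default ports; nginx owns 80/443 on this node` would document the intent. Because this class now sets Apache parameters for every node that includes it, confirm that no node serving content directly from Apache on the default ports also includes it.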
diff --git a/openssh/server/team/mcp_qa.yml b/openssh/server/team/mcp_qa.yml
index b22272a..38e19c3 100644
--- a/openssh/server/team/mcp_qa.yml
+++ b/openssh/server/team/mcp_qa.yml
@@ -156,6 +156,13 @@
           full_name: Artem Minasyan
           home: /home/aminasyan
           email: aminasyan@mirantis.com
+        imenkov:
+          enabled: true
+          name: imenkov
+          sudo: true
+          full_name: Ilya Menkov
+          home: /home/imenkov
+          email: imenkov@mirantis.com
       group:
         libvirtd:
           enabled: true
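Review bot: The new `imenkov` account is created with `sudo: true`, and the public key added for it in the last hunk of this file carries the comment `imenkov@atopilin-nb-wifi.srt.mirantis.net`, a host that appears to be named after a different user. Since this key grants root-equivalent access wherever the class is applied, confirm with the account holder that the key is their own and was generated on a machine they control. If the QA role does not need unrestricted sudo, this would be the place to scope it down. The user map starts outside the hunk.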
@@ -284,6 +291,11 @@
           public_keys:
           - ${public_keys:aminasyan}
           user: ${linux:system:user:aminasyan}
+        imenkov:
+          enable: true
+          public_keys:
+          - ${public_keys:imenkov}
+          user: ${linux:system:user:imenkov}
   public_keys:
     ddmitriev:
       key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDuD4wJ8hzkchQ0pfgdwWukQyps1xYRfHOsjosmDu/mmgaXVud5mnpwb2q35E2YYTox2mx+ulJqyS+099gz6MPg4P8D5qdMuRbAsJqbceLaaIGQhdT8qgSo7ESrl5pwvYnfWzKLKF0z5s7nrW0nvArC40zhV9o9XpvzzzSFByepWfkwA8ReldGUYVvTKp8YXaCrqEdMZrU42adPM2nl+fYBbGF+h4/Ka247aVjPeER0blV3znFXbv2Kf38G+i/TEGaktgpBdtGGDi1tX2loMypmTJeqZRJnM0Eoly0BnynB7CSxn11eoIXBUe1mVYNqmQd1hw6uh59iymhK5j939v9J ddmitriev@dis_xcom
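Review bot: The openssh user entry for `imenkov` uses the key `enable: true`, whereas the linux user entry added in the first hunk of this file uses `enabled: true`. The neighbouring openssh entries are outside the hunk, so the spelling they use cannot be checked from here. If the formula reads `enabled`, this key is ignored, and whether the authorized key is installed then depends on the formula's default. Align it with the sibling entries, most likely `enabled: true`.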
@@ -333,4 +345,6 @@
       key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDYj97WGfiL550eVPyQmFyrgpTw61tfins1CpgrZewWqAWJMgYklRdMYl4OReE5UO2po7ag0f/QsOtGU8aQbnxnWUYPZyS3Qk+Bg8OOSBmewPxmT7WH97KdGKBdC9b3xUNFOUXEUOMmOe3jq9YET+xebUnfsA5qwYU5dL9Cb5UAPzVxYI8z5RiaNTo8dtwZr7lbJJRy8YfSWCtiD59vewc6BE2NTUyDjsfmKd9K/IkyKboGU9AC5mLYDsjvWwiGcNdfigRyaYWKmoo7Xhe1W2Og4dpI5pozOwVg7hISW9NRgLXrZP/9me1rFBH7EQjpjO3+Pto1//R3Nx9QLsB59yuj snovikov@snovikov
     aminasyan:
       key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCo9BHw8WdIFOEuY10XvUqHPl1jCqtA8TYntt5Aee2rR8X8pLG9lWjHPFkNArD5upCRvv6f88Xs4QLoEGWMWcbfMkJE4gMNkOWL4As5iNgagw+DybQrA6nXyassHi8le+quwICfJ1v16IXxPgMBCcrRcSYvHKv+n8KsuBH1csRnJ8aHvIZJTL43Eq0F+aj2S0/9D+m2dyRwcmamn6EqX61NfL5UP3422i4JykTXY6I8iwEHs7Er+jPBD7rtJ/q4Kn/bIyT/Vz0tGHiWyVt7B8GBoPb3PgDuzXKvU7OtOxFb3uhANeecjzIz5G5rAsAQcizf+MGCOoBwFLFJTPAharWN artem@Artem
+    imenkov:
+      key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSWoSuHV1FNRuooS3d0nVkTRCwC+Tc585Z1cPcMQns7H1ogLIya//T3gMfxINxCjlF1eek18vI9B5QszZZUL2P7prFxe5EJlt6iM8jD61umkncaTbx6oc8r8xu5ufH9RDxfKHvQX1mhhID5JK+/GoRDIW5Zs7wFSHCrANYV2dtmOfmRSc/qpgh87Z9X10UDymp5MLjpQZzjM+qZCtz6yV14m835j4eiEN7+QZ2XZ/Wtzer7VVdhtjbw8gESSyuPIVf66keuLVUixk0CXosQYrqWDPWpT0Rhh63lnUacgplh74TU+bb+vYRjIHxCgOY2Ex6Pk5jrsroi0YoWtI4SErD imenkov@atopilin-nb-wifi.srt.mirantis.net
 
diff --git a/salt/master/formula/pkg/openstack.yml b/salt/master/formula/pkg/openstack.yml
index 381ae1a..4717682 100644
--- a/salt/master/formula/pkg/openstack.yml
+++ b/salt/master/formula/pkg/openstack.yml
@@ -34,6 +34,9 @@
             glusterfs:
               source: pkg
               name: salt-formula-glusterfs
+            gnocchi:
+              source: pkg
+              name: salt-formula-gnocchi
             designate:
               source: pkg
               name: salt-formula-designate
@@ -82,6 +85,9 @@
             opencontrail:
               source: pkg
               name: salt-formula-opencontrail
+            panko:
+              source: pkg
+              name: salt-formula-panko
             python:
               source: pkg
               name: salt-formula-python
@@ -97,6 +103,3 @@
             supervisor:
               source: pkg
               name: salt-formula-supervisor
-            swift:
-              source: pkg
-              name: salt-formula-swift
diff --git a/salt/minion/cert/mysql/clients/openstack/nova.yml b/salt/minion/cert/mysql/clients/openstack/nova.yml
new file mode 100644
index 0000000..154a553
--- /dev/null
+++ b/salt/minion/cert/mysql/clients/openstack/nova.yml
@@ -0,0 +1,27 @@
+parameters:
+  _param:
+    salt_minion_ca_host: cfg01.${_param:cluster_domain}
+    salt_minion_ca_authority: salt_master_ca
+    mysql_nova_client_ssl_key_file: /etc/pki/mysql-nova-client/client-key.pem
+    mysql_nova_client_ssl_cert_file: /etc/pki/mysql-nova-client/client-cert.pem
+    mysql_nova_ssl_ca_file: /etc/pki/mysql-nova-client/ca-cert.pem
+  salt:
+    minion:
+      cert:
+        mysql-nova-client:
+          host: ${_param:salt_minion_ca_host}
+          authority: ${_param:salt_minion_ca_authority}
+          common_name: mysql-nova-client
+          signing_policy: cert_client
+          alternative_names: >
+            IP:${_param:cluster_local_address},
+            DNS:${_param:cluster_local_address},
+            DNS:${linux:system:name},
+            DNS:${linux:network:fqdn}
+          key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+          key_file: ${_param:mysql_nova_client_ssl_key_file}
+          cert_file: ${_param:mysql_nova_client_ssl_cert_file}
+          ca_file: ${_param:mysql_nova_ssl_ca_file}
+          user: nova
+          group: nova
+          mode: 640
\ No newline at end of file
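Review bot: `mode: 640` is an unquoted YAML integer, and it appears to apply to the private key as well as to the certificate and CA file. File modes are safer written as quoted octal strings, `mode: '0640'`, so that no loader or template retypes them. If only the `nova` user needs to read `client-key.pem`, a tighter mode for the key avoids exposing it to every member of the `nova` group; whether the formula supports a separate key mode cannot be seen from here. `alternative_names` also lists `DNS:${_param:cluster_local_address}`, which puts an address into a DNS entry; confirm that is intended alongside the `IP:` entry. The file ends without a trailing newline.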
