Merge "Adding upgrade job for Pike -> Queens"
diff --git a/artifactory/client/init.yml b/artifactory/client/init.yml
index bd69bd3..381681e 100644
--- a/artifactory/client/init.yml
+++ b/artifactory/client/init.yml
@@ -329,7 +329,8 @@
           pypi-remote:
             rclass: remote
             packageType: pypi
-            url: https://pypi.python.org
+            url: https://files.pythonhosted.org
+            pyPIRegistryUrl: https://pypi.org
             unusedArtifactsCleanupEnabled: true
             unusedArtifactsCleanupPeriodHours: 720
 
diff --git a/defaults/linux_system_repo.yml b/defaults/linux_system_repo.yml
index 0b3d197..435f38e 100644
--- a/defaults/linux_system_repo.yml
+++ b/defaults/linux_system_repo.yml
@@ -2,14 +2,11 @@
   _param:
     # Global
     linux_repo_refresh_db: true
-    linux_system_repo_url: "http://mirror.mirantis.com/${_param:apt_mk_version}/"
+    linux_system_repo_url: http://mirror.mirantis.com/${_param:apt_mk_version}/
     # Global-updates
     linux_system_repo_update_url: http://mirror.mirantis.com/update/${_param:apt_mk_version}/
-    linux_system_repo_update_ubuntu_url: ${_param:linux_system_repo_update_url}/ubuntu/
     # Global-hotfix
     linux_system_repo_hotfix_url: http://mirror.mirantis.com/hotfix/${_param:apt_mk_version}/
-    linux_system_repo_hotfix_ubuntu_url: ${_param:linux_system_repo_hotfix_url}/ubuntu/
-
     # Per repos
     linux_system_repo_mcp_aptly_url: ${_param:linux_system_repo_url}/aptly/
     linux_system_repo_mcp_cassandra_url: ${_param:linux_system_repo_url}/cassandra/
@@ -24,9 +21,14 @@
     linux_system_repo_mcp_maas_url: ${_param:linux_system_repo_url}/maas/
     linux_system_repo_mcp_percona_url: ${_param:linux_system_repo_url}/percona/
     linux_system_repo_mcp_saltstack_url: ${_param:linux_system_repo_url}/saltstack-${_param:linux_system_repo_mcp_saltstack_version_number}/
+    #
     linux_system_repo_mirantis_openstack_url: ${_param:linux_system_repo_url}/openstack-${_param:openstack_version}/
+    linux_system_repo_update_mirantis_openstack_url: ${_param:linux_system_repo_update_url}/openstack-${_param:openstack_version}/
+    linux_system_repo_hotfix_mirantis_openstack_url: ${_param:linux_system_repo_hotfix_url}/openstack-${_param:openstack_version}/
+    #
     linux_system_repo_ubuntu_url: ${_param:linux_system_repo_url}/ubuntu/
-
+    linux_system_repo_update_ubuntu_url: ${_param:linux_system_repo_update_url}/ubuntu/
+    linux_system_repo_hotfix_ubuntu_url: ${_param:linux_system_repo_hotfix_url}/ubuntu/
 
     # Repo-component versions (if applicable)
     salt_version: 2017.7 # TODO should be deprecated after q4
diff --git a/docker/swarm/network/operations_api_backend.yml b/docker/swarm/network/operations_api_backend.yml
new file mode 100644
index 0000000..f23c239
--- /dev/null
+++ b/docker/swarm/network/operations_api_backend.yml
@@ -0,0 +1,10 @@
+parameters:
+  _param:
+    docker_operations_api_network_subnet: 10.80.0.0/24
+  docker:
+    client:
+      network:
+        operations_api_backend:
+          subnet: ${_param:docker_operations_api_network_subnet}
+          driver: overlay
+          attachable: true
diff --git a/docker/swarm/stack/operations_api.yml b/docker/swarm/stack/operations_api.yml
new file mode 100644
index 0000000..fff4f18
--- /dev/null
+++ b/docker/swarm/stack/operations_api.yml
@@ -0,0 +1,70 @@
+parameters:
+  _param:
+    docker_operations_api_replicas: 1
+    docker_image_operations_api: mirantis/python-operations-api:latest
+    operations_api_sqlalchemy_database_uri: "cockroachdb://oapi@cockroach-ui:26257/oapi"
+    operations_api_sqlalchemy_echo: "false"
+    operations_api_flask_debug: "false"
+    operations_api_bind_host: 0.0.0.0
+    operations_api_bind_port: ${_param:haproxy_operations_api_bind_port}
+    docker_image_cockroachdb: cockroachdb/cockroach:latest
+    operations_api_keycloak_url: "http://${_param:single_address}:${_param:haproxy_keycloak_exposed_port}"
+  docker:
+    client:
+      stack:
+        operations_api:
+          service:
+            operations-api:
+              environment:
+                OAPI_OIDC_CLIENT_SECRETS_OVERRIDE: '
+                  {
+                    "web": {
+                        "client_id": "operations-api",
+                        "client_secret": "${_param:keycloak_operations_api_client_secret}",
+                        "auth_uri": "${_param:operations_api_keycloak_url}/auth/realms/drivetrain-realm/protocol/openid-connect/auth",
+                        "token_uri": "${_param:operations_api_keycloak_url}/auth/realms/drivetrain-realm/protocol/openid-connect/token",
+                        "token_introspection_uri": "${_param:operations_api_keycloak_url}/auth/realms/drivetrain-realm/protocol/openid-connect/token/introspect",
+                        "issuer": "${_param:operations_api_keycloak_url}/auth/realms/drivetrain-realm",
+                        "userinfo_uri": "${_param:operations_api_keycloak_url}/auth/realms/drivetrain-realm/protocol/openid-connect/userinfo"
+                    }
+                  }'
+                OAPI_SQLALCHEMY_DATABASE_URI: ${_param:operations_api_sqlalchemy_database_uri}
+                OAPI_SQLALCHEMY_ECHO: ${_param:operations_api_sqlalchemy_echo}
+                OAPI_FLASK_DEBUG: ${_param:operations_api_flask_debug}
+                OAPI_FLASK_SECRET_KEY: ${_param:operations_api_flask_secret_key}
+                OAPI_FLASK_SERVER_HOST: ${_param:operations_api_bind_host}
+                OAPI_FLASK_SERVER_PORT: ${_param:operations_api_bind_port}
+              image: ${_param:docker_image_operations_api}
+              deploy:
+                replicas: ${_param:docker_operations_api_replicas}
+                restart_policy:
+                  condition: any
+              ports:
+                - ${_param:haproxy_operations_api_exposed_port}:${_param:haproxy_operations_api_bind_port}
+              volumes:
+                - /srv/volumes/operations_api/logs/:/var/log/operations_api
+            cockroach-ui:
+              image: ${_param:docker_image_cockroachdb}
+              ports:
+                - ${_param:haproxy_cockroachdb_ui_exposed_port}:${_param:haproxy_cockroachdb_ui_bind_port}
+              command: start --insecure
+            cockroach-db-1:
+              image: cockroachdb/cockroach
+              command: start --insecure --join=cockroach-ui
+              depends_on:
+                - cockroach-ui
+              volumes:
+                - /srv/volumes/cockroachdb/cockroach-db-1:/cockroach/cockroach-data
+            cockroach-init:
+              environment:
+                COCKROACH_HOST: cockroach-ui
+              image: atengler/cockroach
+              deploy:
+                restart_policy:
+                  condition: on-failure
+              depends_on:
+                - cockroach-db-1
+          network:
+            default:
+              external:
+                name: operations_api_backend
diff --git a/haproxy/proxy/listen/cicd/operations_api.yml b/haproxy/proxy/listen/cicd/operations_api.yml
new file mode 100644
index 0000000..14bb44a
--- /dev/null
+++ b/haproxy/proxy/listen/cicd/operations_api.yml
@@ -0,0 +1,76 @@
+parameters:
+  _param:
+    haproxy_operations_api_bind_host: ${_param:haproxy_bind_address}
+    haproxy_operations_api_bind_port: 8001
+    haproxy_operations_api_exposed_port: 18001
+    haproxy_cockroachdb_ui_bind_host: ${_param:haproxy_bind_address}
+    haproxy_cockroachdb_ui_bind_port: 8080
+    haproxy_cockroachdb_ui_exposed_port: 18080
+    haproxy_operations_api_ssl:
+      enabled: false
+    haproxy_cockroachdb_ui_ssl:
+      enabled: false
+  haproxy:
+    proxy:
+      listen:
+        operations_api:
+          mode: http
+          options:
+            - forwardfor
+            - httpchk GET /api/v1/
+            - httpclose
+            - httplog
+          balance: source
+          http_request:
+            - action: "add-header X-Forwarded-Proto https"
+              condition: "if { ssl_fc }"
+          sticks:
+          - http-check expect string 'API'
+          binds:
+            - address: ${_param:haproxy_operations_api_bind_host}
+              port: ${_param:haproxy_operations_api_bind_port}
+              ssl: ${_param:haproxy_operations_api_ssl}
+          servers:
+            - name: ${_param:cluster_node01_name}
+              host: ${_param:cluster_node01_address}
+              port: ${_param:haproxy_operations_api_exposed_port}
+              params: check
+            - name: ${_param:cluster_node02_name}
+              host: ${_param:cluster_node02_address}
+              port: ${_param:haproxy_operations_api_exposed_port}
+              params: backup check
+            - name: ${_param:cluster_node03_name}
+              host: ${_param:cluster_node03_address}
+              port: ${_param:haproxy_operations_api_exposed_port}
+              params: backup check
+        cockroachdb_ui:
+          mode: http
+          balance: source
+          options:
+            - forwardfor
+            - httpchk GET /#/overview/list
+            - httpclose
+            - httplog
+          balance: source
+          http_request:
+            - action: "add-header X-Forwarded-Proto https"
+              condition: "if { ssl_fc }"
+          sticks:
+          - http-check expect string 'CLUSTER OVERVIEW'
+          binds:
+            - address: ${_param:haproxy_cockroachdb_ui_bind_host}
+              port: ${_param:haproxy_cockroachdb_ui_bind_port}
+              ssl: ${_param:haproxy_cockroachdb_ui_ssl}
+          servers:
+            - name: ${_param:cluster_node01_name}
+              host: ${_param:cluster_node01_address}
+              port: ${_param:haproxy_cockroachdb_ui_exposed_port}
+              params: check
+            - name: ${_param:cluster_node02_name}
+              host: ${_param:cluster_node02_address}
+              port: ${_param:haproxy_cockroachdb_ui_exposed_port}
+              params: backup check
+            - name: ${_param:cluster_node03_name}
+              host: ${_param:cluster_node03_address}
+              port: ${_param:haproxy_cockroachdb_ui_exposed_port}
+              params: backup check
diff --git a/ironic/conductor/storage/cinder.yml b/ironic/conductor/storage/cinder.yml
new file mode 100644
index 0000000..d3b60b1
--- /dev/null
+++ b/ironic/conductor/storage/cinder.yml
@@ -0,0 +1,12 @@
+parameters:
+  ironic:
+    conductor:
+      cinder:
+        auth_strategy: keystone
+        auth_type: password
+        password: ${_param:keystone_cinder_password}
+        project_domain_id: default
+        project_name: service
+        url: ${_param:cinder_service_protocol}://${_param:cinder_service_host}:8776
+        user_domain_name: Default
+        username: cinder
diff --git a/jenkins/client/job/deploy/lab/deploy.yml b/jenkins/client/job/deploy/lab/deploy.yml
index 7e419f6..a713427 100644
--- a/jenkins/client/job/deploy/lab/deploy.yml
+++ b/jenkins/client/job/deploy/lab/deploy.yml
@@ -1,222 +1,2 @@
-parameters:
-  _param:
-    jenkins_deploy_jobs: []
-    heat_stack_zone_job_param:
-      type: string
-      default: "mcp-mk"
-    openstack_api_projects_job_param:
-      type: string
-      default: "mcp-mk"
-  jenkins:
-    client:
-      job_template:
-        deploy_template:
-          name: deploy-{{stack_type}}-{{stack_name}}
-          jobs: ${_param:jenkins_deploy_jobs}
-          template:
-            type: workflow-scm
-            discard:
-              build:
-                keep_num: 100
-            concurrent: true
-            display_name: "Deploy - {{stack_name}} {{stack_type}}"
-            scm:
-              type: git
-              url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
-              branch: "${_param:jenkins_pipelines_branch}"
-              credentials: "gerrit"
-              script: cloud-deploy-pipeline.groovy
-            trigger:
-              timer:
-                spec: "{{job_timer}}"
-            param:
-              # general parameters
-              ASK_ON_ERROR:
-                type: boolean
-                default: 'false'
-              SLAVE_NODE:
-                type: string
-                default: 'python'
-
-              # deployments
-              STACK_NAME:
-                type: string
-                description: Heat stack name. Will be generated if missing.
-              STACK_TYPE:
-                type: string
-                default: "{{stack_type}}"
-              STACK_INSTALL:
-                type: string
-                default: "{{stack_install}}"
-              STACK_TEST:
-                type: string
-                default: "{{stack_test}}"
-              STACK_REUSE:
-                type: boolean
-                default: 'false'
-              STACK_DELETE:
-                type: boolean
-                default: 'true'
-                description: "Don't enable it if you need to use the lab after"
-              STACK_COMPUTE_COUNT:
-                type: string
-                default: '2'
-              STACK_CLUSTER_NAME:
-                type: string
-                default: ""
-                description: "Cluster name to use from reclass"
-
-              STACK_TEMPLATE:
-                type: string
-                default: "{{stack_name}}"
-              STACK_TEMPLATE_URL:
-                type: string
-                default: "${_param:jenkins_gerrit_url}/mk/heat-templates"
-              STACK_TEMPLATE_CREDENTIALS:
-                type: string
-                default: "gerrit"
-              STACK_TEMPLATE_BRANCH:
-                type: string
-                default: "master"
-              STACK_CLEANUP_JOB:
-                type: string
-                default: 'deploy-stack-cleanup'
-
-              STACK_RECLASS_ADDRESS:
-                type: string
-                default: ""
-              STACK_RECLASS_BRANCH:
-                type: string
-                default: ""
-
-              # salt
-              EXTRA_TARGET:
-                type: string
-                default: ""
-                description: "Salt extra target for edge clouds deployment"
-              SALT_MASTER_CREDENTIALS:
-                type: string
-                default: "salt-qa-credentials"
-              SALT_MASTER_URL:
-                type: string
-                default: ""
-              SALT_OVERRIDES:
-                type: text
-                default: ""
-                description: "YAML with overrides for Salt deployment"
-              SALT_VERSION:
-                type: text
-                default: "stable 2017.7"
-                description: "Version of Salt which is going to be installed i.e. 'stable 2016.3' or 'stable 2017.7' etc. Warning: This value doesn't override salt_version parameter set in the pillar."
-              BOOTSTRAP_EXTRA_REPO_PARAMS:
-                type: string
-                default: ""
-                description: "Defines a list of extra repos with parameters, format: repo 1, repo priority 1, repo pin 1; repo 2, repo priority 2, repo pin 2"
-              FORMULA_PKG_REVISION:
-                type: string
-                default: ""
-                description: "Formulas revision to install on Salt Master bootstrap stage"
-              STATIC_MGMT_NETWORK:
-                  type: boolean
-                  default: 'false'
-                  description: "Check if model contains static IP address definitions for all nodes"
-
-              # aws api
-              AWS_STACK_REGION:
-                type: string
-                default: "eu-central-1"
-              AWS_API_CREDENTIALS:
-                type: string
-                default: "aws-credentials"
-              AWS_SSH_KEY:
-                type: string
-                default: "jenkins-mk"
-
-              # heat
-              HEAT_STACK_ENVIRONMENT:
-                type: string
-                default: "{{stack_env}}"
-              HEAT_STACK_ZONE: ${_param:heat_stack_zone_job_param}
-              HEAT_STACK_PUBLIC_NET:
-                type: string
-                default: "public"
-
-              # openstack api
-              OPENSTACK_API_URL:
-                type: string
-                default: "https://cloud-cz.bud.mirantis.net:5000"
-              OPENSTACK_API_CREDENTIALS:
-                type: string
-                default: "openstack-devcloud-credentials"
-              OPENSTACK_API_PROJECT: ${_param:openstack_api_projects_job_param}
-              OPENSTACK_API_PROJECT_DOMAIN:
-                type: string
-                default: "default"
-              OPENSTACK_API_PROJECT_ID:
-                type: string
-                default: ""
-              OPENSTACK_API_USER_DOMAIN:
-                type: string
-                default: "default"
-
-              OPENSTACK_API_CLIENT:
-                type: string
-                default: ""
-              OPENSTACK_API_VERSION:
-                type: string
-                default: "3"
-
-              # test
-              TEST_K8S_API_SERVER:
-                type: string
-                default: "http://127.0.0.1:8080"
-              TEST_K8S_CONFORMANCE_IMAGE:
-                type: string
-                default: "docker-prod-virtual.docker.mirantis.net/mirantis/kubernetes/k8s-conformance:v1.11.3-2"
-
-              TEST_TEMPEST_IMAGE:
-                type: string
-                description: "Tempest docker image"
-                default: "${_param:mcp_docker_registry}/mirantis/oscore/rally-tempest"
-              TEST_TEMPEST_TARGET:
-                type: string
-                description: "Node to run tests"
-                default: ""
-              TEST_DOCKER_INSTALL:
-                type: boolean
-                description: "Install docker on the target if true"
-                default: "true"
-              TEST_TEMPEST_PATTERN:
-                type: string
-                description: "Run tests matched to pattern only"
-                default: ""
-
-              # TestRail vars
-              TESTRAIL_REPORT:
-                type: boolean
-                description: "Report test results to TestRail if true"
-                default: "false"
-              TESTRAIL_REPORTER_IMAGE:
-                type: string
-                description: "Testrail reporter docker image"
-                default: "alrem/xunit2testrail"
-              TESTRAIL_QA_CREDENTIALS:
-                type: string
-                description: "Credentials for results upload to testrail"
-                default: "oscore-qa-credentials"
-              TESTRAIL_MILESTONE:
-                type: string
-                description: "TestRail milestone"
-                default: "MCP1.1"
-              TESTRAIL_PLAN:
-                type: string
-                description: "TestRail test plan name. Will be generated if missing."
-                default: ""
-              TESTRAIL_GROUP:
-                type: string
-                description: "TestRail test group name."
-                default: "{{stack_name}}"
-              TESTRAIL_SUITE:
-                type: string
-                description: "TestRail test suite name"
-                default: "Tempest 16.0.0 with designate tests"
+# This file will be removed in Q3
+# jobs was moved into salt-models/infra repo
\ No newline at end of file
diff --git a/jenkins/client/job/deploy/update/kubernetes_update.yml b/jenkins/client/job/deploy/update/kubernetes_update.yml
index 11279ed..4100384 100644
--- a/jenkins/client/job/deploy/update/kubernetes_update.yml
+++ b/jenkins/client/job/deploy/update/kubernetes_update.yml
@@ -26,11 +26,11 @@
           param:
             KUBERNETES_HYPERKUBE_IMAGE:
               type: string
-              default: "${_param:kubernetes_hyperkube_repo}/hyperkube-amd64:v1.10.4-4"
+              default: "${_param:kubernetes_hyperkube_repo}/hyperkube-amd64:v1.11.3-2"
               description: "Versioned image to update control plane from. Should be null if update rolling via reclass-system level"
             KUBERNETES_PAUSE_IMAGE:
               type: string
-              default: "${_param:kubernetes_hyperkube_repo}/pause-amd64:v1.10.4-4"
+              default: "${_param:kubernetes_hyperkube_repo}/pause-amd64:v1.11.3-2"
               description: "Versioned pause image to use in deployments. Should be null if update rolling via reclass-system level"
             SALT_MASTER_URL:
               type: string
@@ -60,5 +60,21 @@
               description: "Salt targeted kubernetes CTL nodes (ex. I@kubernetes:master). Kubernetes control plane"
             CMP_TARGET:
               type: string
-              default: "cmp* and I@kubernetes:pool"
+              default: "I@kubernetes:pool and not I@kubernetes:master"
               description: "Salt targeted compute nodes (ex. 'cmp* and I@kubernetes:pool') Kubernetes computes"
+            CONFORMANCE_RUN_AFTER:
+              type: boolean
+              default: "false"
+              description: "Run conformance tests after upgrade"
+            CONFORMANCE_RUN_BEFORE:
+              type: boolean
+              default: "false"
+              description: "Run conformance tests before upgrade"
+            TEST_K8S_API_SERVER:
+              type: string
+              default: "http://127.0.0.1:8080"
+              description: "Local kubernetes apiserver variable for conformance tests"
+            ARTIFACTORY_URL:
+              type: string
+              default: "docker-prod-local.docker.mirantis.com"
+              description: "Artifactory URL where docker images located. Needed to correctly fetch conformance images."
diff --git a/jenkins/client/job/oscore/cookiecutter.yml b/jenkins/client/job/oscore/cookiecutter.yml
index a4b6cb2..23b9371 100644
--- a/jenkins/client/job/oscore/cookiecutter.yml
+++ b/jenkins/client/job/oscore/cookiecutter.yml
@@ -77,9 +77,9 @@
                 #Extra context that will be merged with content of COOKIECUTTER_TEMPLATE_CONTEXT_FILE
                 default_context:
                   openssh_groups: "qa_scale,oscore_devops,networking,tcpcloud,drivetrain,stacklight,k8s_team,mcp_qa"
-                  cookiecutter_template_url: https://gerrit.mcp.mirantis.net/mk/cookiecutter-templates.git
+                  cookiecutter_template_url: ssh://mcp-ci-gerrit@gerrit.mcp.mirantis.com:29418/mk/cookiecutter-templates.git
                   cookiecutter_template_branch: 'master'
-                  shared_reclass_url: https://gerrit.mcp.mirantis.net/salt-models/reclass-system.git
+                  shared_reclass_url: ssh://mcp-ci-gerrit@gerrit.mcp.mirantis.com:29418/salt-models/reclass-system.git
                   shared_reclass_branch: 'master'
             STACK_INSTALL:
               type: string
diff --git a/jenkins/client/job/stacklight/cookiecutter.yml b/jenkins/client/job/stacklight/cookiecutter.yml
index 15f0bb6..9ba858c 100644
--- a/jenkins/client/job/stacklight/cookiecutter.yml
+++ b/jenkins/client/job/stacklight/cookiecutter.yml
@@ -61,9 +61,9 @@
                 #Extra context that will be merged with content of COOKIECUTTER_TEMPLATE_CONTEXT_FILE
                 default_context:
                   openssh_groups: "qa_scale,oscore_devops,networking,tcpcloud,stacklight,k8s_team,drivetrain"
-                  cookiecutter_template_url: https://gerrit.mcp.mirantis.net/mk/cookiecutter-templates.git
+                  cookiecutter_template_url: ssh://mcp-ci-gerrit@gerrit.mcp.mirantis.com:29418/mk/cookiecutter-templates.git
                   cookiecutter_template_branch: 'master'
-                  shared_reclass_url: https://gerrit.mcp.mirantis.net/salt-models/reclass-system.git
+                  shared_reclass_url: ssh://mcp-ci-gerrit@gerrit.mcp.mirantis.com:29418/salt-models/reclass-system.git
                   shared_reclass_branch: 'master'
             STACK_INSTALL:
               type: string
diff --git a/linux/system/repo/mcp/apt_mirantis/hotfix/openstack.yml b/linux/system/repo/mcp/apt_mirantis/hotfix/openstack.yml
new file mode 100644
index 0000000..7f1f668
--- /dev/null
+++ b/linux/system/repo/mcp/apt_mirantis/hotfix/openstack.yml
@@ -0,0 +1,15 @@
+classes:
+- system.linux.system.repo.keystorage.mirantis_com
+parameters:
+  linux:
+    system:
+      repo:
+        mirantis_openstack_update:
+          source: "deb ${_param:linux_system_repo_hotfix_mirantis_openstack_url}/${_param:linux_system_codename} ${_param:linux_system_codename} main"
+          key: ${_param:linux_system_repo_mirror_mirantis_key}
+          architectures: ${_param:linux_system_architecture}
+          clean_file: true
+          pin:
+          - pin: 'release o=Mirantis'
+            priority: 1100
+            package: '*'
diff --git a/linux/system/repo/mcp/apt_mirantis/update/openstack.yml b/linux/system/repo/mcp/apt_mirantis/update/openstack.yml
new file mode 100644
index 0000000..199873e
--- /dev/null
+++ b/linux/system/repo/mcp/apt_mirantis/update/openstack.yml
@@ -0,0 +1,15 @@
+classes:
+- system.linux.system.repo.keystorage.mirantis_com
+parameters:
+  linux:
+    system:
+      repo:
+        mirantis_openstack_update:
+          source: "deb ${_param:linux_system_repo_update_mirantis_openstack_url}/${_param:linux_system_codename} ${_param:linux_system_codename} main"
+          key: ${_param:linux_system_repo_mirror_mirantis_key}
+          architectures: ${_param:linux_system_architecture}
+          clean_file: true
+          pin:
+          - pin: 'release o=Mirantis'
+            priority: 1100
+            package: '*'
diff --git a/nginx/server/proxy/openstack/octavia.yml b/nginx/server/proxy/openstack/octavia.yml
new file mode 100644
index 0000000..8d5f6c1
--- /dev/null
+++ b/nginx/server/proxy/openstack/octavia.yml
@@ -0,0 +1,23 @@
+parameters:
+  _param:
+    nginx_proxy_openstack_api_host: ${_param:cluster_public_host}
+    nginx_proxy_openstack_api_address: 0.0.0.0
+    nginx_proxy_openstack_octavia_host: ${_param:octavia_service_host}
+    nginx_proxy_openstack_octavia_protocol: 'http'
+  nginx:
+    server:
+      site:
+        nginx_proxy_openstack_api_octavia:
+          enabled: true
+          type: nginx_proxy
+          name: openstack_api_octavia
+          check: false
+          proxy:
+            host: ${_param:nginx_proxy_openstack_octavia_host}
+            port: 9876
+            protocol: ${_param:nginx_proxy_openstack_octavia_protocol}
+          host:
+            name: ${_param:nginx_proxy_openstack_api_host}
+            port: 9876
+            address: ${_param:nginx_proxy_openstack_api_address}
+          ssl: ${_param:nginx_proxy_ssl}
diff --git a/opencontrail/control/analytics.yml b/opencontrail/control/analytics.yml
index 6e56936..36781c2 100644
--- a/opencontrail/control/analytics.yml
+++ b/opencontrail/control/analytics.yml
@@ -33,6 +33,7 @@
       network:
         host: ${_param:opencontrail_control_address}
     collector:
+      role: ${_param:opencontrail_node_role}
       discovery:
         host: ${_param:opencontrail_control_address}
     database:
diff --git a/opencontrail/control/analytics4_0.yml b/opencontrail/control/analytics4_0.yml
index bfdbadb..f0cf352 100644
--- a/opencontrail/control/analytics4_0.yml
+++ b/opencontrail/control/analytics4_0.yml
@@ -39,6 +39,7 @@
       network:
         host: ${_param:openstack_control_address}
     collector:
+      role: ${_param:opencontrail_node_role}
       config_only: true
       discovery:
         host: None
diff --git a/opencontrail/control/control.yml b/opencontrail/control/control.yml
index e846f5d..4719dff 100644
--- a/opencontrail/control/control.yml
+++ b/opencontrail/control/control.yml
@@ -30,6 +30,8 @@
       identity:
         region: ${_param:openstack_region}
         host: ${_param:openstack_control_address}
+    control:
+      role: ${_param:opencontrail_node_role}
     web:
       analytics:
         host: ${_param:opencontrail_analytics_address}
diff --git a/opencontrail/control/control4_0.yml b/opencontrail/control/control4_0.yml
index 8572553..09b1e12 100644
--- a/opencontrail/control/control4_0.yml
+++ b/opencontrail/control/control4_0.yml
@@ -47,6 +47,7 @@
         region: ${_param:openstack_region}
         host: ${_param:openstack_control_address}
     control:
+      role: ${_param:opencontrail_node_role}
       config_only: true
       analytics:
         members:
diff --git a/reclass/storage/system/opencontrail_analytics_cluster.yml b/reclass/storage/system/opencontrail_analytics_cluster.yml
index 400853e..1027904 100644
--- a/reclass/storage/system/opencontrail_analytics_cluster.yml
+++ b/reclass/storage/system/opencontrail_analytics_cluster.yml
@@ -18,6 +18,7 @@
             single_address: ${_param:opencontrail_analytics_node01_address}
             keepalived_vip_priority: 103
             opencontrail_database_id: 1
+            opencontrail_node_role: primary
         opencontrail_analytics_node02:
           name: ${_param:opencontrail_analytics_node02_hostname}
           domain: ${_param:cluster_domain}
@@ -29,6 +30,7 @@
             single_address: ${_param:opencontrail_analytics_node02_address}
             keepalived_vip_priority: 102
             opencontrail_database_id: 2
+            opencontrail_node_role: secondary
         opencontrail_analytics_node03:
           name: ${_param:opencontrail_analytics_node03_hostname}
           domain: ${_param:cluster_domain}
@@ -40,3 +42,4 @@
             single_address: ${_param:opencontrail_analytics_node03_address}
             keepalived_vip_priority: 101
             opencontrail_database_id: 3
+            opencontrail_node_role: secondary
diff --git a/reclass/storage/system/opencontrail_control_cluster.yml b/reclass/storage/system/opencontrail_control_cluster.yml
index f752c83..64214e1 100644
--- a/reclass/storage/system/opencontrail_control_cluster.yml
+++ b/reclass/storage/system/opencontrail_control_cluster.yml
@@ -18,6 +18,7 @@
             single_address: ${_param:opencontrail_control_node01_address}
             keepalived_vip_priority: 103
             opencontrail_database_id: 1
+            opencontrail_node_role: primary
         opencontrail_control_node02:
           name: ${_param:opencontrail_control_node02_hostname}
           domain: ${_param:cluster_domain}
@@ -29,6 +30,7 @@
             single_address: ${_param:opencontrail_control_node02_address}
             keepalived_vip_priority: 102
             opencontrail_database_id: 2
+            opencontrail_node_role: secondary
         opencontrail_control_node03:
           name: ${_param:opencontrail_control_node03_hostname}
           domain: ${_param:cluster_domain}
@@ -40,3 +42,4 @@
             single_address: ${_param:opencontrail_control_node03_address}
             keepalived_vip_priority: 101
             opencontrail_database_id: 3
+            opencontrail_node_role: secondary
diff --git a/reclass/storage/system/opencontrail_gateway_single.yml b/reclass/storage/system/opencontrail_gateway_single.yml
index 30c7043..a545465 100644
--- a/reclass/storage/system/opencontrail_gateway_single.yml
+++ b/reclass/storage/system/opencontrail_gateway_single.yml
@@ -14,3 +14,4 @@
             salt_master_host: ${_param:reclass_config_master}
             linux_system_codename: ${_param:opencontrail_gateway_system_codename}
             single_address: ${_param:opencontrail_gateway_address}
+            opencontrail_node_role: primary
\ No newline at end of file
diff --git a/reclass/storage/system/opencontrail_tor_cluster.yml b/reclass/storage/system/opencontrail_tor_cluster.yml
index 1fa2ad0..513b83f 100644
--- a/reclass/storage/system/opencontrail_tor_cluster.yml
+++ b/reclass/storage/system/opencontrail_tor_cluster.yml
@@ -19,6 +19,7 @@
             single_address: ${_param:opencontrail_tor01_node01_address}
             tenant_address: ${_param:opencontrail_tor01_node01_tenant_address}
             keepalived_vip_priority: 103
+            opencontrail_node_role: primary
         opencontrail_tor01_node02:
           name: ${_param:opencontrail_tor01_node02_hostname}
           domain: ${_param:cluster_domain}
@@ -30,3 +31,4 @@
             single_address: ${_param:opencontrail_tor01_node02_address}
             tenant_address: ${_param:opencontrail_tor01_node02_tenant_address}
             keepalived_vip_priority: 102
+            opencontrail_node_role: secondary