Merge "Add key additional key for user aminasyan"
diff --git a/cinder/control/cluster.yml b/cinder/control/cluster.yml
index 7f8e2d7..286f2ad 100644
--- a/cinder/control/cluster.yml
+++ b/cinder/control/cluster.yml
@@ -52,6 +52,8 @@
         user: cinder
         password: ${_param:keystone_cinder_password}
         protocol: ${_param:cluster_internal_protocol}
+      service_user:
+        enabled: ${_param:cinder_service_user_enabled}
       glance:
         host: ${_param:cluster_vip_address}
         port: 9292
diff --git a/cinder/control/single.yml b/cinder/control/single.yml
index b8f670d..2d662f9 100644
--- a/cinder/control/single.yml
+++ b/cinder/control/single.yml
@@ -31,6 +31,8 @@
       identity:
         protocol: ${_param:internal_protocol}
         region: ${_param:openstack_region}
+      service_user:
+        enabled: ${_param:cinder_service_user_enabled}
       barbican:
         enabled: ${_param:barbican_integration_enabled}
       message_queue:
diff --git a/cinder/volume/local.yml b/cinder/volume/local.yml
index 301946b..e42eef3 100644
--- a/cinder/volume/local.yml
+++ b/cinder/volume/local.yml
@@ -33,6 +33,8 @@
       identity:
         host: ${_param:single_address}
         region: ${_param:openstack_region}
+      service_user:
+        enabled: ${_param:cinder_service_user_enabled}
       cache:
         security:
           enabled: ${_param:cinder_memcache_security_enabled}
diff --git a/cinder/volume/single.yml b/cinder/volume/single.yml
index 9531aa4..a865722 100644
--- a/cinder/volume/single.yml
+++ b/cinder/volume/single.yml
@@ -44,6 +44,8 @@
         host: ${_param:openstack_control_address}
         protocol: ${_param:cluster_internal_protocol}
         region: ${_param:openstack_region}
+      service_user:
+        enabled: ${_param:cinder_service_user_enabled}
       cache:
         security:
           enabled: ${_param:cinder_memcache_security_enabled}
diff --git a/defaults/backup.yml b/defaults/backup.yml
new file mode 100644
index 0000000..66e5173
--- /dev/null
+++ b/defaults/backup.yml
@@ -0,0 +1,7 @@
+parameters:
+  _param:
+    backup_min: "0"
+    backup_hour: "*/12"
+    backup_day_of_month: "*"
+    backup_month: "*"
+    backup_day_of_week: "*"
diff --git a/defaults/docker_images.yml b/defaults/docker_images.yml
index 8207c87..8db61a5 100644
--- a/defaults/docker_images.yml
+++ b/defaults/docker_images.yml
@@ -27,6 +27,7 @@
     docker_image_alerta: "${_param:mcp_docker_registry}/mirantis/external/alerta-web:${_param:mcp_version}"
     docker_image_alertmanager: "${_param:mcp_docker_registry}/openstack-docker/alertmanager:${_param:mcp_version}"
     docker_image_grafana: "${_param:mcp_docker_registry}/openstack-docker/grafana:${_param:mcp_version}"
+    docker_image_prometheus_es_exporter: "${_param:mcp_docker_registry}/mirantis/external/braedon/prometheus-es-exporter:0.5.1"
     docker_image_prometheus: "${_param:mcp_docker_registry}/openstack-docker/prometheus:${_param:mcp_version}"
     docker_image_prometheus_gainsight: "${_param:mcp_docker_registry}/openstack-docker/gainsight:${_param:mcp_version}"
     docker_image_prometheus_gainsight_elasticsearch: "${_param:mcp_docker_registry}/openstack-docker/gainsight_elasticsearch:${_param:mcp_version}"
@@ -134,6 +135,10 @@
         - registry: ${_param:mcp_docker_registry}/openstack-docker
           target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/openstack-docker
           name: gainsight_elasticsearch:${_param:mcp_version}
+        - registry: ${_param:mcp_docker_registry}/mirantis/external/braedon
+          target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/mirantis/external/braedon
+          name: prometheus-es-exporter:0.5.1
+
         # QA\CVP tool-set's
         - registry: ${_param:mcp_docker_registry}/mirantis/oss
           target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/mirantis/oss
diff --git a/defaults/init.yml b/defaults/init.yml
index 90d5f7f..978671c 100644
--- a/defaults/init.yml
+++ b/defaults/init.yml
@@ -22,6 +22,7 @@
 - system.defaults.salt
 - system.defaults.stacklight
 - system.defaults.xtrabackup
+- system.defaults.backup
 parameters:
   _param:
     mcp_version: stable
@@ -42,6 +43,7 @@
     # Other
     salt_control_xenial_image_backend: /var/lib/libvirt/images/backends/xenial.qcow2
     salt_control_trusty_image_backend: /var/lib/libvirt/images/backends/trusty.qcow2
+    salt_master_api_port: 6969
     salt_master_worker_threads: 40
     salt_minion_ca_host: cfg01.${_param:cluster_domain}
     # Make sure this global variable is defined everywhere, where used it is already set on cluster level
diff --git a/defaults/jenkins.yml b/defaults/jenkins.yml
index 36bcbfb..eddf216 100644
--- a/defaults/jenkins.yml
+++ b/defaults/jenkins.yml
@@ -3,3 +3,4 @@
     jenkins_master_port: 8081
     jenkins_master_protocol: http
     jenkins_pipelines_branch: "master"
+    jenkins_salt_api_url: "http://${_param:salt_master_host}:${_param:salt_master_api_port}"
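Review bot: The new `jenkins_salt_api_url` default hard-codes `http://`, so every job that takes its `SALT_MASTER_URL` default from it talks to the Salt API, and presumably logs in with `SALT_MASTER_CREDENTIALS`, over an unencrypted connection unless a cluster overrides the whole URL. This file already parameterises the Jenkins side with `jenkins_master_protocol`; the same pattern would let TLS deployments switch without redefining the URL: `jenkins_salt_api_url: "${_param:salt_master_api_protocol}://${_param:salt_master_host}:${_param:salt_master_api_port}"`. `salt_master_api_protocol` is a proposed name that does not exist in this diff and would need a default next to `salt_master_api_port` in defaults/init.yml.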
diff --git a/defaults/linux_system_file.yml b/defaults/linux_system_file.yml
index c37c030..8af3075 100644
--- a/defaults/linux_system_file.yml
+++ b/defaults/linux_system_file.yml
@@ -13,16 +13,23 @@
           name: /srv/http/images.mirantis.com/ubuntu-16-04-x64-mcp${_param:mcp_version}.qcow2.md5
           source: ${_param:mcp_static_images_url}/ubuntu-16-04-x64-mcp${_param:mcp_version}.qcow2.md5
         amphora-x64-haproxy-pike.qcow2:
-          source: ${_param:mcp_binary_registry}/mirantis/openstack/octavia/images/${_param:mcp_version}/pike/amphora-x64-haproxy.qcow2
-          name: /srv/http/artifactory.mirantis.com/artifactory/binary-prod-local/mirantis/openstack/octavia/images/${_param:mcp_version}/pike/amphora-x64-haproxy.qcow2
-          hash: ${_param:mcp_binary_registry}/mirantis/openstack/octavia/images/${_param:mcp_version}/pike/amphora-x64-haproxy.qcow2.md5
+          name: /srv/http/images.mirantis.com/octavia/amphora-x64-haproxy-pike-${_param:mcp_version}.qcow2
+          source: ${_param:mcp_static_images_url}/octavia/amphora-x64-haproxy-pike-${_param:mcp_version}.qcow2
+          hash: ${_param:mcp_static_images_url}/octavia/amphora-x64-haproxy-pike-${_param:mcp_version}.qcow2.md5
         amphora-x64-haproxy-pike.qcow2.md5:
-          source: ${_param:mcp_binary_registry}/mirantis/openstack/octavia/images/${_param:mcp_version}/pike/amphora-x64-haproxy.qcow2.md5
-          name: /srv/http/artifactory.mirantis.com/artifactory/binary-prod-local/mirantis/openstack/octavia/images/${_param:mcp_version}/pike/amphora-x64-haproxy.qcow2.md5
+          name: /srv/http/images.mirantis.com/octavia/amphora-x64-haproxy-pike-${_param:mcp_version}.qcow2.md5
+          source: ${_param:mcp_static_images_url}/octavia/amphora-x64-haproxy-pike-${_param:mcp_version}.qcow2.md5
         amphora-x64-haproxy-queens.qcow2:
-          source: ${_param:mcp_binary_registry}/mirantis/openstack/octavia/images/${_param:mcp_version}/queens/amphora-x64-haproxy.qcow2
-          name: /srv/http/artifactory.mirantis.com/artifactory/binary-prod-local/mirantis/openstack/octavia/images/${_param:mcp_version}/queens/amphora-x64-haproxy.qcow2
-          hash: ${_param:mcp_binary_registry}/mirantis/openstack/octavia/images/${_param:mcp_version}/queens/amphora-x64-haproxy.qcow2.md5
+          name: /srv/http/images.mirantis.com/octavia/amphora-x64-haproxy-queens-${_param:mcp_version}.qcow2
+          source: ${_param:mcp_static_images_url}/octavia/amphora-x64-haproxy-queens-${_param:mcp_version}.qcow2
+          hash: ${_param:mcp_static_images_url}/octavia/amphora-x64-haproxy-queens-${_param:mcp_version}.qcow2.md5
         amphora-x64-haproxy-queens.qcow2.md5:
-          source: ${_param:mcp_binary_registry}/mirantis/openstack/octavia/images/${_param:mcp_version}/queens/amphora-x64-haproxy.qcow2.md5
-          name: /srv/http/artifactory.mirantis.com/artifactory/binary-prod-local/mirantis/openstack/octavia/images/${_param:mcp_version}/queens/amphora-x64-haproxy.qcow2.md5
+          name: /srv/http/images.mirantis.com/octavia/amphora-x64-haproxy-queens-${_param:mcp_version}.qcow2.md5
+          source: ${_param:mcp_static_images_url}/octavia/amphora-x64-haproxy-queens-${_param:mcp_version}.qcow2.md5
+        amphora-x64-haproxy-rocky.qcow2:
+          name: /srv/http/images.mirantis.com/octavia/amphora-x64-haproxy-rocky-${_param:mcp_version}.qcow2
+          source: ${_param:mcp_static_images_url}/octavia/amphora-x64-haproxy-rocky-${_param:mcp_version}.qcow2
+          hash: ${_param:mcp_static_images_url}/octavia/amphora-x64-haproxy-rocky-${_param:mcp_version}.qcow2.md5
+        amphora-x64-haproxy-rocky.qcow2.md5:
+          name: /srv/http/images.mirantis.com/octavia/amphora-x64-haproxy-rocky-${_param:mcp_version}.qcow2.md5
+          source: ${_param:mcp_static_images_url}/octavia/amphora-x64-haproxy-rocky-${_param:mcp_version}.qcow2.md5
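Review bot: Each `hash:` entry points at an `.md5` file served from the same `${_param:mcp_static_images_url}` as the image it covers, so the check catches a truncated or corrupted download but not a replaced image: whoever can change the qcow2 on that host can change the checksum beside it. MD5 is also no longer collision-resistant. If the mirror publishes SHA-256 sums, reference those, and consider pinning the expected digest in the model instead of fetching it. At the least I would add a comment above the first entry such as `# hash comes from the same origin as the image: integrity check only, not authenticity`. This applies equally to the pike, queens and rocky entries.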
diff --git a/defaults/openstack/init.yml b/defaults/openstack/init.yml
index 75bb601..8a6db83 100644
--- a/defaults/openstack/init.yml
+++ b/defaults/openstack/init.yml
@@ -13,6 +13,7 @@
     openstack_share_service_host: ${_param:openstack_share_service_hostname}.${linux:system:domain}
     openstack_kmn_service_host: ${_param:openstack_kmn_service_hostname}.${linux:system:domain}
     openstack_telemetry_service_host: ${_param:openstack_telemetry_service_hostname}.${linux:system:domain}
+    openstack_service_user_enabled: True
     # SSL
     ceilometer_agent_ssl_enabled: False
     openstack_mysql_x509_enabled: False
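Review bot: `openstack_service_user_enabled: True` is undocumented and on by default, and it fans out to `cinder_service_user_enabled` and `nova_service_user_enabled` in the later hunks of this file and to the `service_user:` blocks added in cinder/control/cluster.yml, cinder/control/single.yml, cinder/volume/local.yml and cinder/volume/single.yml. Those blocks set only `enabled`; if the formula needs separate credentials for the service user, none are set in any visible hunk, so please confirm that an upgraded cluster renders a working configuration with this default. A comment above the parameter would help, for example `# Global switch for the service_user section of OpenStack services (cinder, nova); set to False to keep the previous behaviour`. No nova class in the visible part of the diff consumes `nova_service_user_enabled`.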
@@ -34,6 +35,7 @@
     cinder_old_version: ${_param:openstack_old_version}
     cinder_version: ${_param:openstack_version}
     cinder_upgrade_enabled: ${_param:openstack_upgrade_enabled}
+    cinder_service_user_enabled: ${_param:openstack_service_user_enabled}
     # Nova
     nova_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
     nova_memcache_secret_key: ''
@@ -41,6 +43,7 @@
     nova_version: ${_param:openstack_version}
     nova_upgrade_enabled: ${_param:openstack_upgrade_enabled}
     nova_instance_build_timeout: 3600
+    nova_service_user_enabled: ${_param:openstack_service_user_enabled}
     # Glance
     glance_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
     glance_memcache_secret_key: ''
@@ -99,6 +102,24 @@
     keystone_old_version: ${_param:openstack_old_version}
     keystone_version: ${_param:openstack_version}
     keystone_upgrade_enabled: ${_param:openstack_upgrade_enabled}
+    # (obryndzii) Rotating keys too frequently, or with ``[fernet_tokens] max_active_keys``
+    # set too low, will cause tokens to become invalid prior to their expiration.
+    # As tokens may be fetched beyond their initial expiration period (nova live migration,
+    # cider volume backup), keys should not be fully rotated within the period of
+    # ``[token] expiration``+``[token] allow_expired_window`` seconds to prevent the tokens
+    # becoming unavailable.
+    # The max_active_keys default value was adjusted according to the following defaults:
+    # [token]/allow_expired_window = 172800 (48 hours)
+    # [token]/expiration = 3600 (1 hour)
+    # rotation_frequency = 1 hour (keystone_fernet_rotate_rsync_minute/hour 0 *)
+    # max_active_keys = (allow_expired_window + expiration)/rotation_frequency + 2
+    # In case of changing those defaults the keystone_tokens_max_active_keys value should be
+    # calculated according to the definition above.
+    keystone_tokens_expiration: 3600
+    keystone_tokens_max_active_keys: 51
+    keystone_tokens_allow_expired_window: 172800
+    keystone_fernet_rotate_rsync_minute: 0
+    keystone_fernet_rotate_rsync_hour: '*'
     # Manila
     manila_old_version: ${_param:openstack_old_version}
     manila_version: ${_param:openstack_version}
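Review bot: The explanatory comment mixes units: `allow_expired_window` and `expiration` are given in seconds while `rotation_frequency` is given as `1 hour`, so the formula only yields 51 once the reader converts it, (172800 + 3600) / 3600 + 2. Writing the line as `# rotation_frequency = 3600 (1 hour, keystone_fernet_rotate_rsync_minute/hour 0 *)` makes the value directly computable for anyone who changes the defaults. In the same block, `cider volume backup` should read `cinder volume backup`.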
@@ -147,7 +168,7 @@
     octavia_health_manager_node03_address: 192.168.10.12
     #
     amphora_image_name: amphora-x64-haproxy
-    amphora_image_url: "${_param:mcp_binary_registry}/mirantis/openstack/octavia/images/${_param:mcp_version}/${_param:openstack_version}/amphora-x64-haproxy.qcow2"
+    amphora_image_url: ${_param:mcp_static_images_url}/octavia/amphora-x64-haproxy-${_param:openstack_version}-${_param:mcp_version}.qcow2
     # HAproxy
     haproxy_openstack_web_bind_port: ${_param:horizon_public_port}
     #
diff --git a/defaults/salt/init.yml b/defaults/salt/init.yml
index 61d9866..e71f560 100644
--- a/defaults/salt/init.yml
+++ b/defaults/salt/init.yml
@@ -48,3 +48,10 @@
 
     salt_control_trusty_image: ${_param:mcp_static_images_url}/ubuntu-14-04-x64-mcp${_param:mcp_version}.qcow2
     salt_control_xenial_image: ${_param:mcp_static_images_url}/ubuntu-16-04-x64-mcp${_param:mcp_version}.qcow2
+
+    salt_master_api_permissions:
+    - '.*'
+    - '@local'
+    - '@wheel'   # to allow access to all wheel modules
+    - '@runner'  # to allow access to all runner modules
+    - '@jobs'    # to allow access to the jobs runner and/or wheel mo
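Review bot: `salt_master_api_permissions` defaults to the widest possible grant: `'.*'` matches every execution function on every minion, and `@wheel`, `@runner` and `@jobs` add the master-side modules, so whichever account this list is bound to (the binding is outside this hunk) gets full control of the cluster through the API. Since this commit also defaults `jenkins_salt_api_url` to `http://`, a narrower default that clusters widen deliberately would be safer. At minimum add a comment above the key, e.g. `# Full access to all minions and master modules; restrict per deployment`. The last inline comment looks cut off at `wheel mo`.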
diff --git a/docker/swarm/stack/ldap.yml b/docker/swarm/stack/ldap.yml
index fbb74bc..b785711 100644
--- a/docker/swarm/stack/ldap.yml
+++ b/docker/swarm/stack/ldap.yml
@@ -39,7 +39,8 @@
                 - server
               hostname: ldap
               environment:
-                PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{'server': [{'server': [{'tls': False}]},{'login': [{'bind_id': 'cn=admin,${_param:openldap_dn}'},{'bind_pass': '${_param:openldap_admin_password}'}]}]}]"
+                PHPLDAPADMIN_LDAP_ADMIN_PASSWORD: ${_param:openldap_admin_password}
+                PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{'server': [{'server': [{'tls': False}]},{'login': [{'bind_id': 'cn=admin,${_param:openldap_dn}'},{'bind_pass': '$PHPLDAPADMIN_LDAP_ADMIN_PASSWORD'}]}]}]"
                 PHPLDAPADMIN_HTTPS: "false"
                 PHPLDAPADMIN_TRUST_PROXY_SSL: "true"
                 PHPLDAPADMIN_SERVER_ADMIN: ${_param:admin_email}
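Review bot: Moving the bind password into `PHPLDAPADMIN_LDAP_ADMIN_PASSWORD` still leaves it in the service environment, where it is readable by anyone who can inspect the service or its containers, and in the rendered stack definition. Whether `$PHPLDAPADMIN_LDAP_ADMIN_PASSWORD` is expanded inside the single-quoted `#PYTHON2BASH` literal depends on the image's startup script, which is not visible here, so please confirm that login still works and that a password containing `'` or `$` does not break the literal. If the image can read the value from a file, a Docker secret would keep it out of the environment. A comment above the new line saying why the indirection exists would also help the next reader.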
diff --git a/etcd/server/cluster.yml b/etcd/server/cluster.yml
index d9c1c8b..af210d7 100644
--- a/etcd/server/cluster.yml
+++ b/etcd/server/cluster.yml
@@ -4,10 +4,10 @@
 - service.etcd.linux
 parameters:
   _param:
-    docker_image_etcd: quay.io/coreos/etcd:v3.3.10
+    docker_image_etcd: quay.io/coreos/etcd:v3.3.12
     kubernetes_etcd_repo: https://github.com/etcd-io/etcd/releases/download
-    kubernetes_etcd_source: ${_param:kubernetes_etcd_repo}/v3.3.10/etcd-v3.3.10-linux-amd64.tar.gz
-    kubernetes_etcd_source_hash: md5=dbbe0d021ba497bf9d9cc9963d0c7a4b
+    kubernetes_etcd_source: ${_param:kubernetes_etcd_repo}/v3.3.12/etcd-v3.3.12-linux-amd64.tar.gz
+    kubernetes_etcd_source_hash: md5=079af00546443b686df31e7ec605135e
   etcd:
     server:
       enabled: true
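Review bot: The bumped tarball is still verified with `md5=`, which is not collision-resistant and is a weak check for a binary fetched from GitHub releases and run as the cluster datastore. The value already carries its algorithm as a prefix, so if the consuming formula passes it through unchanged the switch is one line: `kubernetes_etcd_source_hash: sha256=<SHA256_OF_etcd-v3.3.12-linux-amd64.tar.gz>` (placeholder; take the digest from the upstream release checksums). `docker_image_etcd` is likewise pinned by tag only, not by digest.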
diff --git a/jenkins/client/init.yml b/jenkins/client/init.yml
index 77e328f..676fe4d 100644
--- a/jenkins/client/init.yml
+++ b/jenkins/client/init.yml
@@ -24,6 +24,9 @@
           url: ${_param:jenkins_gerrit_url}/mcp-ci/pipeline-library
           credential_id: gerrit
           branch: ${_param:jenkins_pipelines_branch}
+      theme:
+        css_url: '/userContent/theme/mirantis.css'
+        js_url: '/userContent/theme/mirantis.js'
       view:
         Mirrors:
           enabled: true
diff --git a/jenkins/client/job/ceph/add-node.yml b/jenkins/client/job/ceph/add-node.yml
index 29af563..763b859 100644
--- a/jenkins/client/job/ceph/add-node.yml
+++ b/jenkins/client/job/ceph/add-node.yml
@@ -20,7 +20,7 @@
             SALT_MASTER_URL:
               type: string
               description: URL of Salt master
-              default: "http://${_param:salt_master_host}:6969"
+              default: "${_param:jenkins_salt_api_url}"
             SALT_MASTER_CREDENTIALS:
               type: string
               description: Credentials for login to Salt API
diff --git a/jenkins/client/job/ceph/backend-migration.yml b/jenkins/client/job/ceph/backend-migration.yml
index ab3f639..c0a7c45 100644
--- a/jenkins/client/job/ceph/backend-migration.yml
+++ b/jenkins/client/job/ceph/backend-migration.yml
@@ -20,7 +20,7 @@
             SALT_MASTER_URL:
               type: string
               description: URL of Salt master
-              default: "http://${_param:salt_master_host}:6969"
+              default: "${_param:jenkins_salt_api_url}"
             SALT_MASTER_CREDENTIALS:
               type: string
               description: Credentials for login to Salt API
diff --git a/jenkins/client/job/ceph/remove-node.yml b/jenkins/client/job/ceph/remove-node.yml
index 901e319..d6fd128 100644
--- a/jenkins/client/job/ceph/remove-node.yml
+++ b/jenkins/client/job/ceph/remove-node.yml
@@ -20,7 +20,7 @@
             SALT_MASTER_URL:
               type: string
               description: URL of Salt master
-              default: "http://${_param:salt_master_host}:6969"
+              default: "${_param:jenkins_salt_api_url}"
             SALT_MASTER_CREDENTIALS:
               type: string
               description: Credentials for login to Salt API
diff --git a/jenkins/client/job/ceph/remove-osd.yml b/jenkins/client/job/ceph/remove-osd.yml
index 99dcb37..3af5a96 100644
--- a/jenkins/client/job/ceph/remove-osd.yml
+++ b/jenkins/client/job/ceph/remove-osd.yml
@@ -20,7 +20,7 @@
             SALT_MASTER_URL:
               type: string
               description: URL of Salt master
-              default: "http://${_param:salt_master_host}:6969"
+              default: "${_param:jenkins_salt_api_url}"
             SALT_MASTER_CREDENTIALS:
               type: string
               description: Credentials for login to Salt API
diff --git a/jenkins/client/job/ceph/replace-failed-osd.yml b/jenkins/client/job/ceph/replace-failed-osd.yml
index a342ffb..395b5e5 100644
--- a/jenkins/client/job/ceph/replace-failed-osd.yml
+++ b/jenkins/client/job/ceph/replace-failed-osd.yml
@@ -20,7 +20,7 @@
             SALT_MASTER_URL:
               type: string
               description: URL of Salt master
-              default: "http://${_param:salt_master_host}:6969"
+              default: "${_param:jenkins_salt_api_url}"
             SALT_MASTER_CREDENTIALS:
               type: string
               description: Credentials for login to Salt API
diff --git a/jenkins/client/job/ceph/upgrade.yml b/jenkins/client/job/ceph/upgrade.yml
index 7717761..0c07b46 100644
--- a/jenkins/client/job/ceph/upgrade.yml
+++ b/jenkins/client/job/ceph/upgrade.yml
@@ -20,7 +20,7 @@
             SALT_MASTER_URL:
               type: string
               description: URL of Salt master
-              default: "http://${_param:salt_master_host}:6969"
+              default: "${_param:jenkins_salt_api_url}"
             SALT_MASTER_CREDENTIALS:
               type: string
               description: Credentials for login to Salt API
diff --git a/jenkins/client/job/deploy/galera_database_backup.yml b/jenkins/client/job/deploy/galera_database_backup.yml
new file mode 100644
index 0000000..e78c29b
--- /dev/null
+++ b/jenkins/client/job/deploy/galera_database_backup.yml
@@ -0,0 +1,33 @@
+parameters:
+  jenkins:
+    client:
+      job:
+        galera_backup_database:
+          type: workflow-scm
+          name: galera-database-backup
+          display_name: "Galera database backup"
+          discard:
+            build:
+              keep_num: 50
+          concurrent: true
+          scm:
+            type: git
+            url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
+            branch: "${_param:jenkins_pipelines_branch}"
+            credentials: "gerrit"
+            script: galera-database-backup-pipeline.groovy
+          param:
+            SALT_MASTER_CREDENTIALS:
+              type: string
+              default: "salt"
+            OVERRIDE_BACKUP_NODE:
+              type: string
+              default: "none"
+            SALT_MASTER_URL:
+              type: string
+              default: "${_param:jenkins_salt_api_url}"
+            ASK_CONFIRMATION:
+              type: boolean
+              default: 'true'
+          triggers:
+            - timed: "${_param:backup_min} ${_param:backup_hour} ${_param:backup_day_of_month} ${_param:backup_month} ${_param:backup_day_of_week}"
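Review bot: The job runs from a `timed` trigger but `ASK_CONFIRMATION` defaults to `'true'`; if the pipeline pauses for input when that flag is set (the Groovy script is not part of this diff), every scheduled run will wait for a person and no backup is taken. `concurrent: true` then lets the next run, 12 hours later with the defaults from defaults/backup.yml, start while the previous one is still pending or running. For an unattended backup I would expect `default: 'false'` under `ASK_CONFIRMATION` and `concurrent: false`. The parameters also lack the `description:` lines that the other job definitions in this commit carry.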
diff --git a/jenkins/client/job/deploy/galera_verify_restore.yml b/jenkins/client/job/deploy/galera_verify_restore.yml
index 492d76f..73e312a 100644
--- a/jenkins/client/job/deploy/galera_verify_restore.yml
+++ b/jenkins/client/job/deploy/galera_verify_restore.yml
@@ -1,6 +1,4 @@
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/openstack.yml b/jenkins/client/job/deploy/openstack.yml
index d5ed556..b265161 100644
--- a/jenkins/client/job/deploy/openstack.yml
+++ b/jenkins/client/job/deploy/openstack.yml
@@ -1,6 +1,4 @@
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/try_mcp.yml b/jenkins/client/job/deploy/try_mcp.yml
index 9c161ff..3ad2878 100644
--- a/jenkins/client/job/deploy/try_mcp.yml
+++ b/jenkins/client/job/deploy/try_mcp.yml
@@ -1,6 +1,4 @@
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/cloud_update.yml b/jenkins/client/job/deploy/update/cloud_update.yml
index aef20ce..f3fe8ef 100644
--- a/jenkins/client/job/deploy/update/cloud_update.yml
+++ b/jenkins/client/job/deploy/update/cloud_update.yml
@@ -2,8 +2,6 @@
 # Jobs to update cloud packages on given Salt master environment
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/config.yml b/jenkins/client/job/deploy/update/config.yml
index 47ec321..5eafd70 100644
--- a/jenkins/client/job/deploy/update/config.yml
+++ b/jenkins/client/job/deploy/update/config.yml
@@ -2,8 +2,6 @@
 # Jobs to run given states on given Salt master environment's
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/kubernetes_update.yml b/jenkins/client/job/deploy/update/kubernetes_update.yml
index 454d92b..ee77583 100644
--- a/jenkins/client/job/deploy/update/kubernetes_update.yml
+++ b/jenkins/client/job/deploy/update/kubernetes_update.yml
@@ -2,8 +2,6 @@
 # Jobs to update cloud packages on given Salt master environment
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/package.yml b/jenkins/client/job/deploy/update/package.yml
index a485c3e..cb25892 100644
--- a/jenkins/client/job/deploy/update/package.yml
+++ b/jenkins/client/job/deploy/update/package.yml
@@ -2,8 +2,6 @@
 # Jobs to update packages on given Salt master environment
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/reclass_update_check.yml b/jenkins/client/job/deploy/update/reclass_update_check.yml
index cec8d79..dd279b3 100644
--- a/jenkins/client/job/deploy/update/reclass_update_check.yml
+++ b/jenkins/client/job/deploy/update/reclass_update_check.yml
@@ -2,8 +2,6 @@
 # Jobs to to check new Reclass package version compatibility with model
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/restore_cassandra.yml b/jenkins/client/job/deploy/update/restore_cassandra.yml
index 34179af..8b18eb1 100644
--- a/jenkins/client/job/deploy/update/restore_cassandra.yml
+++ b/jenkins/client/job/deploy/update/restore_cassandra.yml
@@ -2,8 +2,6 @@
 # Jobs to update packages on given Salt master environment
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/restore_zookeeper.yml b/jenkins/client/job/deploy/update/restore_zookeeper.yml
index ebb57f7..3d0dc05 100644
--- a/jenkins/client/job/deploy/update/restore_zookeeper.yml
+++ b/jenkins/client/job/deploy/update/restore_zookeeper.yml
@@ -2,8 +2,6 @@
 # Jobs to update packages on given Salt master environment
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/saltenv.yml b/jenkins/client/job/deploy/update/saltenv.yml
index 734a4e5..f2b38d2 100644
--- a/jenkins/client/job/deploy/update/saltenv.yml
+++ b/jenkins/client/job/deploy/update/saltenv.yml
@@ -3,7 +3,6 @@
 #
 parameters:
   _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
     jenkins_salt_model_name: "salt"
     jenkins_salt_model_branch: "master"
   jenkins:
diff --git a/jenkins/client/job/deploy/update/update_ceph.yml b/jenkins/client/job/deploy/update/update_ceph.yml
index dd8bf58..4b7603b 100644
--- a/jenkins/client/job/deploy/update/update_ceph.yml
+++ b/jenkins/client/job/deploy/update/update_ceph.yml
@@ -2,8 +2,6 @@
 # Jobs to run given states on given Salt master environment's
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/update_mirror_image.yml b/jenkins/client/job/deploy/update/update_mirror_image.yml
index 73fd434..96e905c 100644
--- a/jenkins/client/job/deploy/update/update_mirror_image.yml
+++ b/jenkins/client/job/deploy/update/update_mirror_image.yml
@@ -2,8 +2,6 @@
 # Jobs to update Salt master environment (formulas and models)
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
@@ -67,4 +65,4 @@
               default: 'true'
             UPDATE_FILES:
               type: boolean
-              default: 'true'
\ No newline at end of file
+              default: 'true'
diff --git a/jenkins/client/job/deploy/update/update_opencontrail4.yml b/jenkins/client/job/deploy/update/update_opencontrail4.yml
index 72ea870..e89d622 100644
--- a/jenkins/client/job/deploy/update/update_opencontrail4.yml
+++ b/jenkins/client/job/deploy/update/update_opencontrail4.yml
@@ -2,8 +2,6 @@
 # Jobs to update packages on given Salt master environment
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/upgrade.yml b/jenkins/client/job/deploy/update/upgrade.yml
index f4f5630..e3b60e1 100644
--- a/jenkins/client/job/deploy/update/upgrade.yml
+++ b/jenkins/client/job/deploy/update/upgrade.yml
@@ -2,8 +2,6 @@
 # Jobs to update packages on given Salt master environment
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/upgrade_compute.yml b/jenkins/client/job/deploy/update/upgrade_compute.yml
index b4628fa..ed5a222 100644
--- a/jenkins/client/job/deploy/update/upgrade_compute.yml
+++ b/jenkins/client/job/deploy/update/upgrade_compute.yml
@@ -2,8 +2,6 @@
 # Jobs to update packages on given Salt master environment
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/upgrade_mcp_release.yml b/jenkins/client/job/deploy/update/upgrade_mcp_release.yml
index 577e6ac..3fbd6c0 100644
--- a/jenkins/client/job/deploy/update/upgrade_mcp_release.yml
+++ b/jenkins/client/job/deploy/update/upgrade_mcp_release.yml
@@ -2,8 +2,6 @@
 # Jobs to upgrade MCP release
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/upgrade_opencontrail.yml b/jenkins/client/job/deploy/update/upgrade_opencontrail.yml
index 0b0d945..64c3aff 100644
--- a/jenkins/client/job/deploy/update/upgrade_opencontrail.yml
+++ b/jenkins/client/job/deploy/update/upgrade_opencontrail.yml
@@ -2,8 +2,6 @@
 # Jobs to update packages on given Salt master environment
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/upgrade_opencontrail4_0.yml b/jenkins/client/job/deploy/update/upgrade_opencontrail4_0.yml
index c1f448c..2d7ed69 100644
--- a/jenkins/client/job/deploy/update/upgrade_opencontrail4_0.yml
+++ b/jenkins/client/job/deploy/update/upgrade_opencontrail4_0.yml
@@ -2,8 +2,6 @@
 # Jobs to update packages on given Salt master environment
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml b/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml
index 76bf436..9d31352 100644
--- a/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml
+++ b/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml
@@ -2,8 +2,6 @@
 # Jobs to update packages on given Salt master environment
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/upgrade_stacklight.yml b/jenkins/client/job/deploy/update/upgrade_stacklight.yml
index d7279a6..578fd28 100644
--- a/jenkins/client/job/deploy/update/upgrade_stacklight.yml
+++ b/jenkins/client/job/deploy/update/upgrade_stacklight.yml
@@ -2,8 +2,6 @@
 # Jobs to process Stacklight update
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/virt_snapshot.yml b/jenkins/client/job/deploy/update/virt_snapshot.yml
index be92c8d..22c8880 100644
--- a/jenkins/client/job/deploy/update/virt_snapshot.yml
+++ b/jenkins/client/job/deploy/update/virt_snapshot.yml
@@ -2,8 +2,6 @@
 # Job to manage libvirt live snapshots
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/validate.yml b/jenkins/client/job/validate.yml
index 9f20fc9..ad3ab9e 100644
--- a/jenkins/client/job/validate.yml
+++ b/jenkins/client/job/validate.yml
@@ -1,6 +1,4 @@
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       view:
@@ -408,8 +406,12 @@
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
             credentials: "gerrit"
-            script: cvp-stacklight.groovy
+            script: cvp-runner.groovy
           param:
+            IMAGE:
+              type: string
+              default: ${_param:docker_image_cvp_sanity_checks}
+              description: Docker image with tests and all pip dependecies to use for testing
             SALT_MASTER_URL:
               type: string
               default: "${_param:jenkins_salt_api_url}"
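Review bot: `IMAGE` defaults to `${_param:docker_image_cvp_sanity_checks}`, which no hunk in the visible part of this commit defines (defaults/docker_images.yml only gains `docker_image_prometheus_es_exporter`); if it is not already defined elsewhere, the reference will not resolve for nodes that include this class. The value is also unquoted while the `SALT_MASTER_URL` default just below is quoted; `default: "${_param:docker_image_cvp_sanity_checks}"` would match. `dependecies` in the description should be `dependencies`. The job definition starts above this hunk, so the job name is not visible here.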
@@ -417,22 +419,12 @@
             SALT_MASTER_CREDENTIALS:
               type: string
               default: "salt"
-            TESTS_REPO:
-              type: string
-              default: "https://github.com/Mirantis/stacklight-pytest -b cvp_stacklight"
-              description: Url for cvp-stacklight-tests
-            TESTS_SETTINGS:
-              type: string
-              default: "SL_AUTOCONF=True"
-              description: "Additional environment variables to export"
-            TESTS_SET:
-              type: string
-              default: "stacklight-pytest/stacklight_tests/tests/prometheus/"
-              description: "Leave as is for full run or add a filename, e.g. _default_path_/test_dashboards.py"
-            PROXY:
-              type: string
-              default: ""
-              description: "Proxy address to use to access the Internet."
+            EXTRA_PARAMS:
+              type: text
+              default: |
+                envs:
+                  - SL_AUTOCONF=True
+              description: YAML context with additional parameters
         cvp-spt:
           type: workflow-scm
           name: cvp-spt
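Review bot: `EXTRA_PARAMS` replaces four typed parameters with one free-form YAML text field, and its description does not say which keys are accepted. Only `envs` appears in the default, so there is no documented way to pass what `TESTS_REPO`, `TESTS_SET` and `PROXY` used to carry. I would extend the description, for example `description: "YAML context with additional parameters; supported keys: envs (list of NAME=value)"`, listing whatever the runner actually reads. Whatever parses this text (cvp-runner.groovy, not shown here) should reject unknown keys rather than export arbitrary content into the test environment.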
diff --git a/keepalived/cluster/instance/kdt_kube_api_server_vip.yml b/keepalived/cluster/instance/kdt_kube_api_server_vip.yml
new file mode 100644
index 0000000..a26748a
--- /dev/null
+++ b/keepalived/cluster/instance/kdt_kube_api_server_vip.yml
@@ -0,0 +1,28 @@
+applications:
+- keepalived
+classes:
+- service.keepalived.support
+parameters:
+  _param:
+    keepalived_vip_priority: 101
+    keepalived_kdt_kube_apiserver_vrrp_script_content: "pidof haproxy && systemctl status kube-apiserver.service --quiet --no-pager"
+    keepalived_kdt_k8s_apiserver_vip_interface: ens3
+    keepalived_kdt_k8s_apiserver_vip_address: ${_param:kdt_control_address}
+    keepalived_kdt_k8s_apiserver_vip_password: password
+  keepalived:
+    cluster:
+      vrrp_scripts:
+        kdt_vip:
+          content: ${_param:keepalived_kdt_kube_apiserver_vrrp_script_content}
+          interval: 10
+          rise: 1
+          fall: 1
+      enabled: true
+      instance:
+        kdt_kube_apiserver_vip:
+          address: ${_param:keepalived_kdt_k8s_apiserver_vip_address}
+          password: ${_param:keepalived_kdt_k8s_apiserver_vip_password}
+          interface: ${_param:keepalived_kdt_k8s_apiserver_vip_interface}
+          virtual_router_id: 70
+          priority: ${_param:keepalived_vip_priority}
+          track_script: kdt_vip
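Review bot: `keepalived_kdt_k8s_apiserver_vip_password: password` in the `_param` block gives every model that includes this class a well-known VRRP authentication secret unless it is overridden. Dropping the default should make reclass fail on the unresolved `${_param:keepalived_kdt_k8s_apiserver_vip_password}` reference instead of deploying the placeholder. If the default has to stay, a comment such as `# placeholder, must be overridden in the cluster model` should sit above it. `virtual_router_id: 70` is also fixed in the class rather than taken from a parameter like the other instance fields, so it cannot be changed if another VRRP instance on the same segment already uses that id.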
diff --git a/keystone/server/cluster.yml b/keystone/server/cluster.yml
index d64a6cb..7e9ea1b 100644
--- a/keystone/server/cluster.yml
+++ b/keystone/server/cluster.yml
@@ -11,7 +11,6 @@
 - system.keystone.client.os_client_config.admin_identity
 parameters:
   _param:
-    keystone_tokens_expiration: 3600
     openstack_node_role: primary
     keystone_service_protocol: ${_param:cluster_internal_protocol}
   linux:
@@ -58,7 +57,8 @@
       tokens:
         engine: fernet
         expiration: ${_param:keystone_tokens_expiration}
-        max_active_keys: 3
+        max_active_keys: ${_param:keystone_tokens_max_active_keys}
+        allow_expired_window: ${_param:keystone_tokens_allow_expired_window}
         location: /var/lib/keystone/fernet-keys
       credential:
         location: /var/lib/keystone/credential-keys
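Review bot: `max_active_keys` and `allow_expired_window` under `tokens` now come from parameters whose defaults are not in this hunk, and nothing records how they relate to `expiration` and the rotation schedule. The fernet_rotation hunks in this commit make that schedule configurable as well. Keystone's guidance is that the key count must cover the token lifetime divided by the rotation interval, plus two, otherwise still-valid tokens stop validating after a rotation; the expired-token window presumably extends that lifetime. A comment above the two lines, e.g. `# keep max_active_keys >= (expiration + allow_expired_window) / rotation interval + 2`, would keep the four settings from drifting apart. The same applies to the matching hunk in keystone/server/single.yml.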
diff --git a/keystone/server/fernet_rotation/cluster.yml b/keystone/server/fernet_rotation/cluster.yml
index c34c4f8..cf7b328 100644
--- a/keystone/server/fernet_rotation/cluster.yml
+++ b/keystone/server/fernet_rotation/cluster.yml
@@ -36,7 +36,8 @@
           command: '/var/lib/keystone/keystone_keys_rotate.sh -r -s -t fernet >> /var/log/keystone/keystone-rotate.log 2>> /var/log/keystone/keystone-rotate.log'
           enabled: true
           user: keystone
-          minute: 0
+          minute: ${_param:keystone_fernet_rotate_rsync_minute}
+          hour: ${_param:keystone_fernet_rotate_rsync_hour}
         keystone_credential_rotate_rsync:
           command: '/var/lib/keystone/keystone_keys_rotate.sh -r -s -t credential >> /var/log/keystone/keystone-rotate.log 2>> /var/log/keystone/keystone-rotate.log'
           enabled: true
diff --git a/keystone/server/fernet_rotation/single.yml b/keystone/server/fernet_rotation/single.yml
index 8a3d6fb..7514086 100644
--- a/keystone/server/fernet_rotation/single.yml
+++ b/keystone/server/fernet_rotation/single.yml
@@ -22,7 +22,8 @@
           command: '/var/lib/keystone/keystone_keys_rotate.sh -r -t fernet >> /var/log/keystone/keystone-rotate.log 2>> /var/log/keystone/keystone-rotate.log'
           enabled: true
           user: keystone
-          minute: 0
+          minute: ${_param:keystone_fernet_rotate_rsync_minute}
+          hour: ${_param:keystone_fernet_rotate_rsync_hour}
         keystone_credential_rotate_rsync:
           command: '/var/lib/keystone/keystone_keys_rotate.sh -r -t credential >> /var/log/keystone/keystone-rotate.log 2>> /var/log/keystone/keystone-rotate.log'
           enabled: true
diff --git a/keystone/server/single.yml b/keystone/server/single.yml
index 6996968..9663488 100644
--- a/keystone/server/single.yml
+++ b/keystone/server/single.yml
@@ -13,7 +13,6 @@
     mysql_admin_user: root
     mysql_admin_password: password
     mysql_keystone_password: password
-    keystone_tokens_expiration: 3600
     openstack_node_role: primary
     keystone_service_protocol: ${_param:cluster_internal_protocol}
   linux:
@@ -57,7 +56,8 @@
       tokens:
         engine: fernet
         expiration: ${_param:keystone_tokens_expiration}
-        max_active_keys: 3
+        max_active_keys: ${_param:keystone_tokens_max_active_keys}
+        allow_expired_window: ${_param:keystone_tokens_allow_expired_window}
         location: /var/lib/keystone/fernet-keys
       credential:
         location: /var/lib/keystone/credential-keys
diff --git a/kubernetes/common/init.yml b/kubernetes/common/init.yml
index 0555271..952e5c8 100644
--- a/kubernetes/common/init.yml
+++ b/kubernetes/common/init.yml
@@ -41,7 +41,7 @@
     kubernetes_hyperkube_source: ${_param:kubernetes_hyperkube_repo}/hyperkube_v1.13.2-1_1549961718696
     kubernetes_hyperkube_source_hash: md5=802e0ee43fd2a41e9ed84b0f867e70a2
     kubernetes_pause_image: ${_param:mcp_docker_registry}/mirantis/kubernetes/pause-amd64:v1.13.2-1
-    kubernetes_virtlet_image: ${_param:kubernetes_virtlet_repo}/virtlet:v1.4.4
+    kubernetes_virtlet_image: ${_param:kubernetes_virtlet_repo}/virtlet:v1.5.0
     kubernetes_criproxy_version: v0.14.0
     kubernetes_criproxy_checksum: md5=f0fa669295a156a588f3480c9909e6fd
     kubernetes_netchecker_agent_image: ${_param:kubernetes_netchecker_agent_repo}/k8s-netchecker-agent:v1.2.2
diff --git a/kubernetes/master/kdt_cluster.yml b/kubernetes/master/kdt_cluster.yml
new file mode 100644
index 0000000..00b0cce
--- /dev/null
+++ b/kubernetes/master/kdt_cluster.yml
@@ -0,0 +1,15 @@
+classes:
+- service.kubernetes.master.cluster
+- service.haproxy.proxy.single
+- system.haproxy.proxy.listen.kubernetes.apiserver
+- system.keepalived.cluster.instance.kdt_kube_api_server_vip
+- system.kubernetes.master.common
+parameters:
+  kubernetes:
+    master:
+      network:
+        calico:
+          prometheus:
+            enabled: true
+          policy:
+            enabled: false
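Review bot: `policy: enabled: false` under `calico` is set without any comment, and this class is what the KDT masters include. If the formula maps this key to the Calico policy controller (the formula is not part of the diff), NetworkPolicy objects created in such a cluster would not be enforced, and nothing here tells the operator. A one-line comment above it, e.g. `# network policy enforcement is off for KDT clusters: <reason>`, would record that this is deliberate. Taking the value from an `_param` reference would let a cluster model turn it on without overriding the nested key.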
diff --git a/nova/compute/cluster.yml b/nova/compute/cluster.yml
index 7896a97..6df13f5 100644
--- a/nova/compute/cluster.yml
+++ b/nova/compute/cluster.yml
@@ -72,6 +72,8 @@
         password: ${_param:keystone_nova_password}
         tenant: service
         protocol: ${_param:cluster_internal_protocol}
+      service_user:
+        enabled: ${_param:nova_service_user_enabled}
       barbican:
         enabled: ${_param:barbican_integration_enabled}
       message_queue:
diff --git a/nova/compute/single.yml b/nova/compute/single.yml
index 836886e..16a3d06 100644
--- a/nova/compute/single.yml
+++ b/nova/compute/single.yml
@@ -73,6 +73,8 @@
         region: ${_param:openstack_region}
       barbican:
         enabled: ${_param:barbican_integration_enabled}
+      service_user:
+        enabled: ${_param:nova_service_user_enabled}
       message_queue:
         engine: rabbitmq
         host: ${_param:control_address}
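Review bot: In this hunk `service_user` is inserted after `barbican`, while the other nova hunks in this commit (compute/cluster, compute_ironic, control) place it directly after the `identity` block. Keeping the same key order in every class makes the cluster and single variants easier to diff against each other. The default for `nova_service_user_enabled` is not visible in this part of the commit. It needs one at the system level, since a model that includes these classes without it would presumably fail on the unresolved reference.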
diff --git a/nova/compute_ironic/cluster.yml b/nova/compute_ironic/cluster.yml
index 4d49198..6d827b6 100644
--- a/nova/compute_ironic/cluster.yml
+++ b/nova/compute_ironic/cluster.yml
@@ -26,6 +26,8 @@
         password: ${_param:keystone_nova_password}
         tenant: service
         protocol: ${_param:cluster_internal_protocol}
+      service_user:
+        enabled: ${_param:nova_service_user_enabled}
       message_queue:
         engine: rabbitmq
         port: 5672
diff --git a/nova/compute_ironic/single.yml b/nova/compute_ironic/single.yml
index befc742..3ddcc18 100644
--- a/nova/compute_ironic/single.yml
+++ b/nova/compute_ironic/single.yml
@@ -26,6 +26,8 @@
         password: ${_param:keystone_nova_password}
         tenant: service
         protocol: ${_param:cluster_internal_protocol}
+      service_user:
+        enabled: ${_param:nova_service_user_enabled}
       message_queue:
         engine: rabbitmq
         port: 5672
diff --git a/nova/control/cluster.yml b/nova/control/cluster.yml
index 72bb558..779acae 100644
--- a/nova/control/cluster.yml
+++ b/nova/control/cluster.yml
@@ -63,6 +63,8 @@
         password: ${_param:keystone_nova_password}
         tenant: service
         protocol: ${_param:cluster_internal_protocol}
+      service_user:
+        enabled: ${_param:nova_service_user_enabled}
       barbican:
         enabled: ${_param:barbican_integration_enabled}
       message_queue:
diff --git a/nova/control/single.yml b/nova/control/single.yml
index d2cb013..0108af6 100644
--- a/nova/control/single.yml
+++ b/nova/control/single.yml
@@ -26,6 +26,8 @@
       identity:
         protocol: ${_param:cluster_internal_protocol}
         region: ${_param:openstack_region}
+      service_user:
+        enabled: ${_param:nova_service_user_enabled}
       network:
         protocol: ${_param:cluster_internal_protocol}
         region: ${_param:openstack_region}
diff --git a/openssh/server/team/mcp_qa.yml b/openssh/server/team/mcp_qa.yml
index f06e0ba..6ecefa5 100644
--- a/openssh/server/team/mcp_qa.yml
+++ b/openssh/server/team/mcp_qa.yml
@@ -17,6 +17,7 @@
 - system.openssh.server.team.members.vryzhenkin
 - system.openssh.server.team.members.sturivnyi
 - system.openssh.server.team.members.ylobankov
+- system.openssh.server.team.members.ozhurba
 # Deprecated users
 - system.openssh.server.team.members.deprecated.ababich
 - system.openssh.server.team.members.deprecated.akalach
diff --git a/openssh/server/team/members/avolkov.yml b/openssh/server/team/members/avolkov.yml
new file mode 100644
index 0000000..f435ca9
--- /dev/null
+++ b/openssh/server/team/members/avolkov.yml
@@ -0,0 +1,19 @@
+parameters:
+  linux:
+    system:
+      user:
+        avolkov:
+          email: avolkov@mirantis.com
+          enabled: true
+          full_name: Andrey Volkov
+          home: /home/avolkov
+          name: avolkov
+          sudo: ${_param:linux_system_user_sudo}
+  openssh:
+    server:
+      user:
+        avolkov:
+          enabled: true
+          public_keys:
+          - key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCUd3Qs1HNKgLF1B6qFntcnv4YMvGH6l4kBRdxvUWbTBwMekSFbJ0pnILNVQ8bC7oxFyCUOY/d074BtYcGILjwAbGBNztfi+g97GJYMkwsmmKVPucOy1ojakMg0s6ketQr3AM8YA7z0sbYMP7nbioaJMPhGKai0HRM4vPMSyH/3n9vFzkH9amBZEnTB15ZiXnUzLliyBMgyDUKvEOX072soYXR9TDWvE/TwAHiZdPh6gCMl4+yCinwS7baf9JuaQXn2P9SgCyx6uigAwvfn/XEwDqKFsso+4U53vR4RyktqzdSdFcf2UBUQlRMwvISwJTnLPfBsspQTRNlGqfAP+fd amadev@quasimodo
+          user: ${linux:system:user:avolkov}
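Review bot: The key comment on the `public_keys` entry (`amadev@quasimodo`) does not name the account it is installed for, and the key added in cdodda.yml further down has no comment at all. Both accounts take `sudo` from `linux_system_user_sudo`, which the team classes in this commit set to `true`. Someone auditing `authorized_keys` on a node therefore cannot map these entries back to a person. I would confirm key ownership out of band and use a comment that matches the account, e.g. `avolkov@mirantis.com`.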
diff --git a/openssh/server/team/members/brucemathews.yml b/openssh/server/team/members/brucemathews.yml
index 0fc9b63..466ca1a 100644
--- a/openssh/server/team/members/brucemathews.yml
+++ b/openssh/server/team/members/brucemathews.yml
@@ -15,6 +15,6 @@
         bmathews:
           enabled: true
           public_keys:
-          - key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1tsh+T2JRsyblZBrF17b/Q2AelpY+gTc9BaMQMj1J/Y/aJZUjD22knG8away01DQ+Qew5/Kcx5k4AvmxWkncRX+7ye9sVJA6BQhwewkN/MiiDJ3hC8hNFfk8ki8arqPxasXZOWacT2DDXw7/gc+/DA4F35UvsMmD+JLVr4fkdzQuHre2QPbqs+6+KdHIl0nI+d3hCCd9Zsd1mYlJkDU7oLC085oIsIqToWTYKw6HFKMqocYzuN4TQKI3dySFpkjMXLz8SK8UVjXA+Lyu0ymIVmvGnVDNAImc9ZMeU+l6W4gpuLY30Zw5/8q8FkKBw5FYWgllmoixlwhNRJJ1Hf7tJ
+          - key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDdAYo193PNG03Da0EuqfKu+cFM8SqPCYs8rniu+RIhJtlEiezfdYX95zO8omR675pjmw0CgZQB6Bsv9G4eMLS+qpmL0gFWI3/qwDacZGgsLr5iCo6bnIgWx92Ze56O7T4drho8ZK2cnmlUtVK5fhAgKHv/fzssmumzUkyD0+n0qJZIvA9eUm4T55X3IRFqxe321wLQDmQOxUkSv+zAClIEbsR8IUkRiTT6y0IbozrTXJaUUwrBhd+qr68NQXnAiMIP7v9S2TYcL1Ufl2M2W7RB18sGeLmz9cEXNQ+2SZv4ZVeK2O6VnLnQoJjCwkyVBJ2nIuTqZNy51Std3xpkh0ah bmathews@1205-W541
           user: ${linux:system:user:bmathews}
 
diff --git a/openssh/server/team/members/cdodda.yml b/openssh/server/team/members/cdodda.yml
new file mode 100644
index 0000000..d4228b2
--- /dev/null
+++ b/openssh/server/team/members/cdodda.yml
@@ -0,0 +1,19 @@
+parameters:
+  linux:
+    system:
+      user:
+        cdodda:
+          enabled: true
+          name: cdodda
+          sudo: ${_param:linux_system_user_sudo}
+          full_name: Chandra Dodda
+          home: /home/cdodda
+          email: cdodda@mirantis.com
+  openssh:
+    server:
+      user:
+        cdodda:
+          enabled: true
+          public_keys:
+          - key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbU3LETmZst5dcLl7iPdAeVTtSQoJZoQ3Nza6DHlpv3wtHHvoh8Fd0QFhIkR81a+5563qBcUiFfI9n3vufyJWzc9x+8G2/WJXkKg6D3tnvPqmlT+3Cqj1vNZbjVvXFdVb24pR9jdAa8CEHInWLVNCdL/WShKDSHBQ/cloymzzGhpJOYMXjPzEBxDbiodKMD0TAvw7IKQSY9trlxOXBtQLcHWYxrdxG1ir7TjD6PXdXae8PRxOwh35leot9kWo27icxGIKdJunrvQZI3VB7FSf6hhWajgnmD4yREF9sCLaknl5Xx1J3c/6P0JDeX3DDT4Nv3Bl1cLIdMa0+iDeCPvGz
+          user: ${linux:system:user:cdodda}
diff --git a/openssh/server/team/members/deprecated/ryanday.yml b/openssh/server/team/members/deprecated/ryanday.yml
new file mode 100644
index 0000000..2034598
--- /dev/null
+++ b/openssh/server/team/members/deprecated/ryanday.yml
@@ -0,0 +1,16 @@
+parameters:
+  linux:
+    system:
+      user:
+        rday:
+          email: disabled
+          enabled: false
+          full_name: disabled
+          home: /home/rday
+          name: rday
+  openssh:
+    server:
+      user:
+        rday:
+          enabled: false
+          user: ${linux:system:user:rday}
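Review bot: This deprecated entry sets `enabled: false` for both the system user and the openssh user and drops `public_keys` and `sudo`, but `home: /home/rday` stays. Whether the formulas remove the existing `authorized_keys` file and the sudoers entry for a disabled user, or merely stop managing them, is not visible in this diff. That should be confirmed on a node that already had the account, since removing the key from the pillar alone does not revoke it if the file is left in place. A short comment at the top of the file stating what `enabled: false` is expected to remove would help the next offboarding.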
diff --git a/openssh/server/team/members/npliashechnikov.yml b/openssh/server/team/members/npliashechnikov.yml
new file mode 100644
index 0000000..a5c8504
--- /dev/null
+++ b/openssh/server/team/members/npliashechnikov.yml
@@ -0,0 +1,19 @@
+parameters:
+  linux:
+    system:
+      user:
+        npliashechnikov:
+          email: npliashechnikov@mirantis.com
+          enabled: true
+          full_name: Nikolay Pliashechnykov
+          home: /home/npliashechnikov
+          name: npliashechnikov
+          sudo: ${_param:linux_system_user_sudo}
+  openssh:
+    server:
+      user:
+        npliashechnikov:
+          enabled: true
+          public_keys:
+          - key: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxy9ZNE+36U1W3vPxzMx++AujS8Ay9ZgJrfaa6YsWl1FeN87VuGucslHjLqFfiIYJLQl3m7tSLiAujQ/izBKDbfA5hd5z7JaCRB1LE+CehmCL0UVwsHflAi0tPn1tDrTcVGf/BRH0FsoZJo+KpOwohYGN8BMOpUIAP2SkGrE7cGbPrd9NbRqPW80iyIzsNIqzVKTcsh0CcJcr05V5n3or0GvteDMxl+mjAi6hpfx06a/bEfPLV10Ftl4+nIkbXr0KWA68uy7XmTlH+qgVUCMGwRP4mFaU63+uX45WboLKQ0aacPX833qvZJTIPe2FhAygoVoBwgOKBzrbnicBa9U+AQ== dkth1p3@lxf01p581
+          user: ${linux:system:user:npliashechnikov}
diff --git a/openssh/server/team/members/ozhurba.yml b/openssh/server/team/members/ozhurba.yml
new file mode 100644
index 0000000..3e9d779
--- /dev/null
+++ b/openssh/server/team/members/ozhurba.yml
@@ -0,0 +1,19 @@
+parameters:
+  linux:
+    system:
+      user:
+        ozhurba:
+          email: ozhurba@mirantis.com
+          enabled: true
+          full_name: Oleksii Zhurba
+          home: /home/ozhurba
+          name: ozhurba
+          sudo: ${_param:linux_system_user_sudo}
+  openssh:
+    server:
+      user:
+        ozhurba:
+          enabled: true
+          public_keys:
+          - key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUwubPT8GWUeuPCdPeYlIuN8OaD0umc0JuyKWf5ViVhX3VqB6CwS6/ddm9fpbAedV/8J5l/Sl/usK/WuCPVBgKEuGtidRcrABxRt49q+aum5WRd6bsYv4UxFZmaDHKgg6g8LR7Ii26GPM/HdM1CdqnxpVicz7QRj3pgLDYLippg7RAktKkp4Jw7gkBFNR7UXGHr/5qX08VoUadbgWQP7OdHdgSxysqkSiN1Rr9URWEpwZ5wfblkbEzR1JBg6kYJAP3sTJvOQguFvFCVu6++/UX2wbrrc0+0eAO31lFUAIjboYLpWDj5Sj/ER3uwTX0dJw0wpSsa9lHn/LSZrJhrA5v ozhurba@zhurba-mac
+          user: ${linux:system:user:ozhurba}
diff --git a/openssh/server/team/members/ryanday.yml b/openssh/server/team/members/ryanday.yml
deleted file mode 100644
index 455e4aa..0000000
--- a/openssh/server/team/members/ryanday.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-parameters:
-  linux:
-    system:
-      user:
-        rday:
-          enabled: true
-          name: rday
-          sudo: ${_param:linux_system_user_sudo}
-          full_name: Ryan Day
-          home: /home/rday
-          email: rday@mirantis.com
-  openssh:
-    server:
-      user:
-        rday:
-          enabled: true
-          public_keys:
-          - key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5WnQjTI+Elg3I3MeuP1T9Y8FKjuLZSj9qiMbetVb9+AbvjbYqjtam7xWzLxsqeH15d/ZSRHnU4E8f0/Wvk1z9Bl+GKl9+IpLvurewl3WXe2yaeZl4Ey3G9goTLfhluB2BbLqf7gu7t02aei68NhYNkp0Ry1FDBQ75frN1EcUoDubHl4HWJWkTsGJFoiaBTmlNRIkbQBYSEGoY331c4e++W0ZLV+q1rjbXVWcWjzuK+i3wCBrDdAjm4LyPjD60yJ/0n8FO4ChlhnGowhkHxQf7Bt80/QhM8VZuWPG4sQReJ2uMBvkFWRYKf8p2h7MaouFLmUOzW0k/EcILBBZgssekaUhDDyXe3c0Qd6yC2Eb8CCRKgIuhTW9+xTfJhZAFLCPDYN/CDybzvgJSgRCa6esxfCQB+i4aRJOeL5IePXdkO+LY1GMbDzVhIxfPviN4/7NRidvtPHEYwLGvaIQUb/XWX4ILXAhdw/ilfOOu9DQkPzpBTQaAGl9+e2edRP3WAe4fjgCPmeTIruwSRqxJFLdLG19m1JaoRwc7H1cIiUQ1i/lMYq2ntA/60FZRQ/xsLdX5LT+wo896bc3pRxore+zs2o2sATEc84u5eCEFk3wMZvfeJdDz/l489G/1kp1SUKMI1ouyBWoP7qO/fI9m+TXg3jYJ3JOd3pYO7jd3kDBuZQ==
-          user: ${linux:system:user:rday}
-
diff --git a/openssh/server/team/members/ryanday.yml b/openssh/server/team/members/ryanday.yml
new file mode 120000
index 0000000..3f04d20
--- /dev/null
+++ b/openssh/server/team/members/ryanday.yml
@@ -0,0 +1 @@
+deprecated/ryanday.yml
\ No newline at end of file
diff --git a/openssh/server/team/oscore_devops.yml b/openssh/server/team/oscore_devops.yml
index ad35e7d..8a0f8cb 100644
--- a/openssh/server/team/oscore_devops.yml
+++ b/openssh/server/team/oscore_devops.yml
@@ -17,6 +17,7 @@
 - system.openssh.server.team.members.vmarkov
 - system.openssh.server.team.members.opetrenko
 - system.openssh.server.team.members.apodrepnyi
+- system.openssh.server.team.members.avolkov
 parameters:
   _param:
     linux_system_user_sudo: true
diff --git a/openssh/server/team/services.yml b/openssh/server/team/services.yml
index b735090..371c254 100644
--- a/openssh/server/team/services.yml
+++ b/openssh/server/team/services.yml
@@ -23,6 +23,7 @@
 - system.openssh.server.team.members.pbasov
 - system.openssh.server.team.members.alis
 - system.openssh.server.team.members.isviridov
+- system.openssh.server.team.members.cdodda
 parameters:
   _param:
     linux_system_user_sudo: true
diff --git a/openssh/server/team/services_qa.yml b/openssh/server/team/services_qa.yml
index 682dd8a..553e6a7 100644
--- a/openssh/server/team/services_qa.yml
+++ b/openssh/server/team/services_qa.yml
@@ -1,50 +1,9 @@
+classes:
+- system.openssh.server.team.members.npliashechnikov
+- system.openssh.server.team.members.mchernik
+- system.openssh.server.team.members.osavatieiev
+- system.openssh.server.team.members.dkruglov
+
 parameters:
   _param:
     linux_system_user_sudo: true
-  linux:
-    system:
-      user:
-        npliashechnikov:
-          enabled: true
-          name: npliashechnikov
-          sudo: true
-          full_name: Nikolay Pliashechnykov
-          home: /home/npliashechnikov
-        mchernik:
-          enabled: true
-          name: mchernik
-          sudo: true
-          full_name: Mikhail Chernik
-          home: /home/mchernik
-        ozhurba:
-          enabled: true
-          name: ozhurba
-          sudo: true
-          full_name: Oleksii Zhurba
-          home: /home/ozhurba
-  openssh:
-    server:
-      enabled: true
-      user:
-        npliashechnikov:
-          enabled: true
-          public_keys:
-          - ${public_keys:npliashechnikov}
-          user: ${linux:system:user:npliashechnikov}
-        mchernik:
-          enabled: true
-          public_keys:
-          - ${public_keys:mchernik}
-          user: ${linux:system:user:mchernik}
-        ozhurba:
-          enabled: true
-          public_keys:
-          - ${public_keys:ozhurba}
-          user: ${linux:system:user:ozhurba}
-  public_keys:
-    npliashechnikov:
-      key: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxy9ZNE+36U1W3vPxzMx++AujS8Ay9ZgJrfaa6YsWl1FeN87VuGucslHjLqFfiIYJLQl3m7tSLiAujQ/izBKDbfA5hd5z7JaCRB1LE+CehmCL0UVwsHflAi0tPn1tDrTcVGf/BRH0FsoZJo+KpOwohYGN8BMOpUIAP2SkGrE7cGbPrd9NbRqPW80iyIzsNIqzVKTcsh0CcJcr05V5n3or0GvteDMxl+mjAi6hpfx06a/bEfPLV10Ftl4+nIkbXr0KWA68uy7XmTlH+qgVUCMGwRP4mFaU63+uX45WboLKQ0aacPX833qvZJTIPe2FhAygoVoBwgOKBzrbnicBa9U+AQ== dkth1p3@lxf01p581
-    mchernik:
-      key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCiYzcWNIP1K3DnSfztIZdMTl6zSr133eixsHDWWqI71Fj5UOny4kMH2P/qYk0WHhm7P9kwBNDgmJBY/eO5jb00D2w9BGHyvsOnkpAgzw5neL4ivRT7qLWkRdbcLo8AAFQN7VW+bgMb8gFfYWfttHyfkbJOQlU2xmi8fvhQ+2IM/12S0f0lP2uIYgVn8g9f+1OmtXKOWi/cKx0+6NYsuFjM2oVRlBhwlhPD2mI00rSL6zYjz/8GapPPkylQnds09NueNmrScjsPmJl6lPzU8maxHABZ/KctIZW/0ucMolv/3Ybm5FJIsj6YGUdz7AWzdE9o4tSfugFR3P7Ng/scxXpZ migel@mungo
-    ozhurba:
-      key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUwubPT8GWUeuPCdPeYlIuN8OaD0umc0JuyKWf5ViVhX3VqB6CwS6/ddm9fpbAedV/8J5l/Sl/usK/WuCPVBgKEuGtidRcrABxRt49q+aum5WRd6bsYv4UxFZmaDHKgg6g8LR7Ii26GPM/HdM1CdqnxpVicz7QRj3pgLDYLippg7RAktKkp4Jw7gkBFNR7UXGHr/5qX08VoUadbgWQP7OdHdgSxysqkSiN1Rr9URWEpwZ5wfblkbEzR1JBg6kYJAP3sTJvOQguFvFCVu6++/UX2wbrrc0+0eAO31lFUAIjboYLpWDj5Sj/ER3uwTX0dJw0wpSsa9lHn/LSZrJhrA5v ozhurba@zhurba-mac
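Review bot: The rewrite to class includes also removes `openssh: server: enabled: true`, which the old body set itself. Unless the member classes or another class in the model provide it, nodes that include only `services_qa` no longer enable the openssh server state. The member list changes as well: `ozhurba` is dropped, while `osavatieiev` and `dkruglov` are added with `linux_system_user_sudo: true`. Their member files are not in this part of the diff. The commit description should state that sudo access is being granted to two additional accounts, and `enabled: true` should be kept here if this class is meant to stand on its own.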
diff --git a/prometheus/gainsight/query/openstack.yml b/prometheus/gainsight/query/openstack.yml
index 877ad32..40a804b 100644
--- a/prometheus/gainsight/query/openstack.yml
+++ b/prometheus/gainsight/query/openstack.yml
@@ -8,7 +8,7 @@
         vstorage_free: "'vStorage Free','avg(sum(avg_over_time(openstack_nova_free_disk[24h])) by (instance))'"
         vram_used: "'vRAM Used','avg(sum(avg_over_time(openstack_nova_used_ram[24h])) by (instance))'"
         vram_free: "'vRAM Free','avg(sum(avg_over_time(openstack_nova_free_ram[24h])) by (instance))'"
-        instances: "'Active Instances','avg(sum(avg_over_time(openstack_nova_instances{state=\"active\"}[24h])) by (instance))'"
+        instances: "'Instances','avg(sum(avg_over_time(openstack_nova_instances{state=\"active\"}[24h])) by (instance))'"
         compute_nodes: "'Compute Nodes','avg(sum(openstack_nova_services{binary=~\"nova.compute\"}) by (instance))'"
         tenants: "'Tenants','avg(sum(avg_over_time(openstack_keystone_tenants_total[24h])) by (instance))'"
         cinder_api: "'Cinder API','avg(avg_over_time(openstack_api_check_status{name=\"cinderv2\"}[24h]))'"
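Review bot: The `instances` label changes from 'Active Instances' to 'Instances', but the query still filters on `state=\"active\"`, so the reported figure remains the active count under a broader name. If the rename only matches a field name on the receiving side, a comment above the line such as `# counts active instances only` would prevent misreading. If the intent is to report all instances, the `state` matcher needs to go as well.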
diff --git a/salt/master/api.yml b/salt/master/api.yml
index b5ede2f..f0fa081 100644
--- a/salt/master/api.yml
+++ b/salt/master/api.yml
@@ -1,12 +1,4 @@
 parameters:
-  _param:
-    salt_master_api_port: 6969
-    salt_master_api_permissions:
-    - '.*'
-    - '@local'
-    - '@wheel'   # to allow access to all wheel modules
-    - '@runner'  # to allow access to all runner modules
-    - '@jobs'    # to allow access to the jobs runner and/or wheel mo
   salt:
     api:
       enabled: true
diff --git a/xtrabackup/client/single.yml b/xtrabackup/client/single.yml
index 25fa6d2..cf88e28 100644
--- a/xtrabackup/client/single.yml
+++ b/xtrabackup/client/single.yml
@@ -6,4 +6,5 @@
     xtrabackup_client_throttle: 0 # disabled
   xtrabackup:
     client:
+      cron: false
       throttle: ${_param:xtrabackup_client_throttle}
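Review bot: `cron: false` is hard-coded under `client`, while `throttle` on the next line goes through `${_param:xtrabackup_client_throttle}`; the server hunk in xtrabackup/server/single.yml does the same. If the formula reads this key as the switch for the scheduled backup job (not visible here), every model that includes these classes stops scheduling backups until it overrides the nested key. Taking the value from an `_param` reference would make that explicit, together with a comment saying where scheduling is meant to be turned on.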
diff --git a/xtrabackup/server/single.yml b/xtrabackup/server/single.yml
index 92d9fc3..34ba45d 100644
--- a/xtrabackup/server/single.yml
+++ b/xtrabackup/server/single.yml
@@ -3,6 +3,7 @@
 parameters:
   xtrabackup:
     server:
+      cron: false
       backup_dir: /srv/volumes/backup/xtrabackup
       key:
         xtrabackup_pub_key: