Merge "Implement X.509 auth for MySQL and Manila"
diff --git a/galera/server/database/ssl/panko.yml b/galera/server/database/ssl/panko.yml
new file mode 100644
index 0000000..ce1c504
--- /dev/null
+++ b/galera/server/database/ssl/panko.yml
@@ -0,0 +1,4 @@
+parameters:
+  _param:
+    mysql_panko_ssl_option:
+      - SSL: True
\ No newline at end of file
diff --git a/galera/server/database/x509/panko.yml b/galera/server/database/x509/panko.yml
new file mode 100644
index 0000000..15c37bf
--- /dev/null
+++ b/galera/server/database/x509/panko.yml
@@ -0,0 +1,7 @@
+parameters:
+  _param:
+    mysql_panko_client_ssl_x509_subject: '/C=cz/CN=mysql-panko-client/L=Prague/O=Mirantis'
+    mysql_panko_client_ssl_x509_issuer: '/C=cz/CN=Salt Master CA/L=Prague/O=Mirantis'
+    mysql_panko_ssl_option:
+      - SUBJECT: ${_param:mysql_panko_client_ssl_x509_subject}
+      - ISSUER: ${_param:mysql_panko_client_ssl_x509_issuer}
\ No newline at end of file
diff --git a/gnocchi/common/storage/ceph.yml b/gnocchi/common/storage/ceph.yml
new file mode 100644
index 0000000..5af2456
--- /dev/null
+++ b/gnocchi/common/storage/ceph.yml
@@ -0,0 +1,11 @@
+parameters:
+  _param:
+    gnocchi_storage_ceph_pool: gnocchi
+    gnocchi_storage_ceph_user: gnocchi
+    gnocchi_storage_driver: ceph
+  gnocchi:
+    common:
+      storage:
+        driver: ${_param:gnocchi_storage_driver}
+        ceph_pool: ${_param:gnocchi_storage_ceph_pool}
+        ceph_username: ${_param:gnocchi_storage_ceph_user}
\ No newline at end of file
diff --git a/gnocchi/common/storage/incoming/ceph.yml b/gnocchi/common/storage/incoming/ceph.yml
new file mode 100644
index 0000000..9937d29
--- /dev/null
+++ b/gnocchi/common/storage/incoming/ceph.yml
@@ -0,0 +1,12 @@
+parameters:
+  _param:
+    gnocchi_storage_incoming_ceph_pool: gnocchi_incoming
+    gnocchi_storage_incoming_ceph_user: gnocchi
+    gnocchi_storage_incoming_driver: ceph
+  gnocchi:
+    common:
+      storage:
+        incoming:
+          driver: ${_param:gnocchi_storage_incoming_driver}
+          ceph_pool: ${_param:gnocchi_storage_incoming_ceph_pool}
+          ceph_username: ${_param:gnocchi_storage_incoming_ceph_user}
\ No newline at end of file
diff --git a/jenkins/client/job/deploy/update/upgrade.yml b/jenkins/client/job/deploy/update/upgrade.yml
index 01fdf2a..f4f5630 100644
--- a/jenkins/client/job/deploy/update/upgrade.yml
+++ b/jenkins/client/job/deploy/update/upgrade.yml
@@ -29,27 +29,19 @@
             SALT_MASTER_CREDENTIALS:
               type: string
               default: "salt"
-            STAGE_TEST_UPGRADE:
-              type: boolean
-              default: 'true'
-              description: "Test if syncdb and APIs succeed"
-            STAGE_REAL_UPGRADE:
-              type: boolean
-              default: 'true'
-              description: "Run real control upgrade"
-            STAGE_ROLLBACK_UPGRADE:
-              type: boolean
-              default: 'true'
-              description: "Rollback if control upgrade fails"
-            OPERATING_SYSTEM_RELEASE_UPGRADE:
+            OS_DIST_UPGRADE:
               type: boolean
               default: 'false'
-              description: "Set to true if operating system release upgrade is desired. For ex. from Ubuntu 14.04 currently running on ctl and prx nodes to Ubuntu 16.04"
-            SKIP_VM_RELAUNCH:
+              description: "Upgrade system packages including kernel (apt-get dist-upgrade)"
+            OS_UPGRADE:
               type: boolean
               default: 'false'
-              description: "Set to true if vms should not be recreated"
+              description: "Upgrade all installed applications (apt-get upgrade)"
             INTERACTIVE:
               type: boolean
               default: 'true'
               description: "Ask interactive questions during pipeline run (bool)"
+            TARGET_SERVERS:
+              type: string
+              default: 'ctl*'
+              description: "Salt compound expression to get control servers to upgrade."
diff --git a/jenkins/client/job/deploy/update/upgrade_compute.yml b/jenkins/client/job/deploy/update/upgrade_compute.yml
index 706863d..b4628fa 100644
--- a/jenkins/client/job/deploy/update/upgrade_compute.yml
+++ b/jenkins/client/job/deploy/update/upgrade_compute.yml
@@ -21,7 +21,7 @@
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
             credentials: "gerrit"
-            script: openstack-compute-upgrade.groovy
+            script: openstack-data-upgrade.groovy
           param:
             SALT_MASTER_URL:
               type: string
@@ -29,18 +29,19 @@
             SALT_MASTER_CREDENTIALS:
               type: string
               default: "salt"
-            TARGET_SERVERS:
-              type: string
-              default: "cmp*"
-              description: Salt compound target to match nodes to be updated [*, G@osfamily:debian].
-            TARGET_SUBSET_TEST:
-              type: string
-              description: Number of nodes to list package updates, empty string means all targetted nodes.
-            TARGET_SUBSET_LIVE:
-              type: string
-              default: '1'
-              description: Number of selected nodes to live apply upgrade.
+            OS_DIST_UPGRADE:
+              type: boolean
+              default: 'false'
+              description: "Upgrade system packages including kernel (apt-get dist-upgrade)"
+            OS_UPGRADE:
+              type: boolean
+              default: 'false'
+              description: "Upgrade all installed applications (apt-get upgrade)"
             INTERACTIVE:
               type: boolean
               default: 'true'
               description: "Ask interactive questions during pipeline run (bool)"
+            TARGET_SERVERS:
+              type: string
+              default: 'cmp*'
+              description: "Salt compound expression to get control servers to upgrade."
diff --git a/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml b/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml
index b0c92b7..4753cea 100644
--- a/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml
+++ b/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml
@@ -21,7 +21,7 @@
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
             credentials: "gerrit"
-            script: ovs-gateway-upgrade.groovy
+            script: openstack-data-upgrade.groovy
           param:
             SALT_MASTER_URL:
               type: string
@@ -29,18 +29,19 @@
             SALT_MASTER_CREDENTIALS:
               type: string
               default: "salt"
-            TARGET_SERVERS:
-              type: string
-              default: "gtw*"
-              description: Salt compound target to match nodes to be updated [*, G@osfamily:debian].
-            TARGET_SUBSET_TEST:
-              type: string
-              description: Number of nodes to list package updates, empty string means all targetted nodes.
-            TARGET_SUBSET_LIVE:
-              type: string
-              default: '1'
-              description: Number of selected nodes to live apply upgrade.
+            OS_DIST_UPGRADE:
+              type: boolean
+              default: 'false'
+              description: "Upgrade system packages including kernel (apt-get dist-upgrade)"
+            OS_UPGRADE:
+              type: boolean
+              default: 'false'
+              description: "Upgrade all installed applications (apt-get upgrade)"
             INTERACTIVE:
               type: boolean
               default: 'true'
               description: "Ask interactive questions during pipeline run (bool)"
+            TARGET_SERVERS:
+              type: string
+              default: 'ctl*'
+              description: "Salt compound expression to get control servers to upgrade."
diff --git a/jenkins/client/job/image/centos.yml b/jenkins/client/job/image/centos.yml
deleted file mode 100644
index 5358d92..0000000
--- a/jenkins/client/job/image/centos.yml
+++ /dev/null
@@ -1,85 +0,0 @@
-classes:
-  - system.jenkins.client.job.image
-parameters:
-  _param:
-    jenkins_packer_pipeline: "${_param:jenkins_gerrit_url}/mk/packer-templates"
-  jenkins:
-    client:
-      job:
-        build-image-centos-7:
-          type: workflow-scm
-          concurrent: false
-          discard:
-            build:
-              keep_num: 5
-            artifact:
-              keep_num: 5
-          scm:
-            type: git
-            url: "${_param:jenkins_packer_pipeline}"
-            credentials: "gerrit"
-          display_name: "[Images] Build Centos 7"
-          param:
-            BUILD_OS:
-              type: string
-              default: "centos-7"
-            BUILD_ONLY:
-              type: string
-              default: "qemu"
-            PACKER_DEBUG:
-              type: boolean
-              default: "false"
-            PACKER_URL:
-              type: string
-              default: "https://releases.hashicorp.com/packer/0.8.6/packer_0.8.6_linux_amd64.zip"
-            PACKER_ZIP:
-              type: string
-              default: "packer_0.8.6_linux_amd64.zip"
-            PACKER_ZIP_MD5:
-              type: string
-              default: "4cda1c44cf666fada495dd8e01522e1c"
-            PACKER_ARGS:
-              type: string
-              default: ""
-            UPLOAD_URL:
-              type: string
-              default: "${_param:jenkins_packer_upload_url}"
-            SKIP_UPLOAD:
-              type: boolean
-              default: "false"
-            CLEANUP_OLD:
-              type: boolean
-              default: "true"
-            CLEANUP_KEEP:
-              type: string
-              default: "3"
-            GLANCE_UPLOAD:
-              type: boolean
-              default: "true"
-            GLANCE_IMG_TYPES:
-              type: string
-              default: "qcow2"
-            GLANCE_URL:
-              type: string
-              default: "https://cloud-cz.bud.mirantis.net:5000"
-            GLANCE_CREDENTIALS_ID:
-              type: string
-              default: "openstack-devcloud-credentials"
-            GLANCE_PROJECT:
-              type: string
-              default: "mcp-mk"
-            GLANCE_ARGS:
-              type: string
-              default: ""
-            GLANCE_PUBLIC:
-              type: boolean
-              default: "true"
-            OPENSTACK_API_CLIENT:
-              type: string
-              default: ""
-            IMAGE_NAME:
-              type: string
-              default: centos-7-x64
-            EXTRA_VARIABLES:
-              type: text
-              default: ""
\ No newline at end of file
diff --git a/jenkins/client/job/image/debian.yml b/jenkins/client/job/image/debian.yml
deleted file mode 100644
index eef4740..0000000
--- a/jenkins/client/job/image/debian.yml
+++ /dev/null
@@ -1,85 +0,0 @@
-classes:
-  - system.jenkins.client.job.image
-parameters:
-  _param:
-    jenkins_packer_pipeline: "${_param:jenkins_gerrit_url}/mk/packer-templates"
-  jenkins:
-    client:
-      job:
-        build-image-debian-8:
-          type: workflow-scm
-          concurrent: false
-          discard:
-            build:
-              keep_num: 5
-            artifact:
-              keep_num: 5
-          scm:
-            type: git
-            url: "${_param:jenkins_packer_pipeline}"
-            credentials: "gerrit"
-          display_name: "[Images] Build Debian 8 image"
-          param:
-            BUILD_OS:
-              type: string
-              default: "debian-8"
-            BUILD_ONLY:
-              type: string
-              default: "qemu"
-            PACKER_DEBUG:
-              type: boolean
-              default: "false"
-            PACKER_URL:
-              type: string
-              default: "https://releases.hashicorp.com/packer/0.8.6/packer_0.8.6_linux_amd64.zip"
-            PACKER_ZIP:
-              type: string
-              default: "packer_0.8.6_linux_amd64.zip"
-            PACKER_ZIP_MD5:
-              type: string
-              default: "4cda1c44cf666fada495dd8e01522e1c"
-            PACKER_ARGS:
-              type: string
-              default: ""
-            UPLOAD_URL:
-              type: string
-              default: "${_param:jenkins_packer_upload_url}"
-            SKIP_UPLOAD:
-              type: boolean
-              default: "false"
-            CLEANUP_OLD:
-              type: boolean
-              default: "true"
-            CLEANUP_KEEP:
-              type: string
-              default: "3"
-            GLANCE_UPLOAD:
-              type: boolean
-              default: "true"
-            GLANCE_IMG_TYPES:
-              type: string
-              default: "qcow2"
-            GLANCE_URL:
-              type: string
-              default: "https://cloud-cz.bud.mirantis.net:5000"
-            GLANCE_CREDENTIALS_ID:
-              type: string
-              default: "openstack-devcloud-credentials"
-            GLANCE_PROJECT:
-              type: string
-              default: "mcp-mk"
-            GLANCE_ARGS:
-              type: string
-              default: ""
-            GLANCE_PUBLIC:
-              type: boolean
-              default: "true"
-            OPENSTACK_API_CLIENT:
-              type: string
-              default: ""
-            IMAGE_NAME:
-              type: string
-              default: debian-8-x64
-            EXTRA_VARIABLES:
-              type: text
-              default: ""
diff --git a/jenkins/client/job/image/ubuntu.yml b/jenkins/client/job/image/ubuntu.yml
deleted file mode 100644
index e4a8251..0000000
--- a/jenkins/client/job/image/ubuntu.yml
+++ /dev/null
@@ -1,166 +0,0 @@
-classes:
-  - system.jenkins.client.job.image
-parameters:
-  _param:
-    jenkins_packer_pipeline: "${_param:jenkins_gerrit_url}/mk/packer-templates"
-  jenkins:
-    client:
-      job:
-        build-image-ubuntu-14-04:
-          type: workflow-scm
-          concurrent: false
-          discard:
-            build:
-              keep_num: 5
-              keep_days: 5
-            artifact:
-              keep_num: 6
-              keep_days: 6
-          scm:
-            type: git
-            url: "${_param:jenkins_packer_pipeline}"
-            credentials: "gerrit"
-          display_name: "[Images] Build Ubuntu 14.04 image"
-          param:
-            BUILD_OS:
-              type: string
-              default: "ubuntu-14.04"
-            BUILD_ONLY:
-              type: string
-              default: "qemu"
-            PACKER_DEBUG:
-              type: boolean
-              default: "false"
-            PACKER_URL:
-              type: string
-              default: "https://releases.hashicorp.com/packer/0.8.6/packer_0.8.6_linux_amd64.zip"
-            PACKER_ZIP:
-              type: string
-              default: "packer_0.8.6_linux_amd64.zip"
-            PACKER_ZIP_MD5:
-              type: string
-              default: "4cda1c44cf666fada495dd8e01522e1c"
-            PACKER_ARGS:
-              type: string
-              default: ""
-            UPLOAD_URL:
-              type: string
-              default: "${_param:jenkins_packer_upload_url}"
-            SKIP_UPLOAD:
-              type: boolean
-              default: "false"
-            CLEANUP_OLD:
-              type: boolean
-              default: "true"
-            CLEANUP_KEEP:
-              type: string
-              default: "3"
-            GLANCE_UPLOAD:
-              type: boolean
-              default: "true"
-            GLANCE_IMG_TYPES:
-              type: string
-              default: "qcow2"
-            GLANCE_URL:
-              type: string
-              default: "https://cloud-cz.bud.mirantis.net:5000"
-            GLANCE_CREDENTIALS_ID:
-              type: string
-              default: "openstack-devcloud-credentials"
-            GLANCE_PROJECT:
-              type: string
-              default: "mcp-mk"
-            GLANCE_ARGS:
-              type: string
-              default: ""
-            GLANCE_PUBLIC:
-              type: boolean
-              default: "true"
-            OPENSTACK_API_CLIENT:
-              type: string
-              default: ""
-            IMAGE_NAME:
-              type: string
-              default: ubuntu-14-04-x64
-            EXTRA_VARIABLES:
-              type: text
-              default: ""
-        build-image-ubuntu-16-04:
-          type: workflow-scm
-          concurrent: false
-          discard:
-            build:
-              keep_num: 5
-              keep_days: 5
-            artifact:
-              keep_num: 6
-              keep_days: 6
-          scm:
-            type: git
-            url: "${_param:jenkins_packer_pipeline}"
-            credentials: "gerrit"
-          display_name: "[Images] Build Ubuntu 16.04 image"
-          param:
-            BUILD_OS:
-              type: string
-              default: "ubuntu-16.04"
-            BUILD_ONLY:
-              type: string
-              default: "qemu"
-            PACKER_DEBUG:
-              type: boolean
-              default: "false"
-            PACKER_URL:
-              type: string
-              default: "https://releases.hashicorp.com/packer/0.8.6/packer_0.8.6_linux_amd64.zip"
-            PACKER_ZIP:
-              type: string
-              default: "packer_0.8.6_linux_amd64.zip"
-            PACKER_ZIP_MD5:
-              type: string
-              default: "4cda1c44cf666fada495dd8e01522e1c"
-            PACKER_ARGS:
-              type: string
-              default: ""
-            UPLOAD_URL:
-              type: string
-              default: "${_param:jenkins_packer_upload_url}"
-            SKIP_UPLOAD:
-              type: boolean
-              default: "false"
-            CLEANUP_OLD:
-              type: boolean
-              default: "true"
-            CLEANUP_KEEP:
-              type: string
-              default: "3"
-            GLANCE_UPLOAD:
-              type: boolean
-              default: "true"
-            GLANCE_IMG_TYPES:
-              type: string
-              default: "qcow2"
-            GLANCE_URL:
-              type: string
-              default: "https://cloud-cz.bud.mirantis.net:5000"
-            GLANCE_CREDENTIALS_ID:
-              type: string
-              default: "openstack-devcloud-credentials"
-            GLANCE_PROJECT:
-              type: string
-              default: "mcp-mk"
-            GLANCE_ARGS:
-              type: string
-              default: ""
-            GLANCE_PUBLIC:
-              type: boolean
-              default: "true"
-            OPENSTACK_API_CLIENT:
-              type: string
-              default: ""
-            IMAGE_NAME:
-              type: string
-              default: ubuntu-16-04-x64
-            EXTRA_VARIABLES:
-              type: text
-              default: ""
\ No newline at end of file
diff --git a/jenkins/client/job/k8s-test/mcp-k8s-dashboard-merge-pipeline.yml b/jenkins/client/job/k8s-test/mcp-k8s-dashboard-merge-pipeline.yml
index f6b2350..8424f6a 100644
--- a/jenkins/client/job/k8s-test/mcp-k8s-dashboard-merge-pipeline.yml
+++ b/jenkins/client/job/k8s-test/mcp-k8s-dashboard-merge-pipeline.yml
@@ -21,7 +21,7 @@
           trigger:
             gerrit:
               project:
-                kubernetes/kubernetes:
+                kubernetes/dashboard:
                   branches:
                     - compare_type: "ANT"
                       name: "**mcp**"
diff --git a/jenkins/client/job/k8s-test/mcp-k8s-metallb-merge-pipeline.yml b/jenkins/client/job/k8s-test/mcp-k8s-metallb-merge-pipeline.yml
index f6a3162..c4f2af0 100644
--- a/jenkins/client/job/k8s-test/mcp-k8s-metallb-merge-pipeline.yml
+++ b/jenkins/client/job/k8s-test/mcp-k8s-metallb-merge-pipeline.yml
@@ -21,7 +21,7 @@
           trigger:
             gerrit:
               project:
-                kubernetes/kubernetes:
+                kubernetes/metallb:
                   branches:
                     - compare_type: "ANT"
                       name: "**mcp**"
diff --git a/jenkins/client/job/salt-models/tests.yml b/jenkins/client/job/salt-models/tests.yml
index 983a88b..145cfa9 100644
--- a/jenkins/client/job/salt-models/tests.yml
+++ b/jenkins/client/job/salt-models/tests.yml
@@ -272,37 +272,39 @@
               COOKIECUTTER_TEMPLATE_URL:
                 type: string
                 default: "${_param:jenkins_gerrit_url}/mk/{{cookiecutter_template}}"
-              CREDENTIALS_ID:
-                type: string
-                default: gerrit
               COOKIECUTTER_TEMPLATE_BRANCH:
                 type: string
                 default: master
-              RECLASS_MODEL_URL:
+                description: "Those variable will be ignored, in case gerritTrigger=>GERRIT_BRANCH"
+              COOKIECUTTER_TEMPLATE_REF:
+                type: string
+                default: ""
+                description: "Example: refs/changes/49/25549/1"
+              RECLASS_SYSTEM_URL:
                 type: string
                 default: "${_param:jenkins_gerrit_url}/salt-models/reclass-system"
-              RECLASS_MODEL_BRANCH:
+              RECLASS_SYSTEM_BRANCH:
                 type: string
                 default: master
+                description: "Those variable will be ignored, in case gerritTrigger=>GERRIT_BRANCH"
+              RECLASS_SYSTEM_GIT_REF:
+                type: string
+                default: ""
+                description: "Example: refs/changes/49/25549/1"
               DISTRIB_REVISION:
                 type: string
                 default: 'nightly'
-              SYSTEM_GIT_URL:
-                type: string
-                default: ""
-              SYSTEM_GIT_REF:
-                type: string
-                default: ""
-              PARALLEL_NODE_GROUP_SIZE:
-                type: string
-                default: "1"
+                description: "Those variable will be ignored, in case gerritTrigger=>GERRIT_BRANCH. Version of bin-artifacts,passed to test-env"
               EXTRA_FORMULAS:
                 type: string
-                default: "aptly artifactory auditd backupninja collectd devops-portal docker elasticsearch fluentd freeipa gerrit glusterfs grafana haproxy heka horizon influxdb jenkins keepalived kibana libvirt maas memcached mysql nginx ntp openldap openssh postfix prometheus rsync rsyslog rundeck sensu sphinx telegraf xtrabackup watchdog logrotate"
+                default: "aptly artifactory auditd backupninja collectd devops-portal docker elasticsearch fluentd freeipa gerrit glusterfs grafana haproxy heka horizon influxdb jenkins keepalived kibana libvirt maas memcached mysql nginx ntp openldap openscap openssh postfix prometheus rsync rsyslog rundeck sensu sphinx telegraf xtrabackup watchdog logrotate"
               RECLASS_VERSION:
                 type: string
                 default: 'v1.5.4'
-                description: "Version (branch) of Reclass we will use"
+                description: "Version (branch) of reclass PACKAGE we will use"
+              CREDENTIALS_ID:
+                type: string
+                default: gerrit
       job:
         test-salt-model-node:
           name: test-salt-model-node
@@ -385,7 +387,7 @@
             build:
               keep_num: 300
             artifact:
-              keep_num: 30
+              keep_num: 300
           type: workflow-scm
           concurrent: true
           plugin_properties:
@@ -402,5 +404,5 @@
             script: test-cookiecutter-reclass-chunk.groovy
           param:
             EXTRA_VARIABLES_YAML:
-              type: string
+              type: text
               default: ""
diff --git a/kubernetes/common.yml b/kubernetes/common.yml
index 9151987..bf5886b 100644
--- a/kubernetes/common.yml
+++ b/kubernetes/common.yml
@@ -18,7 +18,7 @@
     kubernetes_metallb_repo: metallb
     kubernetes_sriov_repo: https://docker-prod-local.artifactory.mirantis.com/artifactory/binary-prod-local/mirantis/kubernetes/sriov-cni
     kubernetes_cniplugins_repo: https://docker-prod-local.artifactory.mirantis.com/artifactory/binary-prod-local/mirantis/kubernetes/containernetworking-plugins
-    kubernetes_dashboard_repo: k8s.gcr.io
+    kubernetes_dashboard_repo: ${_param:mcp_docker_registry}/mirantis/kubernetes
     kubernetes_coredns_repo: coredns
 
     # component docker images
@@ -50,10 +50,10 @@
     kubernetes_sriov_source_hash: md5=c0cc33202afd02e4cc44b977a8faf6e7
     kubernetes_cniplugins_source: ${_param:kubernetes_cniplugins_repo}/cni-plugins_v0.7.1-48-g696b1f9.tar.gz
     kubernetes_cniplugins_source_hash: md5=5ec1cf5e989097c6127ea5365e277b02
-    kubernetes_dashboard_image: ${_param:kubernetes_dashboard_repo}/kubernetes-dashboard-amd64:v1.8.3
+    kubernetes_dashboard_image: ${_param:kubernetes_dashboard_repo}/kubernetes-dashboard-amd64:v1.10.0-4
     kubernetes_fluentd_aggregator_image: fluent/fluentd-kubernetes-daemonset:v1.2-debian-elasticsearch
     kubernetes_fluentd_logger_image: fluent/fluentd-kubernetes-daemonset:v1.2-debian-stackdriver
-    kubernetes_telegraf_image: docker.io/telegraf:1.5.3
+    kubernetes_telegraf_image: ${_param:mcp_docker_registry}/openstack-docker/telegraf:2018.8.0
     kubernetes_coredns_image: ${_param:kubernetes_coredns_repo}/coredns:1.2.0
 
     kubelet_fail_on_swap: true
diff --git a/manila/control/single.yml b/manila/control/single.yml
index 262a158..b2036d3 100644
--- a/manila/control/single.yml
+++ b/manila/control/single.yml
@@ -2,11 +2,14 @@
  - system.manila.common.cluster
  - system.apache.server.site.manila
 parameters:
+  _param:
+    openstack_node_role: primary
   manila:
     common:
       dhss: false
       version: ${_param:openstack_version}
     api:
+      role: ${_param:openstack_node_role}
       enabled: true
       version: ${_param:openstack_version}
       role: ${_param:openstack_node_role}
diff --git a/neutron/control/openvswitch/single.yml b/neutron/control/openvswitch/single.yml
index baa710e..da8dee0 100644
--- a/neutron/control/openvswitch/single.yml
+++ b/neutron/control/openvswitch/single.yml
@@ -13,8 +13,10 @@
     neutron_enable_bgp_vpn: False
     neutron_bgp_vpn_driver: bagpipe
     internal_protocol: 'http'
+    openstack_node_role: primary
   neutron:
     server:
+      role: ${_param:openstack_node_role}
       global_physnet_mtu: ${_param:neutron_global_physnet_mtu}
       l3_ha: ${_param:neutron_l3_ha}
       dvr: ${_param:neutron_control_dvr}
diff --git a/openscap/server/init.yml b/openscap/server/init.yml
new file mode 100644
index 0000000..0f2a76f
--- /dev/null
+++ b/openscap/server/init.yml
@@ -0,0 +1,2 @@
+classes:
+- service.openscap.cis
diff --git a/panko/server/cluster.yml b/panko/server/cluster.yml
index 3a4cb65..9715456 100644
--- a/panko/server/cluster.yml
+++ b/panko/server/cluster.yml
@@ -4,6 +4,7 @@
 - system.apache.server.site.panko
 - system.haproxy.proxy.listen.openstack.panko
 - system.keepalived.cluster.instance.openstack_telemetry_vip
+- system.salt.minion.cert.mysql.clients.openstack.panko
 parameters:
   _param:
     panko_memcached_node01_address: ${_param:cluster_node01_address}
@@ -11,6 +12,8 @@
     panko_memcached_node03_address: ${_param:cluster_node03_address}
     # Keep events in database for 30 days
     panko_event_time_to_live: 2592000
+    openstack_mysql_x509_enabled: False
+    galera_ssl_enabled: False
   linux:
     system:
       cron:
@@ -25,6 +28,13 @@
         host: ${_param:openstack_control_address}
       database:
         host: ${_param:openstack_database_address}
+        x509:
+          enabled: ${_param:openstack_mysql_x509_enabled}
+          ca_file: ${_param:mysql_panko_ssl_ca_file}
+          key_file: ${_param:mysql_panko_client_ssl_key_file}
+          cert_file: ${_param:mysql_panko_client_ssl_cert_file}
+        ssl:
+          enabled: ${_param:galera_ssl_enabled}
       cache:
         engine: memcached
         members:
diff --git a/panko/server/single.yml b/panko/server/single.yml
index 4ba2787..cb1a449 100644
--- a/panko/server/single.yml
+++ b/panko/server/single.yml
@@ -1,10 +1,13 @@
 classes:
 - service.panko.server.single
 - system.apache.server.site.panko
+- system.salt.minion.cert.mysql.clients.openstack.panko
 parameters:
   _param:
     # Keep events in database for 30 days
     panko_event_time_to_live: 2592000
+    openstack_mysql_x509_enabled: False
+    galera_ssl_enabled: False
   linux:
     system:
       cron:
@@ -13,6 +16,14 @@
             enabled: true
   panko:
     server:
+      database:
+        x509:
+          enabled: ${_param:openstack_mysql_x509_enabled}
+          ca_file: ${_param:mysql_panko_ssl_ca_file}
+          key_file: ${_param:mysql_panko_client_ssl_key_file}
+          cert_file: ${_param:mysql_panko_client_ssl_cert_file}
+        ssl:
+          enabled: ${_param:galera_ssl_enabled}
       role: ${_param:openstack_node_role}
       event_time_to_live: ${_param:panko_event_time_to_live}
       # Check for expired events every day at 2 AM
diff --git a/salt/control/placement/stacklight/medium.yml b/salt/control/placement/stacklight/medium.yml
index 7f54f4d..7f35fe9 100644
--- a/salt/control/placement/stacklight/medium.yml
+++ b/salt/control/placement/stacklight/medium.yml
@@ -37,7 +37,7 @@
               image: ${_param:salt_control_xenial_image}
               provider: ${_param:infra_kvm_node10_hostname}.${_param:cluster_domain}
               size: stacklight.log
-            lop02:
+            log02:
               name: ${_param:stacklight_log_node02_hostname}
               image: ${_param:salt_control_xenial_image}
               provider: ${_param:infra_kvm_node11_hostname}.${_param:cluster_domain}
@@ -61,4 +61,4 @@
               name: ${_param:stacklight_monitor_node03_hostname}
               image: ${_param:salt_control_xenial_image}
               provider: ${_param:infra_kvm_node12_hostname}.${_param:cluster_domain}
-              size: stacklight.server
\ No newline at end of file
+              size: stacklight.server
diff --git a/salt/master/formula/git/openscap.yml b/salt/master/formula/git/openscap.yml
new file mode 100644
index 0000000..a091ffe
--- /dev/null
+++ b/salt/master/formula/git/openscap.yml
@@ -0,0 +1,10 @@
+parameters:
+  salt:
+    master:
+      environment:
+        dev:
+          formula:
+            openscap:
+              source: git
+              address: '${_param:salt_master_environment_repository}/salt-formula-openscap.git'
+              revision: ${_param:salt_master_environment_revision}
diff --git a/salt/master/formula/pkg/openscap.yml b/salt/master/formula/pkg/openscap.yml
new file mode 100644
index 0000000..ebb6e86
--- /dev/null
+++ b/salt/master/formula/pkg/openscap.yml
@@ -0,0 +1,9 @@
+parameters:
+  salt:
+    master:
+      environment:
+        prd:
+          formula:
+            openscap:
+              source: pkg
+              name: salt-formula-openscap
diff --git a/salt/minion/cert/mysql/clients/openstack/panko.yml b/salt/minion/cert/mysql/clients/openstack/panko.yml
new file mode 100644
index 0000000..0593ae2
--- /dev/null
+++ b/salt/minion/cert/mysql/clients/openstack/panko.yml
@@ -0,0 +1,27 @@
+parameters:
+  _param:
+    salt_minion_ca_host: cfg01.${_param:cluster_domain}
+    salt_minion_ca_authority: salt_master_ca
+    mysql_panko_client_ssl_key_file: /etc/panko/ssl/mysql/client-key.pem
+    mysql_panko_client_ssl_cert_file: /etc/panko/ssl/mysql/client-cert.pem
+    mysql_panko_ssl_ca_file: /etc/panko/ssl/mysql/ca-cert.pem
+  salt:
+    minion:
+      cert:
+        mysql-panko-client:
+          host: ${_param:salt_minion_ca_host}
+          authority: ${_param:salt_minion_ca_authority}
+          common_name: mysql-panko-client
+          signing_policy: cert_client
+          alternative_names: >
+            IP:${_param:cluster_local_address},
+            DNS:${_param:cluster_local_address},
+            DNS:${linux:system:name},
+            DNS:${linux:network:fqdn}
+          key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+          key_file: ${_param:mysql_panko_client_ssl_key_file}
+          cert_file: ${_param:mysql_panko_client_ssl_cert_file}
+          ca_file: ${_param:mysql_panko_ssl_ca_file}
+          user: panko
+          group: panko
+          mode: 640