Merge "[CVP] Remove 2 default parameters from cvp-tempest, rename job"
diff --git a/defaults/openstack/init.yml b/defaults/openstack/init.yml
index 2e6362d..0e940a0 100644
--- a/defaults/openstack/init.yml
+++ b/defaults/openstack/init.yml
@@ -26,6 +26,8 @@
     openstack_rabbitmq_x509_enabled: False
     # RabbitMQ
     rabbitmq_upgrade_enabled: ${_param:openstack_upgrade_enabled}
+    # Galera
+    galera_upgrade_enabled: ${_param:openstack_upgrade_enabled}
     # Openstack memcache
     openstack_memcached_server_bind_address: 0.0.0.0
     openstack_memcache_security_enabled: False
diff --git a/docker/swarm/stack/gerrit.yml b/docker/swarm/stack/gerrit.yml
index c164d75..ed90acf 100644
--- a/docker/swarm/stack/gerrit.yml
+++ b/docker/swarm/stack/gerrit.yml
@@ -27,6 +27,7 @@
                 - ${_param:gerrit_ssh_publish_port}:29418
               volumes:
                 - /srv/volumes/gerrit:/var/gerrit/review_site
+                - /etc/ssl/certs/java/cacerts:/etc/ssl/certs/java/cacerts:ro
               depends_on:
                 - db
               environment:
@@ -50,7 +51,7 @@
                 GERRIT_ADMIN_PWD: ${_param:gerrit_admin_password}
                 GERRIT_ADMIN_EMAIL: ${_param:gerrit_admin_email}
                 CANLOADINIFRAME: "true"
-                JAVA_OPTIONS: ${_param:gerrit_extra_opts}
+                JAVA_OPTIONS: "-Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts ${_param:gerrit_extra_opts}"
                 https_proxy: ${_param:docker_https_proxy}
                 http_proxy: ${_param:docker_http_proxy}
                 no_proxy: ${_param:docker_no_proxy}
diff --git a/docker/swarm/stack/jenkins/master.yml b/docker/swarm/stack/jenkins/master.yml
index 921f111..6ec6afb 100644
--- a/docker/swarm/stack/jenkins/master.yml
+++ b/docker/swarm/stack/jenkins/master.yml
@@ -17,7 +17,7 @@
             master:
               environment:
                 JENKINS_HOME: ${_param:jenkins_home_dir_path}
-                JAVA_OPTS: " -server -XX:+AlwaysPreTouch -Xloggc:${_param:jenkins_home_dir_path}/gc-%t.log -XX:NumberOfGCLogFiles=5 -XX:+UseGCLogFileRotation -XX:GCLogFileSize=20m -XX:+PrintGC -XX:+PrintGCDateStamps -XX:+PrintGCDetails -XX:+PrintHeapAtGC -XX:+PrintGCCause -XX:+PrintTenuringDistribution -XX:+PrintReferenceGC -XX:+PrintAdaptiveSizePolicy -XX:+UseG1GC -XX:+ExplicitGCInvokesConcurrent -XX:+ParallelRefProcEnabled -XX:+UseStringDeduplication -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=20 -XX:+UseCGroupMemoryLimitForHeap -XX:+UnlockDiagnosticVMOptions -XX:G1SummarizeRSetStatsPeriod=1 -Djenkins.install.runSetupWizard=false -Dhudson.DNSMultiCast.disabled=true -Dhudson.udp=-1 -Dhudson.footerURL=https://www.mirantis.com ${_param:jenkins_master_extra_opts}"
+                JAVA_OPTS: " -server -XX:+AlwaysPreTouch -Xloggc:${_param:jenkins_home_dir_path}/gc-%t.log -XX:NumberOfGCLogFiles=5 -XX:+UseGCLogFileRotation -XX:GCLogFileSize=20m -XX:+PrintGC -XX:+PrintGCDateStamps -XX:+PrintGCDetails -XX:+PrintHeapAtGC -XX:+PrintGCCause -XX:+PrintTenuringDistribution -XX:+PrintReferenceGC -XX:+PrintAdaptiveSizePolicy -XX:+UseG1GC -XX:+ExplicitGCInvokesConcurrent -XX:+ParallelRefProcEnabled -XX:+UseStringDeduplication -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=20 -XX:+UseCGroupMemoryLimitForHeap -XX:+UnlockDiagnosticVMOptions -XX:G1SummarizeRSetStatsPeriod=1 -Djenkins.install.runSetupWizard=false -Dhudson.DNSMultiCast.disabled=true -Dhudson.udp=-1 -Dhudson.footerURL=https://www.mirantis.com -Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts ${_param:jenkins_master_extra_opts}"
                 JENKINS_NUM_EXECUTORS: ${_param:jenkins_master_executors_num}
                 JENKINS_OPTS: " --handlerCountMax=${_param:jenkins_master_max_concurent_requests}"
                 https_proxy: ${_param:docker_https_proxy}
diff --git a/docker/swarm/stack/ldap.yml b/docker/swarm/stack/ldap.yml
index b785711..1e12a4a 100644
--- a/docker/swarm/stack/ldap.yml
+++ b/docker/swarm/stack/ldap.yml
@@ -21,13 +21,24 @@
               volumes:
                 - /srv/volumes/openldap/database:/var/lib/ldap
                 - /srv/volumes/openldap/config:/etc/ldap/slapd.d
+                - ${_param:openldap_tls:keyfile}:/container/service/slapd/assets/certs/drivetrain_ldap.key:ro
+                - ${_param:openldap_tls:certfile}:/container/service/slapd/assets/certs/drivetrain_ldap.crt:ro
+                - /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem:/container/service/slapd/assets/certs/ca.crt:ro
+              # copy to /container/run/service to avoid issues with owning certs as openldap user
+              # https://github.com/osixia/docker-openldap/issues/59
+              command: --copy-service
               environment:
                 HOSTNAME: ldap01.${_param:openldap_domain}
                 LDAP_ORGANISATION: "${_param:openldap_organisation}"
                 LDAP_DOMAIN: "${_param:openldap_domain}"
                 LDAP_ADMIN_PASSWORD: ${_param:openldap_admin_password}
                 LDAP_CONFIG_PASSWORD: ${_param:openldap_config_password}
-                LDAP_TLS: "false"
+                LDAP_TLS: "true"
+                LDAP_TLS_VERIFY_CLIENT: try
+                LDAP_TLS_CIPHER_SUITE: NORMAL:-VERS-SSL3.0:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0
+                LDAP_TLS_CRT_FILENAME: drivetrain_ldap.crt
+                LDAP_TLS_KEY_FILENAME: drivetrain_ldap.key
+                LDAP_TLS_CA_CRT_FILENAME: ca.crt
             admin:
               networks:
                 - ldap
@@ -38,9 +49,19 @@
               depends_on:
                 - server
               hostname: ldap
+              command: --copy-service
+              volumes:
+                - ${_param:openldap_tls:keyfile}:/container/service/ldap-client/assets/certs/drivetrain_ldap.key:ro
+                - ${_param:openldap_tls:certfile}:/container/service/ldap-client/assets/certs/drivetrain_ldap.crt:ro
+                - /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem:/container/service/ldap-client/assets/certs/ca.crt:ro
               environment:
                 PHPLDAPADMIN_LDAP_ADMIN_PASSWORD: ${_param:openldap_admin_password}
-                PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{'server': [{'server': [{'tls': False}]},{'login': [{'bind_id': 'cn=admin,${_param:openldap_dn}'},{'bind_pass': '$PHPLDAPADMIN_LDAP_ADMIN_PASSWORD'}]}]}]"
+                PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{'server': [{'server': [{'host': 'ldaps://${_param:cicd_control_address}', 'tls': False}]},{'login': [{'bind_id': 'cn=admin,${_param:openldap_dn}'},{'bind_pass': '$PHPLDAPADMIN_LDAP_ADMIN_PASSWORD'}]}]}]"
+                PHPLDAPADMIN_LDAP_CLIENT_TLS: "true"
+                PHPLDAPADMIN_LDAP_CLIENT_TLS_CA_CRT_FILENAME: drivetrain_ldap.crt
+                PHPLDAPADMIN_LDAP_CLIENT_TLS_CRT_FILENAME: drivetrain_ldap.key
+                PHPLDAPADMIN_LDAP_CLIENT_TLS_KEY_FILENAME: ca.crt
+                PHPLDAPADMIN_LDAP_CLIENT_TLS_REQCERT: 'try'
                 PHPLDAPADMIN_HTTPS: "false"
                 PHPLDAPADMIN_TRUST_PROXY_SSL: "true"
                 PHPLDAPADMIN_SERVER_ADMIN: ${_param:admin_email}
diff --git a/docker/swarm/stack/monitoring/pushgateway.yml b/docker/swarm/stack/monitoring/pushgateway.yml
index 461eb0b..582dc93 100644
--- a/docker/swarm/stack/monitoring/pushgateway.yml
+++ b/docker/swarm/stack/monitoring/pushgateway.yml
@@ -15,7 +15,7 @@
               networks:
                 - monitoring
               deploy:
-                replicas: 2
+                replicas: 1
                 labels:
                   com.mirantis.monitoring: "pushgateway"
                 restart_policy:
diff --git a/galera/server/cluster.yml b/galera/server/cluster.yml
index e215910..a4b3f0a 100644
--- a/galera/server/cluster.yml
+++ b/galera/server/cluster.yml
@@ -2,3 +2,4 @@
 - service.haproxy.proxy.single
 - system.haproxy.proxy.listen.openstack.galera
 - system.keepalived.cluster.instance.galera_vip
+- system.galera.upgrade
diff --git a/galera/upgrade/init.yml b/galera/upgrade/init.yml
new file mode 100644
index 0000000..dd49ff2
--- /dev/null
+++ b/galera/upgrade/init.yml
@@ -0,0 +1,4 @@
+parameters:
+  galera:
+    upgrade:
+      enabled: ${_param:galera_upgrade_enabled}
diff --git a/haproxy/proxy/listen/openstack/heat.yml b/haproxy/proxy/listen/openstack/heat.yml
index 649ce99..708c97a 100644
--- a/haproxy/proxy/listen/openstack/heat.yml
+++ b/haproxy/proxy/listen/openstack/heat.yml
@@ -29,6 +29,9 @@
         heat_api:
           type: openstack-service
           service_name: heat
+          timeout:
+            client: '2m'
+            server: '2m'
           binds:
           - address: ${_param:cluster_vip_address}
             port: 8004
diff --git a/haproxy/proxy/listen/openstack/heat_large.yml b/haproxy/proxy/listen/openstack/heat_large.yml
index 899a691..d23947a 100644
--- a/haproxy/proxy/listen/openstack/heat_large.yml
+++ b/haproxy/proxy/listen/openstack/heat_large.yml
@@ -37,6 +37,9 @@
         heat_api:
           type: openstack-service
           service_name: heat
+          timeout:
+            client: '2m'
+            server: '2m'
           binds:
           - address: ${_param:cluster_vip_address}
             port: 8004
diff --git a/haproxy/proxy/listen/phpldapadmin.yml b/haproxy/proxy/listen/phpldapadmin.yml
index b2b7f93..6bbb885 100644
--- a/haproxy/proxy/listen/phpldapadmin.yml
+++ b/haproxy/proxy/listen/phpldapadmin.yml
@@ -2,6 +2,9 @@
   _param:
     haproxy_phpldapadmin_bind_host: ${_param:haproxy_bind_address}
     haproxy_phpldapadmin_bind_port: 8089
+    haproxy_phpldapadmin_ssl:
+      enabled: true
+      pem_file: /etc/haproxy/ssl/drivetrain.pem
   haproxy:
     proxy:
       listen:
@@ -12,9 +15,13 @@
             - httpclose
             - httplog
           balance: source
+          http_request:
+            - action: "add-header X-Forwarded-Proto https"
+              condition: "if { ssl_fc }"
           binds:
             - address: ${_param:haproxy_phpldapadmin_bind_host}
               port: ${_param:haproxy_phpldapadmin_bind_port}
+              ssl: ${_param:haproxy_phpldapadmin_ssl}
           servers:
             - name: ${_param:cluster_node01_name}
               host: ${_param:cluster_node01_address}
diff --git a/jenkins/client/credential/source_git.yml b/jenkins/client/credential/source_git.yml
new file mode 100644
index 0000000..ec350f0
--- /dev/null
+++ b/jenkins/client/credential/source_git.yml
@@ -0,0 +1,10 @@
+parameters:
+  _param:
+    pipeline_library_source_credentials: source_git
+  jenkins:
+    client:
+      credential:
+        source_git:
+          desc: Credentials to source git repositories for pipelines
+          username: ${_param:source_git_username}
+          password: ${_param:source_git_password}
diff --git a/jenkins/client/job/deploy/backupninja_backup.yml b/jenkins/client/job/deploy/backupninja_backup.yml
index 881934a..ab5caf0 100644
--- a/jenkins/client/job/deploy/backupninja_backup.yml
+++ b/jenkins/client/job/deploy/backupninja_backup.yml
@@ -14,7 +14,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: ${_param:jenkins_gerrit_credentials}
+            credentials: "${_param:jenkins_gerrit_credentials}"
             script: backupninja-backup-pipeline.groovy
           param:
             SALT_MASTER_CREDENTIALS:
diff --git a/jenkins/client/job/deploy/backupninja_restore.yml b/jenkins/client/job/deploy/backupninja_restore.yml
index 7769425..192f5dc 100644
--- a/jenkins/client/job/deploy/backupninja_restore.yml
+++ b/jenkins/client/job/deploy/backupninja_restore.yml
@@ -15,7 +15,7 @@
             type: git
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
-            credentials: ${_param:jenkins_gerrit_credentials}
+            credentials: "${_param:jenkins_gerrit_credentials}"
             script: backupninja-restore-pipeline.groovy
           param:
             SALT_MASTER_CREDENTIALS:
diff --git a/jenkins/client/job/deploy/kqueen.yml b/jenkins/client/job/deploy/kqueen.yml
index 1935a43..ff4a35f 100644
--- a/jenkins/client/job/deploy/kqueen.yml
+++ b/jenkins/client/job/deploy/kqueen.yml
@@ -33,7 +33,7 @@
               default: "${_param:jenkins_gerrit_url}/mk/heat-templates"
             STACK_TEMPLATE_CREDENTIALS:
               type: string
-              default: "gerrit"
+              default: ${_param:jenkins_gerrit_credentials}
             STACK_TEMPLATE_BRANCH:
               type: string
               default: "master"
@@ -93,7 +93,7 @@
               default: "${_param:jenkins_gerrit_url}/mk/heat-templates"
             STACK_TEMPLATE_CREDENTIALS:
               type: string
-              default: "gerrit"
+              default: ${_param:jenkins_gerrit_credentials}
             STACK_TEMPLATE_BRANCH:
               type: string
               default: "master"
diff --git a/jenkins/client/job/deploy/lab/mom_deploy.yml b/jenkins/client/job/deploy/lab/mom_deploy.yml
index c6bbbc5..f03b485 100644
--- a/jenkins/client/job/deploy/lab/mom_deploy.yml
+++ b/jenkins/client/job/deploy/lab/mom_deploy.yml
@@ -100,7 +100,7 @@
               default: "master"
             STACK_TEMPLATE_CREDENTIALS:
               type: string
-              default: "gerrit"
+              default: "${_param:jenkins_gerrit_credentials}"
             STACK_TEMPLATE_URL:
               type: string
               default: "${_param:jenkins_gerrit_url}/mk/heat-templates"
diff --git a/jenkins/client/job/deploy/update/init.yml b/jenkins/client/job/deploy/update/init.yml
index 753894e..c7a843f 100644
--- a/jenkins/client/job/deploy/update/init.yml
+++ b/jenkins/client/job/deploy/update/init.yml
@@ -4,6 +4,8 @@
   - system.jenkins.client.job.deploy.update.update_mirror_image
   - system.jenkins.client.job.deploy.update.update_ceph
   - system.jenkins.client.job.deploy.update.upgrade
+  - system.jenkins.client.job.deploy.update.upgrade_rabbitmq
+  - system.jenkins.client.job.deploy.update.upgrade_galera
   - system.jenkins.client.job.deploy.update.upgrade_compute
   - system.jenkins.client.job.deploy.update.upgrade_mcp_release
   - system.jenkins.client.job.deploy.update.upgrade_ovs_gateway
diff --git a/jenkins/client/job/deploy/update/upgrade_galera.yml b/jenkins/client/job/deploy/update/upgrade_galera.yml
new file mode 100644
index 0000000..8864529
--- /dev/null
+++ b/jenkins/client/job/deploy/update/upgrade_galera.yml
@@ -0,0 +1,49 @@
+#
+# Jobs to upgrade Galera packages on given Salt master environment
+#
+parameters:
+  jenkins:
+    client:
+      job:
+        deploy-upgrade-galera:
+          type: workflow-scm
+          concurrent: true
+          discard:
+            build:
+              keep_num: 10
+            artifact:
+              keep_num: 10
+          display_name: "Deploy - upgrade Galera cluster"
+          scm:
+            type: git
+            url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
+            branch: "${_param:jenkins_pipelines_branch}"
+            credentials: ${_param:jenkins_gerrit_credentials}
+            script: openstack-galera-upgrade.groovy
+          param:
+            SALT_MASTER_URL:
+              type: string
+              default: "${_param:jenkins_salt_api_url}"
+            SALT_MASTER_CREDENTIALS:
+              type: string
+              default: "salt"
+            SHUTDOWN_CLUSTER:
+              type: boolean
+              default: 'false'
+              description: "Shutdown all mysql instances on target nodes during upgrade"
+            OS_DIST_UPGRADE:
+              type: boolean
+              default: 'false'
+              description: "Upgrade system packages including kernel (apt-get dist-upgrade)"
+            OS_UPGRADE:
+              type: boolean
+              default: 'false'
+              description: "Upgrade all installed applications (apt-get upgrade)"
+            INTERACTIVE:
+              type: boolean
+              default: 'true'
+              description: "Ask interactive questions during pipeline run (bool)"
+            TARGET_SERVERS:
+              type: string
+              default: 'dbs*'
+              description: "Salt compound expression to get mysql servers to upgrade."
diff --git a/jenkins/client/job/git-mirrors/downstream/init.yml b/jenkins/client/job/git-mirrors/downstream/init.yml
index 5a6257c..92a3d6d 100644
--- a/jenkins/client/job/git-mirrors/downstream/init.yml
+++ b/jenkins/client/job/git-mirrors/downstream/init.yml
@@ -19,18 +19,21 @@
               type: git
               url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
               branch: "${_param:jenkins_pipelines_branch}"
-              credentials: ${_param:jenkins_gerrit_credentials}
+              credentials: "${_param:jenkins_gerrit_credentials}"
               script: git-mirror-pipeline.groovy
             param:
               SOURCE_URL:
                 type: string
                 default: "{{upstream}}"
+              SOURCE_CREDENTIALS:
+                type: string
+                default: "{{source_credentials}}"
               TARGET_URL:
                 type: string
                 default: "${_param:jenkins_gerrit_url}/{{downstream}}"
               CREDENTIALS_ID:
                 type: string
-                default: "gerrit"
+                default: ${_param:jenkins_gerrit_credentials}
               BRANCHES:
                 type: string
                 default: "{{branches}}"
diff --git a/jenkins/client/job/git-mirrors/downstream/pipelines.yml b/jenkins/client/job/git-mirrors/downstream/pipelines.yml
index fbec27c..ea9cbe1 100644
--- a/jenkins/client/job/git-mirrors/downstream/pipelines.yml
+++ b/jenkins/client/job/git-mirrors/downstream/pipelines.yml
@@ -4,12 +4,17 @@
   _param:
     gerrit_pipeline_library_repo: https://github.com/Mirantis/pipeline-library
     gerrit_mk_pipelines_repo: https://github.com/Mirantis/mk-pipelines
+    pipeline_library_source_credentials: ""
+    mk_pipelines_source_credentials: ${_param:pipeline_library_source_credentials}
+    vnf_onboaring_source_credentials: ${_param:pipeline_library_source_credentials}
     jenkins_git_mirror_downstream_jobs:
       - name: pipeline-library
         downstream: mcp-ci/pipeline-library
         upstream: "${_param:gerrit_pipeline_library_repo}"
         branches: "*"
+        source_credentials: "${_param:pipeline_library_source_credentials}"
       - name: mk-pipelines
         downstream: mk/mk-pipelines
         upstream: "${_param:gerrit_mk_pipelines_repo}"
-        branches: "*"
\ No newline at end of file
+        branches: "*"
+        source_credentials: "${_param:mk_pipelines_source_credentials}"
\ No newline at end of file
diff --git a/jenkins/client/job/validate.yml b/jenkins/client/job/validate.yml
index 8cc8728..27b8eea 100644
--- a/jenkins/client/job/validate.yml
+++ b/jenkins/client/job/validate.yml
@@ -417,7 +417,7 @@
               default: |
                 envs:
                   - tests_set=''
-                  - image_name='Ubuntu'
+                  - image_name=Ubuntu
                   - networks=10.101.0.0/24
               description: 'YAML context with additional parameters. Additional params: HW_NODES, CMP_HOSTS, salt_timeout, skipped_nodes, nova_timeout, iperf_prep_string, IMAGE_SIZE_MB'
         cvp-shaker:
diff --git a/nginx/server/proxy/cicd/gerrit.yml b/nginx/server/proxy/cicd/gerrit.yml
index 0baf26c..72d0e12 100644
--- a/nginx/server/proxy/cicd/gerrit.yml
+++ b/nginx/server/proxy/cicd/gerrit.yml
@@ -15,7 +15,7 @@
           proxy:
             host: ${_param:nginx_proxy_gerrit_server_proxy_host}
             port: ${_param:nginx_proxy_gerrit_server_proxy_port}
-            protocol: http
+            protocol: https
           host:
             name: ${_param:nginx_proxy_gerrit_server_site_host}
             port: ${_param:nginx_proxy_gerrit_server_site_port}
diff --git a/nginx/server/proxy/cicd/jenkins.yml b/nginx/server/proxy/cicd/jenkins.yml
index bd270f2..b348f26 100644
--- a/nginx/server/proxy/cicd/jenkins.yml
+++ b/nginx/server/proxy/cicd/jenkins.yml
@@ -15,7 +15,7 @@
           proxy:
             host: ${_param:nginx_proxy_jenkins_server_proxy_host}
             port: ${_param:nginx_proxy_jenkins_server_proxy_port}
-            protocol: http
+            protocol: https
           host:
             name: ${_param:nginx_proxy_jenkins_server_site_host}
             port: ${_param:nginx_proxy_jenkins_server_site_port}
diff --git a/octavia/api/cluster.yml b/octavia/api/cluster.yml
index 31989b0..e698481 100644
--- a/octavia/api/cluster.yml
+++ b/octavia/api/cluster.yml
@@ -11,6 +11,7 @@
       bind:
         address: ${_param:cluster_local_address}
       database:
+        user: ${_param:mysql_octavia_username}
         host: ${_param:openstack_database_address}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
@@ -20,6 +21,7 @@
         ssl:
           enabled: ${_param:galera_ssl_enabled}
       identity:
+        user: ${_param:keystone_octavia_username}
         region: ${_param:openstack_region}
         protocol: ${_param:cluster_internal_protocol}
       message_queue:
diff --git a/octavia/api/single.yml b/octavia/api/single.yml
index c42009d..b359885 100644
--- a/octavia/api/single.yml
+++ b/octavia/api/single.yml
@@ -10,6 +10,7 @@
       bind:
         address: ${_param:single_address}
       database:
+        user: ${_param:mysql_octavia_username}
         host: ${_param:openstack_database_address}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
@@ -19,6 +20,7 @@
         ssl:
           enabled: ${_param:galera_ssl_enabled}
       identity:
+        user: ${_param:keystone_octavia_username}
         region: ${_param:openstack_region}
         protocol: ${_param:cluster_internal_protocol}
       message_queue:
diff --git a/octavia/manager/cluster.yml b/octavia/manager/cluster.yml
index f86dd80..c10e800 100644
--- a/octavia/manager/cluster.yml
+++ b/octavia/manager/cluster.yml
@@ -12,6 +12,7 @@
         user: octavia
         group: octavia
       database:
+        user: ${_param:mysql_octavia_username}
         host: ${_param:openstack_database_address}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
@@ -21,6 +22,7 @@
         ssl:
           enabled: ${_param:galera_ssl_enabled}
       identity:
+        user: ${_param:keystone_octavia_username}
         region: ${_param:openstack_region}
         protocol: ${_param:cluster_internal_protocol}
       message_queue:
diff --git a/octavia/manager/single.yml b/octavia/manager/single.yml
index e1e356b..51671eb 100644
--- a/octavia/manager/single.yml
+++ b/octavia/manager/single.yml
@@ -17,6 +17,7 @@
         user: octavia
         group: octavia
       database:
+        user: ${_param:mysql_octavia_username}
         host: ${_param:openstack_database_address}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
@@ -26,6 +27,7 @@
         ssl:
           enabled: ${_param:galera_ssl_enabled}
       identity:
+        user: ${_param:keystone_octavia_username}
         region: ${_param:openstack_region}
         protocol: ${_param:cluster_internal_protocol}
       message_queue:
diff --git a/opencontrail/control/analytics4_0.yml b/opencontrail/control/analytics4_0.yml
index 19fefcc..91868d3 100644
--- a/opencontrail/control/analytics4_0.yml
+++ b/opencontrail/control/analytics4_0.yml
@@ -94,6 +94,7 @@
                 - /var/crashes:/var/crashes
                 - /var/log/contrail:/var/log/contrail
                 - /var/log/journal/contrail-analytics:/var/log/journal
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
               env_file:
                 - contrail.env
             analyticsdb:
@@ -117,6 +118,7 @@
                 - /var/log/journal/contrail-analyticsdb:/var/log/journal
                 - ${_param:opencontrail_host_analyticsdb_log_dir}/cassandra:${_param:opencontrail_cassandra_log_dir}
                 - ${_param:opencontrail_host_analyticsdb_log_dir}/zookeeper:${_param:opencontrail_zookeeper_log_dir}
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
               network_mode: "host"
               privileged: true
               restart: always
diff --git a/opencontrail/control/cluster4_0.yml b/opencontrail/control/cluster4_0.yml
index 6859b9c..bbba05c 100644
--- a/opencontrail/control/cluster4_0.yml
+++ b/opencontrail/control/cluster4_0.yml
@@ -162,6 +162,7 @@
                 - /var/log/journal/contrail-controller:/var/log/journal
                 - ${_param:opencontrail_host_configdb_log_dir}/cassandra:${_param:opencontrail_cassandra_log_dir}
                 - ${_param:opencontrail_host_configdb_log_dir}/zookeeper:${_param:opencontrail_zookeeper_log_dir}
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
               network_mode: "host"
               privileged: true
               restart: always
@@ -178,6 +179,7 @@
                 - /etc/redis/redis.conf:/etc/redis/redis.conf
                 - /var/log/contrail:/var/log/contrail
                 - /var/log/journal/contrail-analytics:/var/log/journal
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
               env_file:
                 - contrail.env
             analyticsdb:
@@ -201,6 +203,7 @@
                 - /var/log/journal/contrail-analyticsdb:/var/log/journal
                 - ${_param:opencontrail_host_analyticsdb_log_dir}/cassandra:${_param:opencontrail_cassandra_log_dir}
                 - ${_param:opencontrail_host_analyticsdb_log_dir}/zookeeper:${_param:opencontrail_zookeeper_log_dir}
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
               network_mode: "host"
               privileged: true
               restart: always
diff --git a/opencontrail/control/control4_0.yml b/opencontrail/control/control4_0.yml
index bc37f8e..67c91e2 100644
--- a/opencontrail/control/control4_0.yml
+++ b/opencontrail/control/control4_0.yml
@@ -120,6 +120,7 @@
                 - /var/log/journal/contrail-controller:/var/log/journal
                 - ${_param:opencontrail_host_configdb_log_dir}/cassandra:${_param:opencontrail_cassandra_log_dir}
                 - ${_param:opencontrail_host_configdb_log_dir}/zookeeper:${_param:opencontrail_zookeeper_log_dir}
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
               network_mode: "host"
               privileged: true
               restart: always
diff --git a/opencontrail/control/single4_0.yml b/opencontrail/control/single4_0.yml
index 89768d3..7612638 100644
--- a/opencontrail/control/single4_0.yml
+++ b/opencontrail/control/single4_0.yml
@@ -173,6 +173,7 @@
                 - /etc/zookeeper/conf/log4j.properties:/etc/zookeeper/conf/log4j.properties
                 - /var/log/contrail:/var/log/contrail
                 - /var/log/journal/contrail-controller:/var/log/journal
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
               network_mode: "host"
               privileged: true
               restart: always
@@ -189,6 +190,7 @@
                 - /etc/redis/redis.conf:/etc/redis/redis.conf
                 - /var/log/contrail:/var/log/contrail
                 - /var/log/journal/contrail-analytics:/var/log/journal
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
               env_file:
                 - contrail.env
             analyticsdb:
@@ -210,6 +212,7 @@
                 - /etc/zookeeper/conf/log4j.properties:/etc/zookeeper/conf/log4j.properties
                 - /var/log/contrail:/var/log/contrail
                 - /var/log/journal/contrail-analyticsdb:/var/log/journal
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
               network_mode: "host"
               privileged: true
               restart: always
diff --git a/openldap/client/init.yml b/openldap/client/init.yml
index 25812f6..c0c20a8 100644
--- a/openldap/client/init.yml
+++ b/openldap/client/init.yml
@@ -3,7 +3,10 @@
 parameters:
   _param:
     openldap_server: ${_param:cluster_vip_address}
-    openldap_tls: false
+    openldap_tls:
+      starttls: true
+      keyfile: /etc/haproxy/ssl/drivetrain.key
+      certfile: /etc/haproxy/ssl/drivetrain.crt
   openldap:
     client:
       server:
diff --git a/openssh/server/team/members/gmani.yml b/openssh/server/team/members/gmani.yml
new file mode 100644
index 0000000..7a25132
--- /dev/null
+++ b/openssh/server/team/members/gmani.yml
@@ -0,0 +1,20 @@
+parameters:
+  linux:
+    system:
+      user:
+        gmani:
+          enabled: true
+          name: gmani
+          sudo: ${_param:linux_system_user_sudo}
+          full_name: Gautam Mani
+          home: /home/gmani
+          email: gmani@mirantis.com
+  openssh:
+    server:
+      user:
+        gmani:
+          enabled: true
+          public_keys:
+          - key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+k2aPVLU8M9AfAGoJU7m48yjBIB/AxNzqiyMi2yPy9BaH3q4zPCTY0e8CLX6W0vU/uATBOoLjtWgLUmBqW6eOTD09zb60CKJy+vQUYVLZEEV1Aa2hxJ6zl0ruwCinmKDnLFkLe5HQmcLPWHccO3IvxaKAYCKeI9LFpiV/NwzYpjqrSP35jw36cMvxK8pvkw0YEZNz/+ApSB5JQWpFPM3563b6W0oH1/sX97MdxUuggRGNmS5Xd5TrxOPiQAipIXGGBNlafT7/IfWnJGhlIWYe2yQrbefOQ9RjaUA3VlU+YGAlcTLu5VWg3rKfMgdvNsA56doxYquRc6w+Sv/C8Eip gmani@1153-MBP15.local 
+          user: ${linux:system:user:gmani}
+
diff --git a/openssh/server/team/members/someara.yml b/openssh/server/team/members/someara.yml
new file mode 100644
index 0000000..eab2c90
--- /dev/null
+++ b/openssh/server/team/members/someara.yml
@@ -0,0 +1,20 @@
+parameters:
+  linux:
+    system:
+      user:
+        someara:
+          enabled: true
+          name: someara
+          sudo: ${_param:linux_system_user_sudo}
+          full_name: Shaun OMeara
+          home: /home/someara
+          email: someara@mirantis.com
+  openssh:
+    server:
+      user:
+        someara:
+          enabled: true
+          public_keys:
+          - key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwH33yz82vYBUYFlJ5LJT+4NFJNUTzeBobJVlEtv6Hwd1t+xGrze5F3RZ/M1U24YOjnXoN4SutC7nciPfvUUYhLEBKA6/0n4v+yRf+pnovmH2RA6FJ4D9lKAbmdr7O0BRrzE++iUwzCnZIsDdfc+pQPfis2IYpN878x/F8jfvkMCvQRSN8Oyn3IeB2Yc/RMBWObNYD9Cm0KjtmZxwpyP+J6tzxj34e5kJRDCIAAYnS3Gmr9SJpJBx/Z80meeT44HdGz5RnKT2ouxAZUf7hxGKH6h0fYjwdwcs89QsyCBTvrXXuWPADFuBjvJcqTf5PmcqOZTIgM9lyI7rlzw6ynkxn shauno@Shauns-MacBook-Pro.local 
+          user: ${linux:system:user:someara}
+
diff --git a/openssh/server/team/pm_team.yml b/openssh/server/team/pm_team.yml
new file mode 100644
index 0000000..af18aca
--- /dev/null
+++ b/openssh/server/team/pm_team.yml
@@ -0,0 +1,7 @@
+classes:
+- system.openssh.server.team.members.someara
+- system.openssh.server.team.members.gmani
+
+parameters:
+  _param:
+    linux_system_user_sudo: true
diff --git a/prometheus/gainsight/query/openstack.yml b/prometheus/gainsight/query/openstack.yml
index a826155..3ab9ed5 100644
--- a/prometheus/gainsight/query/openstack.yml
+++ b/prometheus/gainsight/query/openstack.yml
@@ -11,11 +11,11 @@
         instances: "'Instances','avg(sum(avg_over_time(openstack_nova_instances{state=\"active\"}[24h])) by (instance))'"
         compute_nodes: "'Compute Nodes','avg(sum(openstack_nova_services{binary=~\"nova.compute\"}) by (instance))'"
         tenants: "'Tenants','avg(sum(avg_over_time(openstack_keystone_tenants_total[24h])) by (instance))'"
-        cinder_api: "'Cinder API','avg(avg_over_time(openstack_api_check_status{name=\"cinderv2\"}[24h]))'"
-        nova_api: "'Nova API','avg(avg_over_time(openstack_api_check_status{name=\"nova\"}[24h]))'"
-        keystone_api: "'Keystone API','avg(avg_over_time(openstack_api_check_status{name=\"keystone\"}[24h]))'"
-        glance_api: "'Glance API','avg(avg_over_time(openstack_api_check_status{name=\"glance\"}[24h]))'"
-        neutron_api: "'Neutron API','avg(avg_over_time(openstack_api_check_status{name=\"neutron\"}[24h]))'"
+        cinder_api: "'Cinder API','avg_over_time(name:openstack_api_check_status:avg5m:for5m:ceil:avg5m:floor{name=\"cinderv2\"}[24h])'"
+        nova_api: "'Nova API','avg_over_time(name:openstack_api_check_status:avg5m:for5m:ceil:avg5m:floor{name=\"nova\"}[24h])'"
+        keystone_api: "'Keystone API','avg_over_time(name:openstack_api_check_status:avg5m:for5m:ceil:avg5m:floor{name=\"keystone\"}[24h])'"
+        glance_api: "'Glance API','avg_over_time(name:openstack_api_check_status:avg5m:for5m:ceil:avg5m:floor{name=\"glance\"}[24h])'"
+        neutron_api: "'Neutron API','avg_over_time(name:openstack_api_check_status:avg5m:for5m:ceil:avg5m:floor{name=\"neutron\"}[24h])'"
         compute_instance_create_start: "'VM creation start','sum(compute_instance_create_start_event_doc_count)'"
         compute_instance_create_end: "'VM creation end','sum(compute_instance_create_end_event_doc_count)'"
         compute_instance_create_error: "'VM creation error','sum(compute_instance_create_error_event_doc_count)'"
diff --git a/salt/master/single.yml b/salt/master/single.yml
index c007031..64ddf88 100644
--- a/salt/master/single.yml
+++ b/salt/master/single.yml
@@ -4,11 +4,12 @@
 parameters:
   linux:
     system:
-      sysctl:
-        net.core.rmem_max: 16777216
-        net.core.wmem_max: 16777216
-        net.ipv4.tcp_rmem: 4096 87380 16777216
-        net.ipv4.tcp_wmem: 4096 87380 16777216
+      kernel:
+        sysctl:
+          net.core.rmem_max: 16777216
+          net.core.wmem_max: 16777216
+          net.ipv4.tcp_rmem: 4096 87380 16777216
+          net.ipv4.tcp_wmem: 4096 87380 16777216
   salt:
     master:
       accept_policy: auto_accept
diff --git a/salt/minion/cert/proxy/drivetrain_ssl.yml b/salt/minion/cert/proxy/drivetrain_ssl.yml
index aecb5fb..5e7cf5f 100644
--- a/salt/minion/cert/proxy/drivetrain_ssl.yml
+++ b/salt/minion/cert/proxy/drivetrain_ssl.yml
@@ -2,7 +2,7 @@
   salt:
     minion:
       cert:
-        gerrit:
+        drivetrain:
           host: ${_param:salt_minion_ca_host}
           authority: ${_param:salt_minion_ca_authority}
           common_name: drivetrain
diff --git a/telegraf/agent/init.yml b/telegraf/agent/init.yml
index 64ef566..213d3ba 100644
--- a/telegraf/agent/init.yml
+++ b/telegraf/agent/init.yml
@@ -1,5 +1,6 @@
 classes:
 - service.telegraf.agent
+- system.telegraf.agent.input.internal
 - system.telegraf.agent.input.http_listener
 - system.telegraf.agent.output.prometheus_client
 - system.telegraf.sudo
diff --git a/telegraf/agent/input/internal.yml b/telegraf/agent/input/internal.yml
new file mode 100644
index 0000000..aba90c8
--- /dev/null
+++ b/telegraf/agent/input/internal.yml
@@ -0,0 +1,5 @@
+parameters:
+  telegraf:
+    agent:
+      input:
+        internal:
diff --git a/vnf_onboarding/common/init.yml b/vnf_onboarding/common/init.yml
index f988897..88ade04 100644
--- a/vnf_onboarding/common/init.yml
+++ b/vnf_onboarding/common/init.yml
@@ -1,7 +1,6 @@
 parameters:
   _param:
     mcp_docker_registry: 'docker-dev-local.docker.mirantis.net'
-    vnf_gerrit_credentials: "gerrit"
     vnf_openstack_api_url: "${_param:cluster_public_protocol}://${_param:cluster_public_host}:5000/v2.0"
     vnf_openstack_api_credentials: "test-openstack"
     vnf_openstack_api_admin_credentials: "admin-openstack"
diff --git a/vnf_onboarding/common/jenkins_job.yml b/vnf_onboarding/common/jenkins_job.yml
index b63aa34..a928d2f 100644
--- a/vnf_onboarding/common/jenkins_job.yml
+++ b/vnf_onboarding/common/jenkins_job.yml
@@ -12,7 +12,7 @@
           scm:
             type: git
             url: "${_param:jenkins_gerrit_url}/vnf-onboarding/pipelines"
-            credentials: "${_param:vnf_gerrit_credentials}"
+            credentials: "${_param:jenkins_gerrit_credentials}"
             script: deploy_cloudify.groovy
           param:
             OPENSTACK_API_URL:
@@ -33,7 +33,7 @@
               default: "master"
             NFV_PLATFORM_REPO_CREDENTIALS:
               type: string
-              default: "${_param:vnf_gerrit_credentials}"
+              default: "${_param:jenkins_gerrit_credentials}"
             CFM_IMAGE:
               type: string
               default: "cloudify-manager-4.3.1ga"
diff --git a/vnf_onboarding/common/mirrors.yml b/vnf_onboarding/common/mirrors.yml
index 83d11c0..c830d85 100644
--- a/vnf_onboarding/common/mirrors.yml
+++ b/vnf_onboarding/common/mirrors.yml
@@ -9,7 +9,9 @@
         downstream: vnf-onboarding/pipelines
         upstream: ${_param:gerrit_vnf_onboaring_pipelines_repo}
         branches: master
+        source_credentials: "${_param:vnf_onboaring_source_credentials}"
       - name: nfv-platform
         downstream: vnf-onboarding/nfv-platform
         upstream: ${_param:gerrit_vnf_onboaring_nfv_platform_repo}
-        branches: master
\ No newline at end of file
+        branches: master
+        source_credentials: "${_param:vnf_onboaring_source_credentials}"
\ No newline at end of file
diff --git a/vnf_onboarding/vnf/avi_loadbalancer/jenkins_template.yml b/vnf_onboarding/vnf/avi_loadbalancer/jenkins_template.yml
index 54d82fc..c4ad531 100644
--- a/vnf_onboarding/vnf/avi_loadbalancer/jenkins_template.yml
+++ b/vnf_onboarding/vnf/avi_loadbalancer/jenkins_template.yml
@@ -17,7 +17,7 @@
             scm:
               type: git
               url: "${_param:jenkins_gerrit_url}/vnf-onboarding/pipelines"
-              credentials: "${_param:vnf_gerrit_credentials}"
+              credentials: "${_param:jenkins_gerrit_credentials}"
               script: test_vnf_onboarding.groovy
             trigger:
               gerrit:
@@ -59,7 +59,7 @@
                 default: "test-avi"
               GERRIT_CREDENTIALS:
                 type: string
-                default: "${_param:vnf_gerrit_credentials}"
+                default: "${_param:jenkins_gerrit_credentials}"
               ELASTIC_URL:
                 type: string
                 default: "${_param:vnf_elastic_url}"
@@ -75,7 +75,7 @@
                 default: "master"
               NFV_PLATFORM_REPO_CREDENTIALS:
                 type: string
-                default: "${_param:vnf_gerrit_credentials}"
+                default: "${_param:jenkins_gerrit_credentials}"
               CONTRAIL_ENABLED:
                 type: boolean
                 default: false
diff --git a/vnf_onboarding/vnf/avi_loadbalancer/mirrors.yml b/vnf_onboarding/vnf/avi_loadbalancer/mirrors.yml
index c74bda3..0b47570 100644
--- a/vnf_onboarding/vnf/avi_loadbalancer/mirrors.yml
+++ b/vnf_onboarding/vnf/avi_loadbalancer/mirrors.yml
@@ -7,4 +7,5 @@
       - name: avi-loadbalancer
         downstream: vnf-onboarding/avi-loadbalancer
         upstream: ${_param:gerrit_vnf_onboaring_avi_repo}
-        branches: master
\ No newline at end of file
+        branches: master
+        source_credentials: "${_param:vnf_onboaring_source_credentials}"
\ No newline at end of file
diff --git a/vnf_onboarding/vnf/metaswitch_vsbc/jenkins_job.yml b/vnf_onboarding/vnf/metaswitch_vsbc/jenkins_job.yml
index e480d46..709ab38 100644
--- a/vnf_onboarding/vnf/metaswitch_vsbc/jenkins_job.yml
+++ b/vnf_onboarding/vnf/metaswitch_vsbc/jenkins_job.yml
@@ -14,7 +14,7 @@
             scm:
               type: git
               url: "${_param:jenkins_gerrit_url}/vnf-onboarding/pipelines"
-              credentials:  "${_param:vnf_gerrit_credentials}"
+              credentials: "${_param:jenkins_gerrit_credentials}"
               script: test_vnf_onboarding.groovy
             trigger:
               gerrit:
@@ -53,7 +53,7 @@
                 default: "test-metaswitch"
               GERRIT_CREDENTIALS:
                 type: string
-                default: "${_param:vnf_gerrit_credentials}"
+                default: "${_param:jenkins_gerrit_credentials}"
               ELASTIC_URL:
                 type: string
                 default: "${_param:vnf_elastic_url}"
@@ -70,7 +70,7 @@
                 default: "master"
               NFV_PLATFORM_REPO_CREDENTIALS:
                 type: string
-                default: "${_param:vnf_gerrit_credentials}"
+                default: "${_param:jenkins_gerrit_credentials}"
               CONTRAIL_ENABLED:
                 type: boolean
                 default: false
@@ -146,7 +146,7 @@
           scm:
             type: git
             url: "${_param:jenkins_gerrit_url}/vnf-onboarding/pipelines"
-            credentials: "${_param:vnf_gerrit_credentials}"
+            credentials: "${_param:jenkins_gerrit_credentials}"
             script: test_platform.groovy
           param:
             OPENSTACK_API_CREDENTIALS:
@@ -202,7 +202,7 @@
               default: "master"
             VNF_PLATFORM_TESTS_REPO_CREDENTIALS:
               type: string
-              default: "${_param:vnf_gerrit_credentials}"
+              default: "${_param:jenkins_gerrit_credentials}"
             TEMPEST_IMAGE_DOCKER_REGISTRY_PATH:
               type: string
               description: "Path for docker image with testing tool.  If empty, image will be build using VNF_PLATFORM_TESTS_* parameters."
@@ -221,7 +221,7 @@
               default: "${_param:jenkins_gerrit_url}/vnf-onboarding/nfv-platform"
             ELASTIC_TRANSFER_REPO_CREDENTIALS:
               type: string
-              default: "${_param:vnf_gerrit_credentials}"
+              default: "${_param:jenkins_gerrit_credentials}"
             ELASTIC_TRANSFER_REPO_BRANCH:
               type: string
               default: "master"
diff --git a/vnf_onboarding/vnf/metaswitch_vsbc/mirrors.yml b/vnf_onboarding/vnf/metaswitch_vsbc/mirrors.yml
index 0a0c300..f032fb4 100644
--- a/vnf_onboarding/vnf/metaswitch_vsbc/mirrors.yml
+++ b/vnf_onboarding/vnf/metaswitch_vsbc/mirrors.yml
@@ -9,7 +9,9 @@
         downstream: vnf-onboarding/metaswitch-vsbc
         upstream: ${_param:gerrit_vnf_onboaring_metaswitch_repo}
         branches: master
+        source_credentials: "${_param:vnf_onboaring_source_credentials}"
       - name: platform-tests
         downstream: vnf-onboarding/platform-tests
         upstream: ${_param:gerrit_vnf_onboaring_platform_tests_repo}
-        branches: master
\ No newline at end of file
+        branches: master
+        source_credentials: "${_param:vnf_onboaring_source_credentials}"
\ No newline at end of file
diff --git a/vnf_onboarding/vnf/mock_nginx/jenkins_template.yml b/vnf_onboarding/vnf/mock_nginx/jenkins_template.yml
index e2f4cbd..b72994e 100644
--- a/vnf_onboarding/vnf/mock_nginx/jenkins_template.yml
+++ b/vnf_onboarding/vnf/mock_nginx/jenkins_template.yml
@@ -18,7 +18,7 @@
             scm:
               type: git
               url: "${_param:jenkins_gerrit_url}/vnf-onboarding/pipelines"
-              credentials: "${_param:vnf_gerrit_credentials}"
+              credentials: "${_param:jenkins_gerrit_credentials}"
               script: test_vnf_onboarding.groovy
             trigger:
               gerrit:
@@ -60,7 +60,7 @@
                 default: "test-nginx"
               GERRIT_CREDENTIALS:
                 type: string
-                default: "${_param:vnf_gerrit_credentials}"
+                default: "${_param:jenkins_gerrit_credentials}"
               ELASTIC_URL:
                 type: string
                 default: "${_param:vnf_elastic_url}"
@@ -77,7 +77,7 @@
                 default: "master"
               NFV_PLATFORM_REPO_CREDENTIALS:
                 type: string
-                default: "${_param:vnf_gerrit_credentials}"
+                default: "${_param:jenkins_gerrit_credentials}"
               CONTRAIL_ENABLED:
                 type: boolean
                 default: false
diff --git a/vnf_onboarding/vnf/mock_nginx/mirrors.yml b/vnf_onboarding/vnf/mock_nginx/mirrors.yml
index 6aff50c..76ca94c 100644
--- a/vnf_onboarding/vnf/mock_nginx/mirrors.yml
+++ b/vnf_onboarding/vnf/mock_nginx/mirrors.yml
@@ -7,4 +7,5 @@
       - name: nginx-vnf
         downstream: vnf-onboarding/nginx-vnf
         upstream: ${_param:gerrit_vnf_onboaring_nginx_repo}
-        branches: master
\ No newline at end of file
+        branches: master
+        source_credentials: "${_param:vnf_onboaring_source_credentials}"
\ No newline at end of file