diff --git a/aodh/server/coordination/redis.yml b/aodh/server/coordination/redis.yml
index e013e0f..16e2838 100644
--- a/aodh/server/coordination/redis.yml
+++ b/aodh/server/coordination/redis.yml
@@ -1,7 +1,20 @@
 classes:
 - service.redis.server.single
 parameters:
+  _param:
+    aodh_coordination_url: redis://openstack:${_param:openstack_telemetry_redis_password}@${_param:redis_sentinel_node01_address}:26379?db=0&sentinel=master_1&sentinel_fallback=${_param:redis_sentinel_node02_address}:26379&sentinel_fallback=${_param:redis_sentinel_node03_address}:26379
   aodh:
     server:
       coordination_backend:
-        url:  redis://${_param:single_address}:6379/${_param:cluster_node01_address}
+        url: ${_param:aodh_coordination_url}
+        engine: redis
+        redis:
+          password: ${_param:openstack_telemetry_redis_password}
+          user: openstack
+          db: ${_param:aodh_redis_db}
+          sentinel:
+            host: ${_param:redis_sentinel_node01_address}
+            master_name: ${_param:aodh_redis_sentinel_mastername}
+            fallback:
+              - host: ${_param:redis_sentinel_node02_address}
+              - host: ${_param:redis_sentinel_node03_address}
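Review bot: The new `aodh_coordination_url` hard-codes `db=0` and `sentinel=master_1`, while the structured `redis:` keys added below it read `${_param:aodh_redis_db}` and `${_param:aodh_redis_sentinel_mastername}`, so overriding either parameter changes one representation and not the other. Building the query string from the same parameters keeps them in step: `?db=${_param:aodh_redis_db}&sentinel=${_param:aodh_redis_sentinel_mastername}&sentinel_fallback=...`. The password is also interpolated raw into the URL userinfo, so a value containing `@`, `/`, `?` or `#` would be mis-parsed unless it is percent-encoded or the allowed character set is documented. The rendered URL is itself a credential wherever it ends up in config files or logs. The ceilometer coordination hunk has the same issues.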
diff --git a/billometer/server/single.yml b/billometer/server/single.yml
index 8152202..c606303 100644
--- a/billometer/server/single.yml
+++ b/billometer/server/single.yml
@@ -7,16 +7,8 @@
 - service.supervisor.server.single
 parameters:
   _param:
-    billometer_secret_key: billometer
     keystone_billometer_address: localhost
-    keystone_billometer_password: password
-    postgresql_billometer_password: password
-    postgresql_graphite_password: password
     rabbitmq_admin_name: admin
-    rabbitmq_admin_password: password
-    rabbitmq_secret_key: rabbitmq
-    rabbitmq_billometer_password: password
-    rabbitmq_graphite_password: password
   postgresql:
     server:
       database:
diff --git a/ceilometer/server/coordination/redis.yml b/ceilometer/server/coordination/redis.yml
index e8610f3..7b0edac 100644
--- a/ceilometer/server/coordination/redis.yml
+++ b/ceilometer/server/coordination/redis.yml
@@ -1,7 +1,20 @@
 classes:
 - service.redis.server.single
 parameters:
+  _param:
+    ceilometer_coordination_url: redis://openstack:${_param:openstack_telemetry_redis_password}@${_param:redis_sentinel_node01_address}:26379?db=0&sentinel=master_1&sentinel_fallback=${_param:redis_sentinel_node02_address}:26379&sentinel_fallback=${_param:redis_sentinel_node03_address}:26379
   ceilometer:
     server:
       coordination_backend:
-        url:  redis://${_param:single_address}:6379/${_param:cluster_node01_address}
+        url: ${_param:ceilometer_coordination_url}
+        engine: redis
+        redis:
+          password: ${_param:openstack_telemetry_redis_password}
+          user: openstack
+          db: ${_param:ceilometer_redis_db}
+          sentinel:
+            host: ${_param:redis_sentinel_node01_address}
+            master_name: ${_param:ceilometer_redis_sentinel_mastername}
+            fallback:
+              - host: ${_param:redis_sentinel_node02_address}
+              - host: ${_param:redis_sentinel_node03_address}
diff --git a/cinder/control/cluster.yml b/cinder/control/cluster.yml
index 7f8e2d7..8aa97c4 100644
--- a/cinder/control/cluster.yml
+++ b/cinder/control/cluster.yml
@@ -27,6 +27,8 @@
       backend: {}
       version: ${_param:cinder_version}
       role: ${_param:openstack_node_role}
+      # set 'image_conversion_dir' option in case of ceph deployment volume and controller running on the same node
+      image_conversion_dir: ${_param:cinder_image_conversion_dir_path}
       osapi:
         host: ${_param:cluster_local_address}
       database:
diff --git a/cinder/control/single.yml b/cinder/control/single.yml
index b8f670d..bae7bfc 100644
--- a/cinder/control/single.yml
+++ b/cinder/control/single.yml
@@ -19,6 +19,8 @@
       backend: {}
       default_volume_type: ''
       role: ${_param:openstack_node_role}
+      # set 'image_conversion_dir' option in case of ceph deployment volume and controller running on the same node
+      image_conversion_dir: ${_param:cinder_image_conversion_dir_path}
       database:
         host: ${_param:single_address}
         x509:
diff --git a/cinder/volume/local.yml b/cinder/volume/local.yml
index 301946b..cd07d4d 100644
--- a/cinder/volume/local.yml
+++ b/cinder/volume/local.yml
@@ -7,6 +7,7 @@
   cinder:
     volume:
       enabled: True
+      image_conversion_dir: ${_param:cinder_image_conversion_dir_path}
       database:
         host: ${_param:single_address}
         x509:
diff --git a/cinder/volume/single.yml b/cinder/volume/single.yml
index 9531aa4..34f5744 100644
--- a/cinder/volume/single.yml
+++ b/cinder/volume/single.yml
@@ -13,6 +13,7 @@
   cinder:
     volume:
       enabled: True
+      image_conversion_dir: ${_param:cinder_image_conversion_dir_path}
       database:
         host: ${_param:openstack_database_address}
         x509:
diff --git a/defaults/docker_images.yml b/defaults/docker_images.yml
index 1c43a70..a4f7fc2 100644
--- a/defaults/docker_images.yml
+++ b/defaults/docker_images.yml
@@ -23,29 +23,29 @@
     docker_image_operations_api: "${_param:mcp_docker_registry}/mirantis/model-generator/operations-api:${_param:mcp_version}"
     docker_image_operations_ui: "${_param:mcp_docker_registry}/mirantis/model-generator/operations-ui:${_param:mcp_version}"
     # OpenContrail
-    opencontrail_docker_image_tag: "2019.2.3"
+    opencontrail_docker_image_tag: "2019.2.4"
     # stacklight
     # 6.5.0 version, from 11/29/2018, differ from latest upstream 6.5.0 - update next cycle
     docker_image_alerta: "${_param:mcp_docker_registry}/mirantis/external/alerta-web:${_param:mcp_version}"
-    docker_image_alertmanager: "${_param:mcp_docker_registry}/openstack-docker/alertmanager:${_param:mcp_version}"
+    docker_image_alertmanager: "${_param:mcp_docker_registry}/openstack-docker/alertmanager:2019.2.4"
     docker_image_grafana: "${_param:mcp_docker_registry}/openstack-docker/grafana:${_param:mcp_version}"
-    docker_image_prometheus_es_exporter: "${_param:mcp_docker_registry}/mirantis/external/braedon/prometheus-es-exporter:0.5.1"
+    docker_image_prometheus_es_exporter: "${_param:mcp_docker_registry}/openstack-docker/prometheus-es-exporter:2019.2.4"
     docker_image_prometheus: "${_param:mcp_docker_registry}/openstack-docker/prometheus:${_param:mcp_version}"
-    docker_image_prometheus_gainsight: "${_param:mcp_docker_registry}/openstack-docker/gainsight:2019.2.3"
+    docker_image_prometheus_gainsight: "${_param:mcp_docker_registry}/openstack-docker/gainsight:2019.2.4"
     docker_image_prometheus_gainsight_elasticsearch: "${_param:mcp_docker_registry}/openstack-docker/gainsight_elasticsearch:${_param:mcp_version}"
     docker_image_prometheus_relay: "${_param:mcp_docker_registry}/openstack-docker/prometheus_relay:${_param:mcp_version}"
     docker_image_pushgateway: "${_param:mcp_docker_registry}/openstack-docker/pushgateway:${_param:mcp_version}"
-    docker_image_remote_agent: "${_param:mcp_docker_registry}/openstack-docker/telegraf:${_param:mcp_version}"
+    docker_image_remote_agent: "${_param:mcp_docker_registry}/openstack-docker/telegraf:2019.2.4"
     docker_image_remote_collector: "${_param:mcp_docker_registry}/openstack-docker/heka:${_param:mcp_version}"
     docker_image_remote_storage_adapter: "${_param:mcp_docker_registry}/openstack-docker/remote_storage_adapter:${_param:mcp_version}"
-    docker_image_sf_notifier: "${_param:mcp_docker_registry}/openstack-docker/sf_notifier:2019.2.3"
+    docker_image_sf_notifier: "${_param:mcp_docker_registry}/openstack-docker/sf_notifier:2019.2.4"
     ##
     docker_image_cockroachdb: "${_param:mcp_docker_registry}/mirantis/external/cockroach/cockroach:v2.1.1"
     # keycloak
     docker_image_keycloak_server: "${_param:mcp_docker_registry}/mirantis/external/jboss/keycloak:4.5.0.Final"
     docker_image_keycloak_proxy: "${_param:mcp_docker_registry}/mirantis/external/jboss/keycloak:3.4.2.Final"
     # CVP
-    docker_image_cvp_sanity_checks: ${_param:mcp_docker_registry}/mirantis/cvp/cvp-sanity-checks:2019.2.3
+    docker_image_cvp_sanity_checks: ${_param:mcp_docker_registry}/mirantis/cvp/cvp-sanity-checks:2019.2.4
     docker_image_cvp_shaker_checks: ${_param:mcp_docker_registry}/mirantis/cvp/cvp-shaker:2019.2.3
     # aptly
     docker_image_aptly:
@@ -134,13 +134,13 @@
           name: elasticsearch:${_param:mcp_version}
         - registry: ${_param:mcp_docker_registry}/openstack-docker
           target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/openstack-docker
-          name: sf_notifier:${_param:mcp_version}
+          name: sf_notifier:2019.2.4
         - registry: ${_param:mcp_docker_registry}/openstack-docker
           target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/openstack-docker
           name: gainsight_elasticsearch:${_param:mcp_version}
         - registry: ${_param:mcp_docker_registry}/mirantis/external/braedon
-          target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/mirantis/external/braedon
-          name: prometheus-es-exporter:0.5.1
+          target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/openstack-docker
+          name: prometheus-es-exporter:2019.2.4
 
         # QA\CVP tool-set's
         - registry: ${_param:mcp_docker_registry}/mirantis/oss
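Review bot: The mirror entry for prometheus-es-exporter keeps `registry: ${_param:mcp_docker_registry}/mirantis/external/braedon` on its unchanged first line, while `target_registry` and the tag now follow the `openstack-docker` image, so the mirror would presumably try to pull `prometheus-es-exporter:2019.2.4` from the old upstream path. If the image moved, the source line should move with it: `- registry: ${_param:mcp_docker_registry}/openstack-docker`. Pulling from one namespace and publishing under another also makes the provenance of the mirrored image harder to audit. The list this entry belongs to starts and ends outside the hunk.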
diff --git a/defaults/glusterfs.yml b/defaults/glusterfs.yml
new file mode 100644
index 0000000..72a68da
--- /dev/null
+++ b/defaults/glusterfs.yml
@@ -0,0 +1,4 @@
+parameters:
+  _param:
+    glusterfs_allow_ips: '*'
+    glusterfs_reject_ips: none
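Review bot: `glusterfs_allow_ips: '*'` together with `glusterfs_reject_ips: none` makes allow-all the default for every model that includes system.defaults, presumably for the volume client access list (the consumer is not in this diff). A comment should say so and point at the override, e.g. `# '*' admits every client address; override with the storage network in the cluster model`. If the consuming class accepts addresses or subnets, defaulting to the storage or control network would be the safer baseline.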
diff --git a/defaults/haproxy/elasticsearch.yml b/defaults/haproxy/elasticsearch.yml
new file mode 100644
index 0000000..07db053
--- /dev/null
+++ b/defaults/haproxy/elasticsearch.yml
@@ -0,0 +1,6 @@
+parameters:
+  _param:
+    haproxy_elasticsearch_http_bind_port: 9200
+    haproxy_elasticsearch_http_exposed_port: 9200
+    haproxy_elasticsearch_binary_bind_port: 9300
+    haproxy_elasticsearch_binary_exposed_port: 9300
diff --git a/defaults/haproxy/init.yml b/defaults/haproxy/init.yml
new file mode 100644
index 0000000..499e085
--- /dev/null
+++ b/defaults/haproxy/init.yml
@@ -0,0 +1,2 @@
+classes:
+- system.defaults.haproxy.elasticsearch
diff --git a/defaults/init.yml b/defaults/init.yml
index 733bfe2..c90c404 100644
--- a/defaults/init.yml
+++ b/defaults/init.yml
@@ -10,8 +10,11 @@
 - system.defaults.linux_system_file
 - system.defaults.backupninja
 - system.defaults.git
+- system.defaults.glusterfs
+- system.defaults.nginx
 - system.defaults.jenkins
 - system.defaults.maas
+- system.defaults.opencontrail
 - system.defaults.openstack
 - system.defaults.galera
 - system.defaults.rabbitmq
@@ -20,8 +23,10 @@
 - system.defaults.gerrit
 - system.defaults.keepalived
 - system.defaults.salt
+- system.defaults.secrets
 - system.defaults.stacklight
 - system.defaults.xtrabackup
+- system.defaults.haproxy
 parameters:
   _param:
     mcp_version: stable
@@ -51,3 +56,6 @@
     # Cloudwatch api removed from Queens
     openstack_heat_cloudwatch_api_enabled: True
 
+    salt_master_host: '127.0.0.1'
+    infra_config_address: '127.0.0.1'
+    reclass_config_master: '127.0.0.1'
diff --git a/defaults/jenkins.yml b/defaults/jenkins.yml
index 36bcbfb..d01bf4e 100644
--- a/defaults/jenkins.yml
+++ b/defaults/jenkins.yml
@@ -3,3 +3,4 @@
     jenkins_master_port: 8081
     jenkins_master_protocol: http
     jenkins_pipelines_branch: "master"
+    jenkins_salt_api_url: "https://${_param:salt_master_host}:${_param:nginx_proxy_salt_api_site_port}"
diff --git a/defaults/nginx.yml b/defaults/nginx.yml
new file mode 100644
index 0000000..dd47452
--- /dev/null
+++ b/defaults/nginx.yml
@@ -0,0 +1,5 @@
+parameters:
+  _param:
+    nginx_proxy_salt_api_proxy_protocol: 'http'
+    nginx_proxy_salt_api_site_port: 8969
+    nginx_proxy_salt_api_site_protocol: 'https'
diff --git a/defaults/opencontrail/init.yml b/defaults/opencontrail/init.yml
new file mode 100644
index 0000000..24cd68e
--- /dev/null
+++ b/defaults/opencontrail/init.yml
@@ -0,0 +1,6 @@
+parameters:
+  _param:
+    opencontrail_identity_protocol: http
+    opencontrail_identity_port: 35357
+    opencontrail_identity_version: '2.0'
+    opencontrail_admin_user: 'contrail'
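Review bot: `opencontrail_identity_protocol: http` on port 35357 makes plaintext access to the identity admin endpoint the default, so the credentials and tokens of `opencontrail_admin_user` cross the network unencrypted unless a model overrides it. A comment such as `# override to https when Keystone is served over TLS` would make the trade-off visible. `opencontrail_identity_version: '2.0'` also deserves a check, since upstream Keystone dropped the v2.0 API in Queens, which is this repository's default `openstack_version`.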
diff --git a/defaults/openstack/init.yml b/defaults/openstack/init.yml
index 711ab06..cc62919 100644
--- a/defaults/openstack/init.yml
+++ b/defaults/openstack/init.yml
@@ -14,12 +14,18 @@
     openstack_kmn_service_host: ${_param:openstack_kmn_service_hostname}.${linux:system:domain}
     openstack_telemetry_service_host: ${_param:openstack_telemetry_service_hostname}.${linux:system:domain}
     openstack_service_user_enabled: True
+    openstack_upgrade_enabled: False
+    openstack_telemetry_redis_db: '0'
+    openstack_telemetry_redis_sentinel_mastername: 'master_1'
+    openstack_region: RegionOne
     # SSL
     ceilometer_agent_ssl_enabled: False
     openstack_mysql_x509_enabled: False
     # for non-ssl use 5672 / for ssl 5671
     openstack_rabbitmq_port: 5672
     openstack_rabbitmq_x509_enabled: False
+    # RabbitMQ
+    rabbitmq_upgrade_enabled: ${_param:openstack_upgrade_enabled}
     # Openstack memcache
     openstack_memcached_server_bind_address: 0.0.0.0
     openstack_memcache_security_enabled: False
@@ -28,12 +34,11 @@
     openstack_memcached_proto_udp_enabled: False
     openstack_version: queens
     openstack_old_version: ${_param:openstack_version}
-    openstack_upgrade_enabled: False
     # Security compliance user options
     openstack_service_user_options:
       ignore_change_password_upon_first_use: True
       ignore_password_expiry: True
-      ignore_lockout_failure_attempts: False
+      ignore_lockout_failure_attempts: True
       lock_password: False
     # Cinder
     cinder_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
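Review bot: Flipping `ignore_lockout_failure_attempts` to `True` exempts service users from the failed-login lockout, and nothing in the hunk records why. The choice is defensible, since it stops repeated bad logins from locking a service account and taking the service down, but it also removes the throttle on password guessing against those accounts. A comment should state the trade-off, e.g. `# service users are exempt from lockout so failed logins cannot disable a service; give them long random passwords`. The `_param` mapping continues outside the hunk.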
@@ -42,6 +47,7 @@
     cinder_version: ${_param:openstack_version}
     cinder_upgrade_enabled: ${_param:openstack_upgrade_enabled}
     cinder_service_user_enabled: ${_param:openstack_service_user_enabled}
+    cinder_image_conversion_dir_path: /var/tmp/cinder/conversion
     # Nova
     nova_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
     nova_memcache_secret_key: ''
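Review bot: `cinder_image_conversion_dir_path` defaults to a path under `/var/tmp`, which is world-writable, so on a shared host a local user could create `/var/tmp/cinder` first unless the formula creates the directory itself with cinder ownership and a restrictive mode. The hunks in this commit only pass the path through to `image_conversion_dir`; whether and how the directory is created is not shown. A path under the service's own state directory would avoid the question. Otherwise add a comment stating the requirement, e.g. `# must be created by the formula, owned by cinder, not group/world writable`.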
@@ -69,16 +75,22 @@
     aodh_old_version: ${_param:openstack_old_version}
     aodh_version: ${_param:openstack_version}
     aodh_upgrade_enabled: ${_param:openstack_upgrade_enabled}
+    aodh_redis_db: ${_param:openstack_telemetry_redis_db}
+    aodh_redis_sentinel_mastername: ${_param:openstack_telemetry_redis_sentinel_mastername}
     # Ceilometer
     ceilometer_old_version: ${_param:openstack_old_version}
     ceilometer_version: ${_param:openstack_version}
     ceilometer_upgrade_enabled: ${_param:openstack_upgrade_enabled}
+    ceilometer_redis_db: ${_param:openstack_telemetry_redis_db}
+    ceilometer_redis_sentinel_mastername: ${_param:openstack_telemetry_redis_sentinel_mastername}
     # Gnocchi
     gnocchi_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
     gnocchi_memcache_secret_key: ''
     gnocchi_version: 4.0
     gnocchi_old_version: ${_param:gnocchi_version}
     gnocchi_upgrade_enabled: ${_param:openstack_upgrade_enabled}
+    gnocchi_redis_db: ${_param:openstack_telemetry_redis_db}
+    gnocchi_redis_sentinel_mastername: ${_param:openstack_telemetry_redis_sentinel_mastername}
     # Panko
     panko_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
     panko_memcache_secret_key: ''
diff --git a/defaults/salt/init.yml b/defaults/salt/init.yml
index 2e19089..d915fbe 100644
--- a/defaults/salt/init.yml
+++ b/defaults/salt/init.yml
@@ -48,3 +48,12 @@
     salt_control_trusty_image: ${_param:mcp_static_images_url}/ubuntu-14-04-x64-mcp${_param:mcp_version}.qcow2
     salt_control_xenial_image: ${_param:mcp_static_images_url}/ubuntu-16-04-x64-mcp${_param:mcp_version}.qcow2
 
+    salt_master_api_permissions:
+    - '.*'
+    - '@local'
+    - '@wheel'   # to allow access to all wheel modules
+    - '@runner'  # to allow access to all runner modules
+    - '@jobs'    # to allow access to the jobs runner and/or wheel mo
+
+    salt_minion_ca_authority: salt_master_ca
+    salt_master_api_bind_address: 0.0.0.0
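Review bot: The defaults added here grant the Salt API user `'.*'` plus `@wheel`, `@runner` and `@jobs`, and bind the API to `0.0.0.0`. Any holder of that one credential can therefore run every function on every minion and manage the master from any network that can reach it. As this is the fallback for every model, the list should be the minimum the pipelines need, or carry a comment that it amounts to root on the whole fleet and must be narrowed per deployment. The bind address would be safer as loopback or the management address if the nginx proxy implied by `nginx_proxy_salt_api_site_port` fronts the API. The last comment is cut off: `# to allow access to the jobs runner and/or wheel mo` should end `wheel modules`.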
diff --git a/defaults/secrets.yml b/defaults/secrets.yml
index 65b7bce..fe8a6a2 100644
--- a/defaults/secrets.yml
+++ b/defaults/secrets.yml
@@ -40,11 +40,19 @@
 #    jenkins_client_password: <<CHANGEME>>
 #    jenkins_security_ldap_manager_password: <<CHANGEME>>
 #    oss_jenkins_password: <<CHANGEME>>
+#    jenkins_slave_password: <<CHANGEME>>
 
 #   Gerrit/LDAP
     gerrit_ldap_bind_password: password
 
 #   Docker
+#    docker_mongodb_admin_password: <<CHANGEME>>
+#    janitor_monkey_mongodb_password: <<CHANGEME>>
+#    janitor_monkey_openstack:
+#      password: <<CHANGEME>>
+#    security_monkey_password: <<CHANGEME>>
+#    security_monkey_openstack:
+#      password: <<CHANGEME>>
 #    keycloak_admin_password: <<CHANGEME>>
 #    kqueen_api_ldap_password: <<CHANGEME>>
 #    kqueen_credentials:
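Review bot: `gerrit_ldap_bind_password: password` is the one uncommented secret visible in this hunk. With `system.defaults.secrets` now listed in defaults/init.yml and the empty-string defaults removed from the gerrit classes, `password` becomes the effective bind password for any model that does not override it. Turning it into a placeholder like its neighbours, `#    gerrit_ldap_bind_password: <<CHANGEME>>`, would presumably make a missing value fail at render time instead of deploying a known password. Separately, `jenkins_slave_password` is added as a placeholder here while the slave stacks in this commit stop referencing it, so it may be dead. The file continues outside the hunk.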
@@ -60,7 +68,6 @@
 #    nova_compute_ssh_public: <<CHANGEME>>
 #    nova_compute_ssh_private: <<CHANGEME>>
 
-
 #   Grafana
 #    grafana_password: <<CHANGEME>>
 #    grafana_database_password: <<CHANGEME>>
@@ -76,7 +83,6 @@
 #   Galera
 #    galera_clustercheck_password: <<CHANGEME>>
 
-#    Generic
+#   Generic
 #    root_private_key:
 #    root_public_key:
-
diff --git a/defaults/stacklight.yml b/defaults/stacklight.yml
index 1abbb5e..625d20c 100644
--- a/defaults/stacklight.yml
+++ b/defaults/stacklight.yml
@@ -1,5 +1,10 @@
 parameters:
   _param:
+    # ELK settings
+    stacklight_notification_topic: stacklight_notifications
+    fluentd_elasticsearch_host: 127.0.0.1
+    fluentd_elasticsearch_port: 9200
+    fluentd_elasticsearch_scheme: http
     # ELK stack versions
     elasticsearch_version: 5
     kibana_version: 5
diff --git a/devops_portal/service/jenkins.yml b/devops_portal/service/jenkins.yml
index ee00912..b800188 100644
--- a/devops_portal/service/jenkins.yml
+++ b/devops_portal/service/jenkins.yml
@@ -1,7 +1,6 @@
 parameters:
   _param:
     oss_jenkins_user: admin
-    oss_jenkins_password: password
   devops_portal:
     config:
       service:
diff --git a/docker/client/compose/service/gerrit.yml b/docker/client/compose/service/gerrit.yml
index 69b2a2c..67af5eb 100644
--- a/docker/client/compose/service/gerrit.yml
+++ b/docker/client/compose/service/gerrit.yml
@@ -4,7 +4,6 @@
   _param:
     gerrit_ldap_server: ""
     gerrit_ldap_bind_user: ""
-    gerrit_ldap_bind_password: ""
     gerrit_ldap_account_base: ""
     gerrit_ldap_group_base: ""
     gerrit_http_listen_url: http://*:8080/
diff --git a/docker/client/compose/service/jenkins.yml b/docker/client/compose/service/jenkins.yml
index 55aacdc..7045b66 100644
--- a/docker/client/compose/service/jenkins.yml
+++ b/docker/client/compose/service/jenkins.yml
@@ -3,7 +3,7 @@
 parameters:
   _param:
     jenkins_master_extra_opts: ""
-    jenkins_master_executors_num: 4
+    jenkins_master_executors_num: 0
     jenkins_master_max_concurent_requests: 40
     jenkins_home_dir_path: /var/jenkins_home
   docker:
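Review bot: `jenkins_master_executors_num: 0` has no explanation, and it changes behaviour for any deployment that has no agents attached. It is a sensible hardening, because no build then runs on the master and job code cannot reach the master's home directory and credential store. A short comment would record that: `# 0 executors: builds run only on agents, never on the master`. The same change in docker/swarm/stack/jenkins/master.yml wants the same comment.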
diff --git a/docker/host.yml b/docker/host.yml
index a88ff2f..894f6ee 100644
--- a/docker/host.yml
+++ b/docker/host.yml
@@ -14,6 +14,7 @@
         - ${_param:cluster_vip_address}:5000
         - ${_param:cluster_public_host}:5000
       options:
+        bridge: none
         ipv6: true
         fixed-cidr-v6: fc00::/7
         storage-driver: overlay2
diff --git a/docker/swarm/stack/dashboard.yml b/docker/swarm/stack/dashboard.yml
index 62a3e14..7b0eac5 100644
--- a/docker/swarm/stack/dashboard.yml
+++ b/docker/swarm/stack/dashboard.yml
@@ -6,7 +6,6 @@
     grafana_database_type: sqlite3
     grafana_database_host: localhost
     grafana_database_port: 3306
-    grafana_database_password: password
   docker:
     client:
       stack:
diff --git a/docker/swarm/stack/gerrit.yml b/docker/swarm/stack/gerrit.yml
index 964899d..42af606 100644
--- a/docker/swarm/stack/gerrit.yml
+++ b/docker/swarm/stack/gerrit.yml
@@ -4,7 +4,6 @@
   _param:
     gerrit_ldap_server: ""
     gerrit_ldap_bind_user: ""
-    gerrit_ldap_bind_password: ""
     gerrit_ldap_account_base: ""
     gerrit_ldap_group_base: ""
     gerrit_http_listen_url: http://*:8080/
diff --git a/docker/swarm/stack/janitor_monkey.yml b/docker/swarm/stack/janitor_monkey.yml
index 0cb8c43..79e9561 100644
--- a/docker/swarm/stack/janitor_monkey.yml
+++ b/docker/swarm/stack/janitor_monkey.yml
@@ -2,7 +2,6 @@
   _param:
     docker_janitor_monkey_replicas: 1
     docker_mongodb_admin_username: admin
-    docker_mongodb_admin_password: password
     docker_image_janitor_monkey: ${_param:mcp_docker_registry}/mirantis/oss/janitor-monkey
     janitor_monkey_bind_host: cleanup-service-api
     janitor_monkey_bind_port: 8080
@@ -17,7 +16,6 @@
     janitor_monkey_base_url: http://${_param:janitor_monkey_mongodb_host}:${_param:janitor_monkey_mongodb_port}
     janitor_monkey_mongodb_db: mcp_cloud
     janitor_monkey_mongodb_username: janitor
-    janitor_monkey_mongodb_password: password
     janitor_monkey_elasticsearch: ${_param:elasticsearch_bind_host}:${_param:elasticsearch_binary_bind_port}
     janitor_monkey_cloudfire_region: RegionOne
     janitor_monkey_cis_clustername: ${_param:elasticsearch_cluster_name}
@@ -30,7 +28,6 @@
       project_name: admin
       auth_url: http://yourcloud.com:5000/v3/auth/tokens
       username: admin
-      password: password
       endpoint_type: public
       ssl_verify: False
       source_credentials_dir: /srv/volumes/rundeck/storage
diff --git a/docker/swarm/stack/jenkins/master.yml b/docker/swarm/stack/jenkins/master.yml
index 6af8d3e..4647521 100644
--- a/docker/swarm/stack/jenkins/master.yml
+++ b/docker/swarm/stack/jenkins/master.yml
@@ -4,7 +4,7 @@
 parameters:
   _param:
     jenkins_master_extra_opts: ""
-    jenkins_master_executors_num: 4
+    jenkins_master_executors_num: 0
     jenkins_master_max_concurent_requests: 40
     jenkins_home_dir_path: /var/jenkins_home
   docker:
diff --git a/docker/swarm/stack/jenkins/slave01.yml b/docker/swarm/stack/jenkins/slave01.yml
index f616d89..73e8140 100644
--- a/docker/swarm/stack/jenkins/slave01.yml
+++ b/docker/swarm/stack/jenkins/slave01.yml
@@ -1,5 +1,4 @@
 classes:
-- system.docker
 - system.docker.swarm.stack.jenkins.slave_base
 parameters:
   _param:
@@ -14,12 +13,12 @@
                 JENKINS_URL: ${_param:jenkins_master_url}
                 JENKINS_AGENT_NAME: slave01
                 JENKINS_UPDATE_SLAVE: 'true'
-                JENKINS_LOGIN: ${_param:jenkins_slave_user}
-                JENKINS_PASSWORD: ${_param:jenkins_slave_password}
-                JAVA_OPTS: ${_param:jenkins_slave_extra_opts}
+                JENKINS_LOGIN: ${_param:jenkins_client_user}
+                JENKINS_PASSWORD: ${_param:jenkins_client_password}
+                JAVA_OPTS: "-Dhttp.proxyHost=${_param:docker_http_proxy} -Dhttp.nonProxyHosts=|jenkins_master ${_param:jenkins_slave_extra_opts}"
                 https_proxy: ${_param:docker_https_proxy}
                 http_proxy: ${_param:docker_http_proxy}
-                no_proxy: ${_param:docker_no_proxy}
+                no_proxy: "jenkins_master,${_param:docker_no_proxy}"
               deploy:
                 restart_policy:
                   condition: any
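Review bot: `JENKINS_LOGIN` and `JENKINS_PASSWORD` now read `jenkins_client_user` and `jenkins_client_password` directly, which removes the `jenkins_slave_user`/`jenkins_slave_password` indirection, so a model can no longer give agents their own account without editing this class. The agent container also mounts the Docker socket and receives the password as an environment variable, so a dedicated low-privilege agent account would limit what a compromised build can reach. The `jenkins_slave_password` placeholder added to defaults/secrets.yml suggests one was intended. Also check `-Dhttp.proxyHost=${_param:docker_http_proxy}`: the JVM property expects a bare host with the port in `http.proxyPort`, whereas the same parameter feeds `http_proxy` two lines down, which normally holds a URL. slave02.yml and slave03.yml carry the same lines.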
@@ -28,7 +27,8 @@
                     - "node.hostname == ${_param:jenkins_slave01_node_name}"
               image: ${_param:docker_image_jenkins_slave}
               volumes:
-                - /etc/ssl/certs/java/cacerts:/etc/ssl/certs/java/cacerts:ro
+                - /etc/ssl/certs/:/etc/ssl/certs/:ro
+                - /dev/urandom:/dev/random:ro
                 - /var/run/docker.sock:/var/run/docker.sock
                 - /usr/bin/docker:/usr/bin/docker:ro
                 - /var/lib/jenkins:/var/lib/jenkins
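Review bot: Mounting the host's whole `/etc/ssl/certs/` over the container's replaces the image's trust store, including `java/cacerts`. The agent JVM then trusts exactly what the host trusts, and TLS will fail if the host has no Java keystore at that path; that dependency deserves a comment. `/dev/urandom:/dev/random:ro` needs one as well, e.g. `# avoid JVM stalls on /dev/random when host entropy is low`, because unexplained it reads as weakening the random source. The unchanged `/var/run/docker.sock` mount beside them gives builds root-equivalent control of the host, which is worth stating in the same comment block. slave02.yml and slave03.yml repeat these lines.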
diff --git a/docker/swarm/stack/jenkins/slave02.yml b/docker/swarm/stack/jenkins/slave02.yml
index cbece06..ee198cb 100644
--- a/docker/swarm/stack/jenkins/slave02.yml
+++ b/docker/swarm/stack/jenkins/slave02.yml
@@ -1,5 +1,4 @@
 classes:
-- system.docker
 - system.docker.swarm.stack.jenkins.slave_base
 parameters:
   _param:
@@ -14,12 +13,12 @@
                 JENKINS_URL: ${_param:jenkins_master_url}
                 JENKINS_AGENT_NAME: slave02
                 JENKINS_UPDATE_SLAVE: 'true'
-                JENKINS_LOGIN: ${_param:jenkins_slave_user}
-                JENKINS_PASSWORD: ${_param:jenkins_slave_password}
-                JAVA_OPTS: ${_param:jenkins_slave_extra_opts}
+                JENKINS_LOGIN: ${_param:jenkins_client_user}
+                JENKINS_PASSWORD: ${_param:jenkins_client_password}
+                JAVA_OPTS: "-Dhttp.proxyHost=${_param:docker_http_proxy} -Dhttp.nonProxyHosts=|jenkins_master ${_param:jenkins_slave_extra_opts}"
                 https_proxy: ${_param:docker_https_proxy}
                 http_proxy: ${_param:docker_http_proxy}
-                no_proxy: ${_param:docker_no_proxy}
+                no_proxy: "jenkins_master,${_param:docker_no_proxy}"
               deploy:
                 restart_policy:
                   condition: any
@@ -28,7 +27,8 @@
                     - "node.hostname == ${_param:jenkins_slave02_node_name}"
               image: ${_param:docker_image_jenkins_slave}
               volumes:
-                - /etc/ssl/certs/java/cacerts:/etc/ssl/certs/java/cacerts:ro
+                - /etc/ssl/certs/:/etc/ssl/certs/:ro
+                - /dev/urandom:/dev/random:ro
                 - /var/run/docker.sock:/var/run/docker.sock
                 - /usr/bin/docker:/usr/bin/docker:ro
                 - /var/lib/jenkins:/var/lib/jenkins
diff --git a/docker/swarm/stack/jenkins/slave03.yml b/docker/swarm/stack/jenkins/slave03.yml
index 6ff900c..b04ea2a 100644
--- a/docker/swarm/stack/jenkins/slave03.yml
+++ b/docker/swarm/stack/jenkins/slave03.yml
@@ -1,5 +1,4 @@
 classes:
-- system.docker
 - system.docker.swarm.stack.jenkins.slave_base
 parameters:
   _param:
@@ -14,12 +13,12 @@
                 JENKINS_URL: ${_param:jenkins_master_url}
                 JENKINS_AGENT_NAME: slave03
                 JENKINS_UPDATE_SLAVE: 'true'
-                JENKINS_LOGIN: ${_param:jenkins_slave_user}
-                JENKINS_PASSWORD: ${_param:jenkins_slave_password}
-                JAVA_OPTS: ${_param:jenkins_slave_extra_opts}
+                JENKINS_LOGIN: ${_param:jenkins_client_user}
+                JENKINS_PASSWORD: ${_param:jenkins_client_password}
+                JAVA_OPTS: "-Dhttp.proxyHost=${_param:docker_http_proxy} -Dhttp.nonProxyHosts=|jenkins_master ${_param:jenkins_slave_extra_opts}"
                 https_proxy: ${_param:docker_https_proxy}
                 http_proxy: ${_param:docker_http_proxy}
-                no_proxy: ${_param:docker_no_proxy}
+                no_proxy: "jenkins_master,${_param:docker_no_proxy}"
               deploy:
                 restart_policy:
                   condition: any
@@ -28,7 +27,8 @@
                     - "node.hostname == ${_param:jenkins_slave03_node_name}"
               image: ${_param:docker_image_jenkins_slave}
               volumes:
-                - /etc/ssl/certs/java/cacerts:/etc/ssl/certs/java/cacerts:ro
+                - /etc/ssl/certs/:/etc/ssl/certs/:ro
+                - /dev/urandom:/dev/random:ro
                 - /var/run/docker.sock:/var/run/docker.sock
                 - /usr/bin/docker:/usr/bin/docker:ro
                 - /var/lib/jenkins:/var/lib/jenkins
diff --git a/docker/swarm/stack/jenkins/slave_base.yml b/docker/swarm/stack/jenkins/slave_base.yml
index 1c2d6f8..3de4765 100644
--- a/docker/swarm/stack/jenkins/slave_base.yml
+++ b/docker/swarm/stack/jenkins/slave_base.yml
@@ -1,10 +1,7 @@
 classes:
+- system.docker
 - system.docker.client.images.jenkins_slave
 parameters:
   _param:
-    jenkins_master_host: ${_param:control_vip_address}
-    jenkins_secret: "7c40abc1a7df2d26dd6b2e4421af17218df75a16fcbd5e3aa6017d9f47eaeabe"
-    jenkins_master_url: http://${_param:jenkins_master_host}:${_param:jenkins_master_port}
-    jenkins_slave_user: ${_param:jenkins_client_user}
-    jenkins_slave_password: ${_param:jenkins_client_password}
+    jenkins_master_url: http://jenkins_master:8080
     jenkins_slave_extra_opts: ""
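Review bot: The hard-coded `jenkins_secret` is gone from the class but stays in repository history, so if any deployment ever used that value as an agent secret it should be treated as disclosed and rotated. The new `jenkins_master_url: http://jenkins_master:8080` is plain HTTP with a fixed service name and port, and the agent login is sent over it. That is acceptable only if agent and master share a private, encrypted overlay network, which this file does not show, so a comment stating the assumption would help, e.g. `# agents reach the master by swarm service name on the internal overlay network`.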
diff --git a/docker/swarm/stack/keycloak.yml b/docker/swarm/stack/keycloak.yml
index 7dcb88a..3598282 100644
--- a/docker/swarm/stack/keycloak.yml
+++ b/docker/swarm/stack/keycloak.yml
@@ -6,7 +6,6 @@
     keycloak_proxy_bind_port: ${_param:haproxy_keycloak_proxy_bind_port}
     # Initial admin support
     keycloak_admin_username: admin
-    keycloak_admin_password: password
   docker:
     client:
       stack:
diff --git a/docker/swarm/stack/kqueen.yml b/docker/swarm/stack/kqueen.yml
index 0c61ed9..24166ed 100644
--- a/docker/swarm/stack/kqueen.yml
+++ b/docker/swarm/stack/kqueen.yml
@@ -10,7 +10,6 @@
     kqueen_api_prometheus_whitelist: '172.16.10.0/24' ##REcheck with network
     kqueen_api_ldap_uri: 'ldap://ldap'
     kqueen_api_ldap_dn: 'cn=admin,dc=example,dc=org'
-    kqueen_api_ldap_password: 'password'
     kqueen_api_auth_modules: 'local'
     docker_kqueen_ui_replicas: 1
     kqueen_ui_bind_port: ${_param:haproxy_kqueen_ui_bind_port}
@@ -26,7 +25,6 @@
       kqueen_ui_secret_key: 'pasteyoursecret'
       kqueen_api_bootstrap_admin: True
       kqueen_api_admin_username: admin
-      kqueen_api_admin_password: default
       kqueen_api_admin_organization: MirantisCloudPlatform
       kqueen_api_admin_namespace: mcp
   docker:
diff --git a/docker/swarm/stack/monitoring/elasticsearch_exporter.yml b/docker/swarm/stack/monitoring/elasticsearch_exporter.yml
index 5cbc05e..ce02782 100644
--- a/docker/swarm/stack/monitoring/elasticsearch_exporter.yml
+++ b/docker/swarm/stack/monitoring/elasticsearch_exporter.yml
@@ -12,7 +12,7 @@
                 encrypted: 1
           service:
             elasticsearch_exporter:
-              command: --es-cluster ${_param:stacklight_log_address}:9200 --nodes-stats-disable --cluster-health-disable --indices-stats-disable
+              command: --es-cluster ${_param:fluentd_elasticsearch_scheme}://${_param:stacklight_log_address}:9200 --nodes-stats-disable --cluster-health-disable --indices-stats-disable
               networks:
                 - monitoring
               deploy:
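Review bot: The command now takes its scheme from `${_param:fluentd_elasticsearch_scheme}` but keeps the literal `:9200`, although `fluentd_elasticsearch_port` is introduced in defaults/stacklight.yml in the same commit. A model that moves Elasticsearch to HTTPS on another port would get a mismatched URL; `${_param:fluentd_elasticsearch_scheme}://${_param:stacklight_log_address}:${_param:fluentd_elasticsearch_port}` keeps the two together. The host still comes from `stacklight_log_address` rather than `fluentd_elasticsearch_host`, so confirm which parameter is meant to be authoritative.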
@@ -26,3 +26,4 @@
               image: ${_param:docker_image_prometheus_es_exporter}
               volumes:
                 - "${prometheus:elasticsearch_exporter:dir:config}/elasticsearch_exporter.cfg:/usr/src/app/exporter.cfg"
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
diff --git a/docker/swarm/stack/monitoring/prometheus/init.yml b/docker/swarm/stack/monitoring/prometheus/init.yml
index 65dd5b9..d7db52c 100644
--- a/docker/swarm/stack/monitoring/prometheus/init.yml
+++ b/docker/swarm/stack/monitoring/prometheus/init.yml
@@ -32,6 +32,7 @@
               volumes:
                 - ${prometheus:server:dir:config}:${_param:prometheus_server_config_directory}
                 - ${prometheus:server:dir:data}:${_param:prometheus_server_data_directory}
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
               environment:
                 PROMETHEUS_CONFIG_DIR: ${_param:prometheus_server_config_directory}
                 PROMETHEUS_DATA_DIR: ${_param:prometheus_server_data_directory}
diff --git a/docker/swarm/stack/monitoring/remote_agent/init.yml b/docker/swarm/stack/monitoring/remote_agent/init.yml
index 9e9455e..3d9fd62 100644
--- a/docker/swarm/stack/monitoring/remote_agent/init.yml
+++ b/docker/swarm/stack/monitoring/remote_agent/init.yml
@@ -23,3 +23,4 @@
               volumes:
                 - ${telegraf:remote_agent:dir:config}:/etc/telegraf
                 - ${telegraf:remote_agent:dir:config_d}:/etc/telegraf/telegraf.d
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
diff --git a/docker/swarm/stack/monitoring/sf_notifier.yml b/docker/swarm/stack/monitoring/sf_notifier.yml
index a171ce8..b8b2dd6 100644
--- a/docker/swarm/stack/monitoring/sf_notifier.yml
+++ b/docker/swarm/stack/monitoring/sf_notifier.yml
@@ -29,8 +29,6 @@
               image: ${_param:docker_image_sf_notifier}
               ports:
                 - 15018:5000
-              volumes:
-                - ${prometheus:sf_notifier:dir:logs}:/var/log/sf-notifier
               environment:
                 SF_NOTIFIER_WORKERS: ${_param:sf_notifier_workers}
                 SF_NOTIFIER_BUFFER_SIZE: ${_param:sf_notifier_buffer_size}
diff --git a/docker/swarm/stack/postgresql.yml b/docker/swarm/stack/postgresql.yml
index b3936c6..619e0c2 100644
--- a/docker/swarm/stack/postgresql.yml
+++ b/docker/swarm/stack/postgresql.yml
@@ -7,7 +7,6 @@
     postgresql_ssl:
       enabled: false
     postgresql_admin_user: postgres
-    postgresql_admin_user_password: postgrespassword
   docker:
     client:
       stack:
diff --git a/docker/swarm/stack/pushkin.yml b/docker/swarm/stack/pushkin.yml
index 2ee26e4..3bb1e17 100644
--- a/docker/swarm/stack/pushkin.yml
+++ b/docker/swarm/stack/pushkin.yml
@@ -13,13 +13,11 @@
     pushkin_smtp_port: 587
     pushkin_smtp_use_tls: true
     webhook_from: your_sender@mail.com
-    pushkin_email_sender_password: your_sender_password
     webhook_recipients: "recepient1@mail.com,recepient2@mail.com"
     webhook_login_id: 13
     webhook_application_id: 24
     sfdc_auth_url: https://login.salesforce.com/services/oauth2/token
     sfdc_username: user@example.net
-    sfdc_password: secret
     sfdc_consumer_key: example_consumer_key
     sfdc_consumer_secret: example_consumer_secret
     sfdc_organization_id: example_organization_id
diff --git a/docker/swarm/stack/security_monkey.yml b/docker/swarm/stack/security_monkey.yml
index 5db205e..5b7046c 100644
--- a/docker/swarm/stack/security_monkey.yml
+++ b/docker/swarm/stack/security_monkey.yml
@@ -13,7 +13,6 @@
     security_monkey_db: secmonkey
     notification_service_url: http://${_param:pushkin_bind_host}:${_param:haproxy_pushkin_bind_port}/post_notification_json
     security_monkey_user: devopsportal@devopsportal.local
-    security_monkey_password: devopsportal
     security_monkey_role: Justify
     security_monkey_fqdn: ${_param:security_monkey_bind_host}
     security_monkey_web_port: ${_param:security_monkey_bind_port}
@@ -26,7 +25,6 @@
       os_account_name: mcp_cloud
       auth_url: http://yourcloud.com:5000/v3/auth/tokens
       username: admin
-      password: password
       project_domain_name: Default
       project_name: admin
       user_domain_name: Default
diff --git a/elasticsearch/client/ssl.yml b/elasticsearch/client/ssl.yml
new file mode 100644
index 0000000..9f0f9c2
--- /dev/null
+++ b/elasticsearch/client/ssl.yml
@@ -0,0 +1,5 @@
+parameters:
+  elasticsearch:
+    client:
+      server:
+        scheme: https
diff --git a/elasticsearch/server/cluster.yml b/elasticsearch/server/cluster.yml
index 76774aa..155cfdf 100644
--- a/elasticsearch/server/cluster.yml
+++ b/elasticsearch/server/cluster.yml
@@ -5,7 +5,7 @@
   _param:
     java_environment_version: "8"
     java_environment_platform: openjdk
-    elasticsearch_cluster_name: elasticsearch
+    elasticsearch_cluster_name: ${_param:cluster_name}
   linux:
     system:
       sysctl:
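Review bot: `elasticsearch_cluster_name` now defaults to `${_param:cluster_name}` instead of the literal `elasticsearch`, which changes the name on any deployment that relied on the old default. Elasticsearch nodes only join peers with the same cluster name, and some versions keep data under a directory named after the cluster, so applying this to a running cluster could split it or start nodes on an empty data path; this is worth confirming and listing as an upgrade step. A comment like `# was 'elasticsearch'; pin the old value on existing clusters` next to the parameter would help. The later hunks in this file only move `name` under `cluster:`.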
@@ -17,7 +17,6 @@
   elasticsearch:
     server:
       version: ${_param:elasticsearch_version}
-      name: ${_param:elasticsearch_cluster_name}
       enabled: true
       master: true
       data: true
@@ -35,6 +34,7 @@
         recover_after_nodes: 2
         recover_after_time: 5m
       cluster:
+        name: ${_param:elasticsearch_cluster_name}
         multicast: false
         minimum_master_nodes: 2
         members:
diff --git a/fluentd/label/default_metric/prometheus_ssl.yml b/fluentd/label/default_metric/prometheus_ssl.yml
new file mode 100644
index 0000000..292c481
--- /dev/null
+++ b/fluentd/label/default_metric/prometheus_ssl.yml
@@ -0,0 +1,9 @@
+parameters:
+  fluentd:
+    agent:
+      config:
+        input:
+          prometheus:
+            metric:
+              ssl:
+                enabled: True
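Review bot: `enabled: True` relies on the YAML 1.1 boolean spelling; `enabled: true` is the canonical form and matches `enable_ruby: true` in the other Fluentd classes this commit adds. The class only switches SSL on and sets no certificate or key path, so those presumably come from the formula defaults, which a one-line comment at the top of the file could state.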
diff --git a/fluentd/label/default_output/elasticsearch.yml b/fluentd/label/default_output/elasticsearch.yml
index 398ea8c..daf95dd 100644
--- a/fluentd/label/default_output/elasticsearch.yml
+++ b/fluentd/label/default_output/elasticsearch.yml
@@ -2,9 +2,6 @@
 - service.fluentd.agent.output.elasticsearch
 - system.fluentd.label.default_output.filter.common
 parameters:
-  _param:
-    fluentd_elasticsearch_host: 127.0.0.1
-    elasticsearch_port: 9200
   fluentd:
     agent:
       config:
@@ -13,4 +10,5 @@
             match:
               elasticsearch_output:
                 host: ${_param:fluentd_elasticsearch_host}
-                port: ${_param:elasticsearch_port}
+                port: ${_param:fluentd_elasticsearch_port}
+                scheme: ${_param:fluentd_elasticsearch_scheme}
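Review bot: `port` now reads `${_param:fluentd_elasticsearch_port}`, so an existing override of `elasticsearch_port` is no longer consulted, and the first hunk of this file removes the `_param` defaults for host and port. Every model that includes this class therefore has to define `fluentd_elasticsearch_host`, `fluentd_elasticsearch_port` and `fluentd_elasticsearch_scheme` itself, or interpolation will presumably fail. A comment at the top of the class listing the three required parameters, and a release note about the renamed port parameter, would make the migration explicit.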
diff --git a/fluentd/label/notifications/audit.yml b/fluentd/label/notifications/audit.yml
new file mode 100644
index 0000000..f0cabaa
--- /dev/null
+++ b/fluentd/label/notifications/audit.yml
@@ -0,0 +1,50 @@
+parameters:
+  fluentd:
+    agent:
+      config:
+        label:
+          audit_messages:
+            filter:
+              get_payload_values:
+                tag: audit
+                type: record_transformer
+                enable_ruby: true
+                record:
+                  - name: Logger
+                    value: ${fluentd:dollar}{ record.dig("publisher_id") }
+                  - name: Severity
+                    value: ${fluentd:dollar}{ {'TRACE'=>7,'DEBUG'=>7,'INFO'=>6,'AUDIT'=>6,'WARNING'=>4,'ERROR'=>3,'CRITICAL'=>2}[record['priority']].to_i }
+                  - name: Timestamp
+                    value: ${fluentd:dollar}{ DateTime.strptime(record.dig("payload", "eventTime"), "%Y-%m-%dT%H:%M:%S.%N%z").strftime("%Y-%m-%dT%H:%M:%S.%3NZ") }
+                  - name: notification_type
+                    value: ${fluentd:dollar}{ record.dig("event_type") }
+                  - name: severity_label
+                    value: ${fluentd:dollar}{ record.dig("priority") }
+                  - name: environment_label
+                    value: ${_param:cluster_domain}
+
+                  - name: action
+                    value: ${fluentd:dollar}{ record.dig("payload", "action") }
+                  - name: event_type
+                    value: ${fluentd:dollar}{ record.dig("payload", "eventType") }
+                  - name: outcome
+                    value: ${fluentd:dollar}{ record.dig("payload", "outcome") }
+              pack_payload_to_json:
+                tag: audit
+                require:
+                  - get_payload_values
+                type: record_transformer
+                enable_ruby: true
+                remove_keys: '["payload", "timestamp", "publisher_id", "priority"]'
+                record:
+                  - name: Payload
+                    value: ${fluentd:dollar}{ record["payload"].to_json }
+            match:
+              audit_output:
+                tag: audit
+                type: elasticsearch
+                host: ${_param:fluentd_elasticsearch_host}
+                port: ${_param:fluentd_elasticsearch_port}
+                scheme: ${_param:fluentd_elasticsearch_scheme}
+                es_index_name: audit
+                tag_key: Type
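Review bot: The `Timestamp` expression parses `eventTime` with its `%z` offset but formats the result with a literal `Z` without converting to UTC, so an event carrying a non-zero offset is indexed at the wrong instant. For an audit trail that skews ordering against other logs; inserting `.new_offset(0)` between `strptime(...)` and `.strftime(...)` fixes it. `strptime` also raises when `eventTime` is missing or has no fractional seconds, in which case the field is presumably left unset, so a guarded fallback is worth considering. The `audit_output` match sets only host, port and scheme; if the audit index needs credentials or a CA file, they are not configured here.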
diff --git a/fluentd/label/notifications/init.yml b/fluentd/label/notifications/init.yml
new file mode 100644
index 0000000..e4e57f8
--- /dev/null
+++ b/fluentd/label/notifications/init.yml
@@ -0,0 +1,4 @@
+classes:
+- system.fluentd.label.notifications.input_rabbitmq
+- system.fluentd.label.notifications.notifications
+- system.fluentd.label.notifications.audit
diff --git a/fluentd/label/notifications/input_rabbitmq.yml b/fluentd/label/notifications/input_rabbitmq.yml
new file mode 100644
index 0000000..7f97648
--- /dev/null
+++ b/fluentd/label/notifications/input_rabbitmq.yml
@@ -0,0 +1,105 @@
+parameters:
+  fluentd:
+    agent:
+      config:
+        label:
+          rabbitmq_notifications:
+            input:
+              tail_rabbitmq_info:
+                tag: raw_notifications
+                type: rabbitmq
+                host: ${_param:openstack_message_queue_address}
+                user: openstack
+                pass: ${_param:rabbitmq_openstack_password}
+                vhost: /openstack
+                queue: ${_param:stacklight_notification_topic}.info
+                routing_key: ${_param:stacklight_notification_topic}.info
+                parser:
+                  type: json
+              tail_rabbitmq_warn:
+                tag: raw_notifications
+                type: rabbitmq
+                host: ${_param:openstack_message_queue_address}
+                user: openstack
+                pass: ${_param:rabbitmq_openstack_password}
+                vhost: /openstack
+                queue: ${_param:stacklight_notification_topic}.warn
+                routing_key: ${_param:stacklight_notification_topic}.warn
+                parser:
+                  type: json
+              tail_rabbitmq_error:
+                tag: raw_notifications
+                type: rabbitmq
+                host: ${_param:openstack_message_queue_address}
+                user: openstack
+                pass: ${_param:rabbitmq_openstack_password}
+                vhost: /openstack
+                queue: ${_param:stacklight_notification_topic}.error
+                routing_key: ${_param:stacklight_notification_topic}.error
+                parser:
+                  type: json
+            filter:
+              parse_json:
+                tag: raw_notifications
+                type: parser
+                key_name: oslo.message
+                reserve_data: false
+                hash_value_field: parsed
+                parser:
+                  type: json
+              remove_context:
+                tag: raw_notifications
+                require:
+                  - parse_json
+                type: record_transformer
+                enable_ruby: true
+                remove_keys: _dummy_1
+                record:
+                  - name: _dummy_1
+                    value: ${fluentd:dollar}{record['parsed'].delete_if { |k,_| k.include?('_context_') }; nil}
+              pack_parsed_to_json:
+                tag: raw_notifications
+                require:
+                  - remove_context
+                type: record_transformer
+                enable_ruby: true
+                record:
+                  - name: parsed
+                    value: ${fluentd:dollar}{record["parsed"].to_json}
+              unpack_on_top_level:
+                tag: raw_notifications
+                require:
+                  - pack_parsed_to_json
+                type: parser
+                key_name: parsed
+                reserve_data: false
+                parser:
+                  type: json
+              detect_audit_notification:
+                tag: raw_notifications
+                require:
+                  - unpack_on_top_level
+                type: record_transformer
+                enable_ruby: true
+                record:
+                  - name: notification_type
+                    value: '${fluentd:dollar}{ record["payload"]["eventType"] && record["payload"]["eventTime"] ? "audit" : "notification" }'
+            match:
+              rewrite_message_tag:
+                tag: raw_notifications
+                type: rewrite_tag_filter
+                rule:
+                  - name: notification_type
+                    regexp: 'audit'
+                    result: audit
+                  - name: notification_type
+                    regexp: '/.+/'
+                    result: notification
+              forward_notification:
+                tag: notification
+                type: relabel
+                label: notification_messages
+              forward_audit:
+                tag: audit
+                type: relabel
+                label: audit_messages
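Review bot: All three inputs log in as `openstack` with `${_param:rabbitmq_openstack_password}`, which looks like the account the OpenStack services themselves use on the `/openstack` vhost. A log collector only needs to consume the notification queues, so a dedicated user with permissions limited to those queues would keep the service credential out of the Fluentd configuration; no TLS option is set on the connection either. Separately, `detect_audit_notification` indexes `record["payload"]["eventType"]` directly, which raises when `payload` is absent; `record.dig("payload", "eventType") && record.dig("payload", "eventTime")` matches the style used in audit.yml. The two `rewrite_tag_filter` rules also write their patterns differently (`'audit'` versus `'/.+/'`), so it is worth confirming the formula reads both forms the same way.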
diff --git a/fluentd/label/notifications/notifications.yml b/fluentd/label/notifications/notifications.yml
new file mode 100644
index 0000000..7d1e5c6
--- /dev/null
+++ b/fluentd/label/notifications/notifications.yml
@@ -0,0 +1,123 @@
+parameters:
+  fluentd:
+    agent:
+      config:
+        label:
+          notification_messages:
+            filter:
+              parse_publuisher_host:
+                tag: notification
+                type: parser
+                key_name: publisher_id
+                reserve_data: true
+                parser:
+                  type: regexp
+                  format: (?<publisher>\w+).(?<hostname>\w+)
+              save_hostname:
+                tag: notification
+                require:
+                  - parse_publuisher_host
+                type: record_transformer
+                enable_ruby: true
+                record:
+                  - name: Hostname
+                    value: ${fluentd:dollar}{ record["hostname"] }
+              parse_source:
+                tag: notification
+                require:
+                  - save_hostname
+                type: parser
+                key_name: event_type
+                reserve_data: true
+                parser:
+                  type: regexp
+                  format: (?<event_type_logger>\w+).+
+              map_logger:
+                tag: notification
+                require:
+                  - parse_source
+                type: record_transformer
+                enable_ruby: true
+                remove_keys: event_type_logger
+                record:
+                  - name: Logger
+                    value: ${fluentd:dollar}{ {'volume'=>'cinder', 'snapshot'=>'cinder', 'image'=>'glance', 'orchestration'=>'heat', 'identity'=>'keystone', 'compute'=>'nova', 'compute_task'=>'nova', 'scheduler'=>'nova', 'keypair'=>'nova', 'floatingip' =>'neutron', 'security_group' =>'neutron', 'security_group_rule' =>'neutron', 'network' =>'neutron', 'port' =>'neutron', 'router' =>'neutron', 'subnet' =>'neutron', 'sahara' =>'sahara'}[record["event_type_logger"]] }
+              get_payload_values:
+                tag: notification
+                require:
+                  - map_logger
+                type: record_transformer
+                enable_ruby: true
+                record:
+                  - name: Timestamp
+                    value: ${fluentd:dollar}{ DateTime.strptime(record['timestamp'], '%Y-%m-%d %H:%M:%S.%N').strftime('%Y-%m-%dT%H:%M:%S.%3NZ') }
+                  - name: severity_label
+                    value: ${fluentd:dollar}{ record["priority"] }
+                  - name: Severity
+                    value: ${fluentd:dollar}{ {'TRACE'=>7,'DEBUG'=>7,'INFO'=>6,'AUDIT'=>6,'WARNING'=>4,'ERROR'=>3,'CRITICAL'=>2}[record['priority']].to_i }
+                  - name: Hostname
+                    value: '${fluentd:dollar}{ record["payload"].has_key?("host") ? record["payload"]["host"] : record["Hostname"] }'
+                  - name: environment_label
+                    value: ${_param:cluster_domain}
+
+                  - name: tenant_id
+                    value: ${fluentd:dollar}{ record.dig("payload", "tenant_id") }
+                  - name: user_id
+                    value: ${fluentd:dollar}{ record.dig("payload", "user_id") }
+                  - name: display_name
+                    value: ${fluentd:dollar}{ record.dig("payload", "display_name") }
+                  - name: vcpus
+                    value: ${fluentd:dollar}{ record.dig("payload", "vcpus") }
+                  - name: availability_zone
+                    value: ${fluentd:dollar}{ record.dig("payload", "availability_zone") }
+                  - name: instance_id
+                    value: ${fluentd:dollar}{ record.dig("payload", "instance_id") }
+                  - name: instance_type
+                    value: ${fluentd:dollar}{ record.dig("payload", "instance_type") }
+                  - name: image_name
+                    value: ${fluentd:dollar}{ record.dig("payload", "image_name") }
+                  - name: memory_mb
+                    value: ${fluentd:dollar}{ record.dig("payload", "memory_mb") }
+                  - name: disk_gb
+                    value: ${fluentd:dollar}{ record.dig("payload", "disk_gb") }
+                  - name: state
+                    value: ${fluentd:dollar}{ record.dig("payload", "state") }
+                  - name: old_state
+                    value: ${fluentd:dollar}{ record.dig("payload", "old_state") }
+                  - name: old_task_state
+                    value: ${fluentd:dollar}{ record.dig("payload", "old_task_state") }
+                  - name: new_task_state
+                    value: ${fluentd:dollar}{ record.dig("payload", "new_task_state") }
+                  - name: network_id
+                    value: ${fluentd:dollar}{ record.dig("payload", "network_id") }
+                  - name: subnet_id
+                    value: ${fluentd:dollar}{ record.dig("payload", "subnet_id") }
+                  - name: port_id
+                    value: ${fluentd:dollar}{ record.dig("payload", "port_id") }
+                  - name: volume_id
+                    value: ${fluentd:dollar}{ record.dig("payload", "volume_id") }
+                  - name: size
+                    value: ${fluentd:dollar}{ record.dig("payload", "size") }
+                  - name: status
+                    value: ${fluentd:dollar}{ record.dig("payload", "status") }
+                  - name: replication_status
+                    value: ${fluentd:dollar}{ record.dig("payload", "replication_status") }
+              pack_payload_to_json:
+                tag: notification
+                require:
+                  - get_payload_values
+                type: record_transformer
+                enable_ruby: true
+                remove_keys: '["timestamp", "publisher_id", "priority", "notification_type", "payload"]'
+                record:
+                  - name: Payload
+                    value: ${fluentd:dollar}{ record["payload"].to_json }
+            match:
+              notifications_output:
+                tag: notification
+                type: elasticsearch
+                host: ${_param:fluentd_elasticsearch_host}
+                port: ${_param:fluentd_elasticsearch_port}
+                scheme: ${_param:fluentd_elasticsearch_scheme}
+                es_index_name: notification
+                tag_key: Type
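Review bot: The `parse_publuisher_host` format `(?<publisher>\w+).(?<hostname>\w+)` uses an unescaped `.` and `\w+` for the host, so a publisher id such as `compute.cmp-01.example.local` (constructed example) yields `hostname` = `cmp`. `(?<publisher>[^.]+)\.(?<hostname>.+)` would keep the full host part, which matters because `Hostname` is the fallback when the payload has no `host`. The filter name is also misspelled (`publuisher`) here and in `save_hostname`'s `require`; that is harmless while both match but easy to break later.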
diff --git a/galera/server/clustercheck.yml b/galera/server/clustercheck.yml
index a5d7137..6213c58 100644
--- a/galera/server/clustercheck.yml
+++ b/galera/server/clustercheck.yml
@@ -1,6 +1,4 @@
 parameters:
-  _param:
-    galera_clustercheck_password: clustercheck
   galera:
     clustercheck:
       enabled: True
diff --git a/glance/client/image/octavia.yml b/glance/client/image/octavia.yml
index 3160cdd..2a00375 100644
--- a/glance/client/image/octavia.yml
+++ b/glance/client/image/octavia.yml
@@ -3,6 +3,7 @@
 parameters:
   glance:
     client:
+      cloud_name: admin_identity
       identity:
         admin_identity:
           endpoint_type: internalURL
diff --git a/glance/control/cluster.yml b/glance/control/cluster.yml
index a75f8c5..3eb7866 100644
--- a/glance/control/cluster.yml
+++ b/glance/control/cluster.yml
@@ -82,4 +82,3 @@
       storage:
         engine: file
       images: []
-      show_multiple_locations: True
diff --git a/glance/control/single.yml b/glance/control/single.yml
index ee2ae1a..24e9c3f 100644
--- a/glance/control/single.yml
+++ b/glance/control/single.yml
@@ -31,7 +31,6 @@
         protocol: ${_param:internal_protocol}
       registry:
         protocol: ${_param:internal_protocol}
-      show_multiple_locations: True
       barbican:
         enabled: ${_param:barbican_integration_enabled}
       message_queue:
diff --git a/glusterfs/server/volume/aptly.yml b/glusterfs/server/volume/aptly.yml
index 9c9e518..095ed8e 100644
--- a/glusterfs/server/volume/aptly.yml
+++ b/glusterfs/server/volume/aptly.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/aptly
             - ${_param:cluster_node03_address}:/srv/glusterfs/aptly
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
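Review bot: `auth.allow` and `auth.reject` are filled from `${_param:glusterfs_allow_ips}` and `${_param:glusterfs_reject_ips}`, neither of which is defined in the visible part of this commit, so the effective access policy depends entirely on defaults set elsewhere. If the allow default is `*` the new option restricts nothing, and as far as I know a reject entry overrides an allow entry for the same address, so the two defaults need to be chosen together. This is address filtering, not authentication, which matters most for the `keystone-keys` and `keystone-credential-keys` volumes. A comment where the parameters are defined, stating the expected format (comma-separated addresses, quoted if the value contains `*`), would help. The same two lines are added to the other volume classes under glusterfs/server/volume/ in this commit.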
diff --git a/glusterfs/server/volume/artifactory.yml b/glusterfs/server/volume/artifactory.yml
index f70d2f0..c903d5f 100644
--- a/glusterfs/server/volume/artifactory.yml
+++ b/glusterfs/server/volume/artifactory.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/artifactory
             - ${_param:cluster_node03_address}:/srv/glusterfs/artifactory
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/backup.yml b/glusterfs/server/volume/backup.yml
index 22e59e2..3c86bb0 100644
--- a/glusterfs/server/volume/backup.yml
+++ b/glusterfs/server/volume/backup.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/backup
             - ${_param:cluster_node03_address}:/srv/glusterfs/backup
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/decapod.yml b/glusterfs/server/volume/decapod.yml
index e8f4c99..9a39eaa 100644
--- a/glusterfs/server/volume/decapod.yml
+++ b/glusterfs/server/volume/decapod.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/decapod
             - ${_param:cluster_node03_address}:/srv/glusterfs/decapod
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/devops_portal.yml b/glusterfs/server/volume/devops_portal.yml
index a2f00ba..e2116cb 100644
--- a/glusterfs/server/volume/devops_portal.yml
+++ b/glusterfs/server/volume/devops_portal.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/devops_portal
             - ${_param:cluster_node03_address}:/srv/glusterfs/devops_portal
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/elasticsearch.yml b/glusterfs/server/volume/elasticsearch.yml
index 65cf76e..e66a388 100644
--- a/glusterfs/server/volume/elasticsearch.yml
+++ b/glusterfs/server/volume/elasticsearch.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/elasticsearch
             - ${_param:cluster_node03_address}:/srv/glusterfs/elasticsearch
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/etcd.yml b/glusterfs/server/volume/etcd.yml
index 874119e..6300593 100644
--- a/glusterfs/server/volume/etcd.yml
+++ b/glusterfs/server/volume/etcd.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/etcd
             - ${_param:cluster_node03_address}:/srv/glusterfs/etcd
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/gerrit.yml b/glusterfs/server/volume/gerrit.yml
index b959f82..b3b036a 100644
--- a/glusterfs/server/volume/gerrit.yml
+++ b/glusterfs/server/volume/gerrit.yml
@@ -10,6 +10,10 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/gerrit
             - ${_param:cluster_node03_address}:/srv/glusterfs/gerrit
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
+            storage.owner-gid: 1000
+            storage.owner-uid: 1000
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
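Review bot: `storage.owner-gid` and `storage.owner-uid` are hard-coded to `1000` here and in jenkins.yml, while the new jenkins_slave_single.yml and jenkins_slave_multi.yml use `10000`. These values have to match the user the consuming container runs as, and nothing in the hunk says which image user they correspond to. A `_param` value per service, or at least a comment such as `# must match the UID/GID of the gerrit container user`, would make a mismatch easier to spot when an image changes its user.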
diff --git a/glusterfs/server/volume/glance.yml b/glusterfs/server/volume/glance.yml
index d0dfdf1..38a571e 100644
--- a/glusterfs/server/volume/glance.yml
+++ b/glusterfs/server/volume/glance.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/glance
             - ${_param:cluster_node03_address}:/srv/glusterfs/glance
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/gnocchi.yml b/glusterfs/server/volume/gnocchi.yml
index f8f5b6a..1d4ce62 100644
--- a/glusterfs/server/volume/gnocchi.yml
+++ b/glusterfs/server/volume/gnocchi.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/gnocchi
             - ${_param:cluster_node03_address}:/srv/glusterfs/gnocchi
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/influxdb.yml b/glusterfs/server/volume/influxdb.yml
index 9a75a2f..5f56d0b 100644
--- a/glusterfs/server/volume/influxdb.yml
+++ b/glusterfs/server/volume/influxdb.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/influxdb
             - ${_param:cluster_node03_address}:/srv/glusterfs/influxdb
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/jenkins.yml b/glusterfs/server/volume/jenkins.yml
index 9a2582a..e17cdb5 100644
--- a/glusterfs/server/volume/jenkins.yml
+++ b/glusterfs/server/volume/jenkins.yml
@@ -10,6 +10,10 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/jenkins
             - ${_param:cluster_node03_address}:/srv/glusterfs/jenkins
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
+            storage.owner-gid: 1000
+            storage.owner-uid: 1000
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/jenkins_slave_multi.yml b/glusterfs/server/volume/jenkins_slave_multi.yml
new file mode 100644
index 0000000..5d2e70a
--- /dev/null
+++ b/glusterfs/server/volume/jenkins_slave_multi.yml
@@ -0,0 +1,42 @@
+classes:
+- system.glusterfs.server.volume.jenkins_slave_single
+parameters:
+  glusterfs:
+    server:
+      volumes:
+        jenkins_slave02:
+          storage: /srv/glusterfs/jenkins_slaves/slave02
+          replica: 3
+          bricks:
+            - ${_param:cluster_node01_address}:/srv/glusterfs/jenkins_slaves/slave02
+            - ${_param:cluster_node02_address}:/srv/glusterfs/jenkins_slaves/slave02
+            - ${_param:cluster_node03_address}:/srv/glusterfs/jenkins_slaves/slave02
+          options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
+            storage.owner-gid: 10000
+            storage.owner-uid: 10000
+            cluster.readdir-optimize: On
+            nfs.disable: On
+            network.remote-dio: On
+            diagnostics.client-log-level: WARNING
+            diagnostics.brick-log-level: WARNING
+            cluster.favorite-child-policy: mtime
+        jenkins_slave03:
+          storage: /srv/glusterfs/jenkins_slaves/slave03
+          replica: 3
+          bricks:
+            - ${_param:cluster_node01_address}:/srv/glusterfs/jenkins_slaves/slave03
+            - ${_param:cluster_node02_address}:/srv/glusterfs/jenkins_slaves/slave03
+            - ${_param:cluster_node03_address}:/srv/glusterfs/jenkins_slaves/slave03
+          options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
+            storage.owner-gid: 10000
+            storage.owner-uid: 10000
+            cluster.readdir-optimize: On
+            nfs.disable: On
+            network.remote-dio: On
+            diagnostics.client-log-level: WARNING
+            diagnostics.brick-log-level: WARNING
+            cluster.favorite-child-policy: mtime
diff --git a/glusterfs/server/volume/jenkins_slave_single.yml b/glusterfs/server/volume/jenkins_slave_single.yml
new file mode 100644
index 0000000..e9420b3
--- /dev/null
+++ b/glusterfs/server/volume/jenkins_slave_single.yml
@@ -0,0 +1,22 @@
+parameters:
+  glusterfs:
+    server:
+      volumes:
+        jenkins_slave01:
+          storage: /srv/glusterfs/jenkins_slaves/slave01
+          replica: 3
+          bricks:
+            - ${_param:cluster_node01_address}:/srv/glusterfs/jenkins_slaves/slave01
+            - ${_param:cluster_node02_address}:/srv/glusterfs/jenkins_slaves/slave01
+            - ${_param:cluster_node03_address}:/srv/glusterfs/jenkins_slaves/slave01
+          options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
+            storage.owner-gid: 10000
+            storage.owner-uid: 10000
+            cluster.readdir-optimize: On
+            nfs.disable: On
+            network.remote-dio: On
+            diagnostics.client-log-level: WARNING
+            diagnostics.brick-log-level: WARNING
+            cluster.favorite-child-policy: mtime
diff --git a/glusterfs/server/volume/keycloak.yml b/glusterfs/server/volume/keycloak.yml
index c8c71f0..b22d2c3 100644
--- a/glusterfs/server/volume/keycloak.yml
+++ b/glusterfs/server/volume/keycloak.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/keycloak
             - ${_param:cluster_node03_address}:/srv/glusterfs/keycloak
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/keystone.yml b/glusterfs/server/volume/keystone.yml
index 81e14be..e549180 100644
--- a/glusterfs/server/volume/keystone.yml
+++ b/glusterfs/server/volume/keystone.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/keystone-keys
             - ${_param:cluster_node03_address}:/srv/glusterfs/keystone-keys
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
@@ -24,6 +26,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/keystone-credential-keys
             - ${_param:cluster_node03_address}:/srv/glusterfs/keystone-credential-keys
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/kqueen.yml b/glusterfs/server/volume/kqueen.yml
index 0d09c51..091a93c 100644
--- a/glusterfs/server/volume/kqueen.yml
+++ b/glusterfs/server/volume/kqueen.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/kqueen
             - ${_param:cluster_node03_address}:/srv/glusterfs/kqueen
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/mongodb.yml b/glusterfs/server/volume/mongodb.yml
index f694ad7..0cb3a8e 100644
--- a/glusterfs/server/volume/mongodb.yml
+++ b/glusterfs/server/volume/mongodb.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/mongodb
             - ${_param:cluster_node03_address}:/srv/glusterfs/mongodb
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/mysql.yml b/glusterfs/server/volume/mysql.yml
index c473de6..b67975e 100644
--- a/glusterfs/server/volume/mysql.yml
+++ b/glusterfs/server/volume/mysql.yml
@@ -10,6 +10,10 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/mysql
             - ${_param:cluster_node03_address}:/srv/glusterfs/mysql
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
+            storage.owner-gid: 999
+            storage.owner-uid: 999
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
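Review bot: `storage.owner-gid: 999` and `storage.owner-uid: 999` are bare numbers with no comment saying which account they stand for, and the owner of the brick root decides which process may write to the volume. If 999 is meant to match the database user inside a container image (an assumption; nothing here states it), a different image or a host account that happens to hold uid 999 would get that access instead. A comment like `# uid/gid of the mysql user in the consuming image` would record the intent. The same applies to 10000 in jenkins_slave_single.yml and to 999 in openldap_k8s.yml and postgresql_k8s.yml. The volume definition starts outside this hunk.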
diff --git a/glusterfs/server/volume/openldap.yml b/glusterfs/server/volume/openldap.yml
index 84619c0..cc1ba5f 100644
--- a/glusterfs/server/volume/openldap.yml
+++ b/glusterfs/server/volume/openldap.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/openldap
             - ${_param:cluster_node03_address}:/srv/glusterfs/openldap
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/openldap_k8s.yml b/glusterfs/server/volume/openldap_k8s.yml
new file mode 100644
index 0000000..24b2a26
--- /dev/null
+++ b/glusterfs/server/volume/openldap_k8s.yml
@@ -0,0 +1,40 @@
+parameters:
+  glusterfs:
+    server:
+      volumes:
+        openldap-config:
+          storage: /srv/glusterfs/openldap/config
+          replica: 3
+          bricks:
+            - ${_param:cluster_node01_address}:/srv/glusterfs/openldap/config
+            - ${_param:cluster_node02_address}:/srv/glusterfs/openldap/config
+            - ${_param:cluster_node03_address}:/srv/glusterfs/openldap/config
+          options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
+            storage.owner-gid: 999
+            storage.owner-uid: 999
+            cluster.readdir-optimize: On
+            nfs.disable: On
+            network.remote-dio: On
+            diagnostics.client-log-level: WARNING
+            diagnostics.brick-log-level: WARNING
+            cluster.favorite-child-policy: mtime
+        openldap-data:
+          storage: /srv/glusterfs/openldap/data
+          replica: 3
+          bricks:
+          - ${_param:cluster_node01_address}:/srv/glusterfs/openldap/data
+          - ${_param:cluster_node02_address}:/srv/glusterfs/openldap/data
+          - ${_param:cluster_node03_address}:/srv/glusterfs/openldap/data
+          options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
+            storage.owner-gid: 999
+            storage.owner-uid: 999
+            cluster.readdir-optimize: On
+            nfs.disable: On
+            network.remote-dio: On
+            diagnostics.client-log-level: WARNING
+            diagnostics.brick-log-level: WARNING
+            cluster.favorite-child-policy: mtime
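Review bot: The `storage` and `bricks` paths of `openldap-config` and `openldap-data` (`/srv/glusterfs/openldap/config`, `/srv/glusterfs/openldap/data`) sit inside `/srv/glusterfs/openldap`, which openldap.yml in this same diff already uses as a brick directory. If both classes end up on one node, the new bricks would be subdirectories of an existing brick. postgresql_k8s.yml goes further and reuses `/srv/glusterfs/postgresql` exactly as postgresql.yml does. A header comment stating that each `_k8s` class replaces its non-k8s counterpart and must not be combined with it would make that explicit. Separately, the `bricks` list under `openldap-data` is flush with its key while the one under `openldap-config` is indented; use one style.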
diff --git a/glusterfs/server/volume/postgresql.yml b/glusterfs/server/volume/postgresql.yml
index c48d833..5376934 100644
--- a/glusterfs/server/volume/postgresql.yml
+++ b/glusterfs/server/volume/postgresql.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/postgresql
             - ${_param:cluster_node03_address}:/srv/glusterfs/postgresql
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/postgresql_k8s.yml b/glusterfs/server/volume/postgresql_k8s.yml
new file mode 100644
index 0000000..523ef59
--- /dev/null
+++ b/glusterfs/server/volume/postgresql_k8s.yml
@@ -0,0 +1,22 @@
+parameters:
+  glusterfs:
+    server:
+      volumes:
+        postgresql-data:
+          storage: /srv/glusterfs/postgresql
+          replica: 3
+          bricks:
+            - ${_param:cluster_node01_address}:/srv/glusterfs/postgresql
+            - ${_param:cluster_node02_address}:/srv/glusterfs/postgresql
+            - ${_param:cluster_node03_address}:/srv/glusterfs/postgresql
+          options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
+            storage.owner-gid: 999
+            storage.owner-uid: 999
+            cluster.readdir-optimize: On
+            nfs.disable: On
+            network.remote-dio: On
+            diagnostics.client-log-level: WARNING
+            diagnostics.brick-log-level: WARNING
+            cluster.favorite-child-policy: mtime
diff --git a/glusterfs/server/volume/privatebin.yml b/glusterfs/server/volume/privatebin.yml
index e2eba2d..e78df75 100644
--- a/glusterfs/server/volume/privatebin.yml
+++ b/glusterfs/server/volume/privatebin.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/privatebin
             - ${_param:cluster_node03_address}:/srv/glusterfs/privatebin
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/pushkin.yml b/glusterfs/server/volume/pushkin.yml
index 2d6a249..14d8b16 100644
--- a/glusterfs/server/volume/pushkin.yml
+++ b/glusterfs/server/volume/pushkin.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/pushkin
             - ${_param:cluster_node03_address}:/srv/glusterfs/pushkin
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/registry.yml b/glusterfs/server/volume/registry.yml
index 474ce7b..19d0106 100644
--- a/glusterfs/server/volume/registry.yml
+++ b/glusterfs/server/volume/registry.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/registry
             - ${_param:cluster_node03_address}:/srv/glusterfs/registry
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/rundeck.yml b/glusterfs/server/volume/rundeck.yml
index c0ced5b..727496a 100644
--- a/glusterfs/server/volume/rundeck.yml
+++ b/glusterfs/server/volume/rundeck.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/rundeck
             - ${_param:cluster_node03_address}:/srv/glusterfs/rundeck
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/salt.yml b/glusterfs/server/volume/salt.yml
index e14701d..f832bce 100644
--- a/glusterfs/server/volume/salt.yml
+++ b/glusterfs/server/volume/salt.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/saltmaster
             - ${_param:cluster_node03_address}:/srv/glusterfs/saltmaster
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/salt_pki.yml b/glusterfs/server/volume/salt_pki.yml
index 9a26bdb..8135e47 100644
--- a/glusterfs/server/volume/salt_pki.yml
+++ b/glusterfs/server/volume/salt_pki.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/salt_pki
             - ${_param:cluster_node03_address}:/srv/glusterfs/salt_pki
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/security_monkey.yml b/glusterfs/server/volume/security_monkey.yml
index e730c90..3fa9f57 100644
--- a/glusterfs/server/volume/security_monkey.yml
+++ b/glusterfs/server/volume/security_monkey.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/security_monkey
             - ${_param:cluster_node03_address}:/srv/glusterfs/security_monkey
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/gnocchi/common/coordination/redis.yml b/gnocchi/common/coordination/redis.yml
index 673d9bd..f1e94b6 100644
--- a/gnocchi/common/coordination/redis.yml
+++ b/gnocchi/common/coordination/redis.yml
@@ -1,7 +1,18 @@
 parameters:
   _param:
-    gnocchi_coordination_url: redis://${_param:single_address}:6379
+    gnocchi_coordination_url: redis://openstack:${_param:openstack_telemetry_redis_password}@${_param:redis_sentinel_node01_address}:26379?db=0&sentinel=master_1&sentinel_fallback=${_param:redis_sentinel_node02_address}:26379&sentinel_fallback=${_param:redis_sentinel_node03_address}:26379
   gnocchi:
     common:
       coordination_backend:
         url: ${_param:gnocchi_coordination_url}
+        engine: redis
+        redis:
+          password: ${_param:openstack_telemetry_redis_password}
+          user: openstack
+          db: ${_param:gnocchi_redis_db}
+          sentinel:
+            host: ${_param:redis_sentinel_node01_address}
+            master_name: ${_param:gnocchi_redis_sentinel_mastername}
+            fallback:
+              - host: ${_param:redis_sentinel_node02_address}
+              - host: ${_param:redis_sentinel_node03_address}
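Review bot: `gnocchi_coordination_url` hard-codes `db=0` and `sentinel=master_1`, while the `redis:` block added below takes the same two settings from `${_param:gnocchi_redis_db}` and `${_param:gnocchi_redis_sentinel_mastername}`. Overriding either parameter changes the structured block but not the URL, so the two can point at different databases or masters depending on which one the consumer reads. Building the query string from the same parameters, `?db=${_param:gnocchi_redis_db}&sentinel=${_param:gnocchi_redis_sentinel_mastername}&...`, keeps them in step. The storage/incoming/redis.yml and storage/redis.yml hunks repeat the pattern.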
diff --git a/gnocchi/common/storage/incoming/redis.yml b/gnocchi/common/storage/incoming/redis.yml
index d0f04d7..77cd6c6 100644
--- a/gnocchi/common/storage/incoming/redis.yml
+++ b/gnocchi/common/storage/incoming/redis.yml
@@ -1,10 +1,20 @@
 parameters:
   _param:
-    gnocchi_storage_incoming_redis_url: redis://${_param:single_address}:6379
+    gnocchi_storage_incoming_redis_url: redis://openstack:${_param:openstack_telemetry_redis_password}@${_param:redis_sentinel_node01_address}:26379?db=0&sentinel=master_1&sentinel_fallback=${_param:redis_sentinel_node02_address}:26379&sentinel_fallback=${_param:redis_sentinel_node03_address}:26379
     gnocchi_storage_incoming_driver: redis
   gnocchi:
     common:
       storage:
         incoming:
           driver: ${_param:gnocchi_storage_incoming_driver}
-          redis_url: ${_param:gnocchi_storage_incoming_redis_url}
\ No newline at end of file
+          redis_url: ${_param:gnocchi_storage_incoming_redis_url}
+          redis:
+            password: ${_param:openstack_telemetry_redis_password}
+            user: openstack
+            db: ${_param:gnocchi_redis_db}
+            sentinel:
+              host: ${_param:redis_sentinel_node01_address}
+              master_name: ${_param:gnocchi_redis_sentinel_mastername}
+              fallback:
+                - host: ${_param:redis_sentinel_node02_address}
+                - host: ${_param:redis_sentinel_node03_address}
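Review bot: `gnocchi_storage_incoming_redis_url` places `${_param:openstack_telemetry_redis_password}` in the userinfo part of the URL, so a password containing `@`, `:`, `/`, `?` or `#` changes how the URL is split unless it is percent-encoded. The full URL, password included, also ends up wherever `redis_url` is rendered or logged. Since the hunk already adds `redis.password` as a separate key, consider documenting the restriction next to the parameter, for example `# password must be URL-safe or percent-encoded`. The same applies to the URLs in coordination/redis.yml and storage/redis.yml.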
diff --git a/gnocchi/common/storage/redis.yml b/gnocchi/common/storage/redis.yml
index d71fcf0..079c887 100644
--- a/gnocchi/common/storage/redis.yml
+++ b/gnocchi/common/storage/redis.yml
@@ -1,9 +1,19 @@
 parameters:
   _param:
-    gnocchi_storage_redis_url: redis://${_param:single_address}:6379
+    gnocchi_storage_redis_url: redis://openstack:${_param:openstack_telemetry_redis_password}@${_param:redis_sentinel_node01_address}:26379?db=0&sentinel=master_1&sentinel_fallback=${_param:redis_sentinel_node02_address}:26379&sentinel_fallback=${_param:redis_sentinel_node03_address}:26379
     gnocchi_storage_driver: redis
   gnocchi:
     common:
       storage:
         driver: ${_param:gnocchi_storage_driver}
-        redis_url: ${_param:gnocchi_storage_redis_url}
\ No newline at end of file
+        redis_url: ${_param:gnocchi_storage_redis_url}
+        redis:
+          password: ${_param:openstack_telemetry_redis_password}
+          user: openstack
+          db: ${_param:gnocchi_redis_db}
+          sentinel:
+            host: ${_param:redis_sentinel_node01_address}
+            master_name: ${_param:gnocchi_redis_sentinel_mastername}
+            fallback:
+              - host: ${_param:redis_sentinel_node02_address}
+              - host: ${_param:redis_sentinel_node03_address}
diff --git a/grafana/server/single.yml b/grafana/server/single.yml
index 775ce38..6303430 100644
--- a/grafana/server/single.yml
+++ b/grafana/server/single.yml
@@ -4,7 +4,6 @@
   _param:
     grafana_port: 3000
     grafana_user: admin
-    grafana_password: admin
   grafana:
     server:
       enabled: true
diff --git a/graphite/collector/single.yml b/graphite/collector/single.yml
index 5ca5715..5442a3f 100644
--- a/graphite/collector/single.yml
+++ b/graphite/collector/single.yml
@@ -2,8 +2,6 @@
 - service.memcached.server.local
 - service.graphite.collector.single
 parameters:
-  _param:
-    rabbitmq_monitor_password: password
   carbon:
     relay:
       enabled: false
diff --git a/graphite/server/single.yml b/graphite/server/single.yml
index 237c65d..9c891d3 100644
--- a/graphite/server/single.yml
+++ b/graphite/server/single.yml
@@ -7,12 +7,7 @@
 parameters:
   _param:
     graphite_secret_key: secret
-    postgresql_graphite_password: password
     apache2_site_graphite_host: ${_param:single_address}
-    rabbitmq_graphite_password: password
-    rabbitmq_monitor_password: password
-    rabbitmq_admin_password: password
-    rabbitmq_secret_key: password
   apache:
     server:
       modules:
diff --git a/haproxy/proxy/listen/keycloak.yml b/haproxy/proxy/listen/keycloak.yml
index 89a9670..73697a3 100644
--- a/haproxy/proxy/listen/keycloak.yml
+++ b/haproxy/proxy/listen/keycloak.yml
@@ -1,7 +1,7 @@
 parameters:
   _param:
     haproxy_keycloak_bind_host: ${_param:haproxy_bind_address}
-    haproxy_keycloak_bind_port: 8080
+    haproxy_keycloak_bind_port: 8086
     haproxy_keycloak_exposed_port: 18086
     haproxy_keycloak_ssl:
       enabled: false
diff --git a/haproxy/proxy/listen/opencontrail/analytics.yml b/haproxy/proxy/listen/opencontrail/analytics.yml
index 14890ca..fd20277 100644
--- a/haproxy/proxy/listen/opencontrail/analytics.yml
+++ b/haproxy/proxy/listen/opencontrail/analytics.yml
@@ -1,6 +1,4 @@
 parameters:
-  _param:
-    opencontrail_stats_password: password
   haproxy:
     proxy:
       listen:
diff --git a/haproxy/proxy/listen/opencontrail/control.yml b/haproxy/proxy/listen/opencontrail/control.yml
index db407be..b704f04 100644
--- a/haproxy/proxy/listen/opencontrail/control.yml
+++ b/haproxy/proxy/listen/opencontrail/control.yml
@@ -1,6 +1,5 @@
 parameters:
   _param:
-    opencontrail_stats_password: password
     opencontrail_api_start_offset: 0
     opencontrail_api_workers_count: 1
   haproxy:
diff --git a/haproxy/proxy/listen/opencontrail/control4_0.yml b/haproxy/proxy/listen/opencontrail/control4_0.yml
index baeb86e..22623fd 100644
--- a/haproxy/proxy/listen/opencontrail/control4_0.yml
+++ b/haproxy/proxy/listen/opencontrail/control4_0.yml
@@ -1,6 +1,5 @@
 parameters:
   _param:
-    opencontrail_stats_password: password
     opencontrail_api_start_offset: 0
     opencontrail_api_workers_count: 1
   haproxy:
diff --git a/haproxy/proxy/listen/openstack/large_setup.yml b/haproxy/proxy/listen/openstack/large_setup.yml
index 947cfce..c517779 100644
--- a/haproxy/proxy/listen/openstack/large_setup.yml
+++ b/haproxy/proxy/listen/openstack/large_setup.yml
@@ -8,4 +8,4 @@
 - system.haproxy.proxy.listen.openstack.keystone.large
 - system.haproxy.proxy.listen.openstack.neutron_large
 - system.haproxy.proxy.listen.openstack.nova_large
-- system.haproxy.proxy.listen.openstack.novanc_large
+- system.haproxy.proxy.listen.openstack.novnc_large
diff --git a/haproxy/proxy/listen/stacklight/elasticsearch.yml b/haproxy/proxy/listen/stacklight/elasticsearch.yml
index 582de6a..d684861 100644
--- a/haproxy/proxy/listen/stacklight/elasticsearch.yml
+++ b/haproxy/proxy/listen/stacklight/elasticsearch.yml
@@ -1,10 +1,6 @@
 parameters:
   _param:
     haproxy_elasticsearch_bind_host: ${_param:cluster_vip_address}
-    haproxy_elasticsearch_http_bind_port: 9200
-    haproxy_elasticsearch_http_exposed_port: 9200
-    haproxy_elasticsearch_binary_bind_port: 9300
-    haproxy_elasticsearch_binary_exposed_port: 9300
   haproxy:
     proxy:
       listen:
@@ -17,7 +13,7 @@
             - dontlog-normal
           balance: roundrobin
           binds:
-            - address: ${_param:haproxy_elasticsearch_bind_host}
+            - address: ${_param:cluster_vip_address}
               port: ${_param:haproxy_elasticsearch_http_bind_port}
           servers:
             - name: ${_param:cluster_node01_hostname}
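Review bot: The bind `address` now reads `${_param:cluster_vip_address}` directly, which leaves `haproxy_elasticsearch_bind_host` (still defined under `_param` in the previous hunk) unused by this listener. A deployment that overrode `haproxy_elasticsearch_bind_host` to bind to a narrower address will bind to the cluster VIP after this change, with no error to signal it. Either keep `address: ${_param:haproxy_elasticsearch_bind_host}` or drop the parameter definition and say so in the commit message. The previous hunk also removes the port defaults that `port: ${_param:haproxy_elasticsearch_http_bind_port}` still references, so they have to be defined elsewhere. The `listen` block continues outside the hunk.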
diff --git a/haproxy/proxy/listen/stacklight/elasticsearch_ssl.yml b/haproxy/proxy/listen/stacklight/elasticsearch_ssl.yml
new file mode 100644
index 0000000..a50280e
--- /dev/null
+++ b/haproxy/proxy/listen/stacklight/elasticsearch_ssl.yml
@@ -0,0 +1,55 @@
+parameters:
+  _param:
+    haproxy_elasticsearch_bind_host: ${_param:cluster_vip_address}
+  haproxy:
+    proxy:
+      listen:
+        elasticsearch:
+          mode: http
+          options:
+            - httplog
+            - http-keep-alive
+            - prefer-last-server
+            - dontlog-normal
+          balance: roundrobin
+          binds:
+            - address: ${_param:cluster_vip_address}
+              port: ${_param:haproxy_elasticsearch_http_bind_port}
+              ssl:
+                enabled: true
+                pem_file: /etc/elasticsearch/elasticsearch.pem
+          servers:
+            - name: ${_param:cluster_node01_hostname}
+              host: ${_param:cluster_node01_address}
+              port: ${_param:haproxy_elasticsearch_http_exposed_port}
+              params: 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3'
+            - name: ${_param:cluster_node02_hostname}
+              host: ${_param:cluster_node02_address}
+              port: ${_param:haproxy_elasticsearch_http_exposed_port}
+              params: 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3'
+            - name: ${_param:cluster_node03_hostname}
+              host: ${_param:cluster_node03_address}
+              port: ${_param:haproxy_elasticsearch_http_exposed_port}
+              params: 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3'
+        elasticsearch_binary:
+          mode: tcp
+          options:
+            - tcpka
+            - tcplog
+          balance: source
+          binds:
+            - address: ${_param:cluster_vip_address}
+              port: ${_param:haproxy_elasticsearch_binary_bind_port}
+          servers:
+            - name: ${_param:cluster_node01_hostname}
+              host: ${_param:cluster_node01_address}
+              port: ${_param:haproxy_elasticsearch_binary_exposed_port}
+              params: 'check'
+            - name: ${_param:cluster_node02_hostname}
+              host: ${_param:cluster_node02_address}
+              port: ${_param:haproxy_elasticsearch_binary_exposed_port}
+              params: 'check'
+            - name: ${_param:cluster_node03_hostname}
+              host: ${_param:cluster_node03_address}
+              port: ${_param:haproxy_elasticsearch_binary_exposed_port}
+              params: 'check'
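Review bot: Only the `elasticsearch` bind gets `ssl.enabled: true`, so as written TLS ends at HAProxy and the binary listener stays plaintext. The `servers` entries use `params: 'check inter ...'` with no `ssl` keyword, and `elasticsearch_binary` has no `ssl` block at all. If that is the intent, a header comment such as `# TLS is terminated at HAProxy; backend and binary traffic are not encrypted` would stop readers assuming end-to-end encryption from the file name. `pem_file: /etc/elasticsearch/elasticsearch.pem` presumably holds the private key, so its ownership and mode need to let HAProxy read it without opening it to other accounts. `haproxy_elasticsearch_bind_host` is defined on the third line but never referenced.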
diff --git a/heka/router/single.yml b/heka/router/single.yml
index 8801e42..bba6458 100644
--- a/heka/router/single.yml
+++ b/heka/router/single.yml
@@ -12,7 +12,6 @@
     heka_router_prefetch_count: 20
     rabbitmq_secret_key: secret_key
     rabbitmq_admin_name: admin
-    rabbitmq_admin_password: workshoplearning42
     kibana_elasticsearch_host: localhost
   heka:
     shipper:
diff --git a/jenkins/client/init.yml b/jenkins/client/init.yml
index 59faa0b..11b5430 100644
--- a/jenkins/client/init.yml
+++ b/jenkins/client/init.yml
@@ -1,12 +1,12 @@
 classes:
-  - service.jenkins.support
-  - service.jenkins.client
-  - system.jenkins.client.approved_scripts
-  - system.jenkins.client.plugins
+- service.jenkins.support
+- service.jenkins.client
+- system.jenkins.client.approved_scripts
+- system.jenkins.client.plugins
+- system.jenkins.client.security.csrf
 parameters:
   _param:
     jenkins_client_user: none
-    jenkins_client_password: none
     jenkins_master_host: ${_param:control_vip_address}
     jenkins_aptly_storages: "local"
     jenkins_offline_deployment: "false"
diff --git a/jenkins/client/job/ceph/upgrade.yml b/jenkins/client/job/ceph/upgrade.yml
index 7717761..d308845 100644
--- a/jenkins/client/job/ceph/upgrade.yml
+++ b/jenkins/client/job/ceph/upgrade.yml
@@ -73,3 +73,7 @@
               type: boolean
               default: 'true'
               description: Select to copy the disks of Ceph VMs before upgrade and backup Ceph directories on OSD nodes.
+            BACKUP_DIR:
+              type: string
+              default: '/root'
+              description: Select the target dir to backup to when BACKUP_ENABLED
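Review bot: The `BACKUP_DIR` description leaves its condition unfinished and does not say on which host the directory lives, while the default `'/root'` puts the copied Ceph VM disks on the root filesystem. Suggested wording: `description: Target directory for backups; used only when BACKUP_ENABLED is selected.`, with the host named once that is confirmed. The value is a free-form string, so the pipeline that consumes it (not visible here) should validate it as a path before use. The `param` mapping starts outside this hunk.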
diff --git a/jenkins/client/job/deploy/galera_verify_restore.yml b/jenkins/client/job/deploy/galera_verify_restore.yml
index 492d76f..73e312a 100644
--- a/jenkins/client/job/deploy/galera_verify_restore.yml
+++ b/jenkins/client/job/deploy/galera_verify_restore.yml
@@ -1,6 +1,4 @@
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/openstack.yml b/jenkins/client/job/deploy/openstack.yml
index d18ccae..107b932 100644
--- a/jenkins/client/job/deploy/openstack.yml
+++ b/jenkins/client/job/deploy/openstack.yml
@@ -1,6 +1,4 @@
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/try_mcp.yml b/jenkins/client/job/deploy/try_mcp.yml
index 9c161ff..3ad2878 100644
--- a/jenkins/client/job/deploy/try_mcp.yml
+++ b/jenkins/client/job/deploy/try_mcp.yml
@@ -1,6 +1,4 @@
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/cloud_update.yml b/jenkins/client/job/deploy/update/cloud_update.yml
index aef20ce..f3fe8ef 100644
--- a/jenkins/client/job/deploy/update/cloud_update.yml
+++ b/jenkins/client/job/deploy/update/cloud_update.yml
@@ -2,8 +2,6 @@
 # Jobs to update cloud packages on given Salt master environment
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/config.yml b/jenkins/client/job/deploy/update/config.yml
index 47ec321..5eafd70 100644
--- a/jenkins/client/job/deploy/update/config.yml
+++ b/jenkins/client/job/deploy/update/config.yml
@@ -2,8 +2,6 @@
 # Jobs to run given states on given Salt master environment's
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/init.yml b/jenkins/client/job/deploy/update/init.yml
index 5a26020..be7e82e 100644
--- a/jenkins/client/job/deploy/update/init.yml
+++ b/jenkins/client/job/deploy/update/init.yml
@@ -5,6 +5,7 @@
   - system.jenkins.client.job.deploy.update.update_mirror_image
   - system.jenkins.client.job.deploy.update.update_ceph
   - system.jenkins.client.job.deploy.update.upgrade
+  - system.jenkins.client.job.deploy.update.upgrade_rabbitmq
   - system.jenkins.client.job.deploy.update.upgrade_compute
   - system.jenkins.client.job.deploy.update.upgrade_mcp_release
   - system.jenkins.client.job.deploy.update.upgrade_ovs_gateway
@@ -18,3 +19,7 @@
   - system.jenkins.client.job.deploy.update.cloud_update
   - system.jenkins.client.job.deploy.update.kubernetes_update
   - system.jenkins.client.job.deploy.galera_verify_restore
+  - system.jenkins.client.job.deploy.update.update_glusterfs
+  - system.jenkins.client.job.deploy.update.update_glusterfs_servers
+  - system.jenkins.client.job.deploy.update.update_glusterfs_clients
+  - system.jenkins.client.job.deploy.update.update_glusterfs_cluster_op_version
diff --git a/jenkins/client/job/deploy/update/kubernetes_update.yml b/jenkins/client/job/deploy/update/kubernetes_update.yml
index 454d92b..ee77583 100644
--- a/jenkins/client/job/deploy/update/kubernetes_update.yml
+++ b/jenkins/client/job/deploy/update/kubernetes_update.yml
@@ -2,8 +2,6 @@
 # Jobs to update cloud packages on given Salt master environment
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/package.yml b/jenkins/client/job/deploy/update/package.yml
index acf1f62..65a4ac3 100644
--- a/jenkins/client/job/deploy/update/package.yml
+++ b/jenkins/client/job/deploy/update/package.yml
@@ -2,8 +2,6 @@
 # Jobs to update packages on given Salt master environment
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/reclass_update_check.yml b/jenkins/client/job/deploy/update/reclass_update_check.yml
index cec8d79..dd279b3 100644
--- a/jenkins/client/job/deploy/update/reclass_update_check.yml
+++ b/jenkins/client/job/deploy/update/reclass_update_check.yml
@@ -2,8 +2,6 @@
 # Jobs to to check new Reclass package version compatibility with model
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/restore_cassandra.yml b/jenkins/client/job/deploy/update/restore_cassandra.yml
index 34179af..8b18eb1 100644
--- a/jenkins/client/job/deploy/update/restore_cassandra.yml
+++ b/jenkins/client/job/deploy/update/restore_cassandra.yml
@@ -2,8 +2,6 @@
 # Jobs to update packages on given Salt master environment
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/restore_zookeeper.yml b/jenkins/client/job/deploy/update/restore_zookeeper.yml
index ebb57f7..3d0dc05 100644
--- a/jenkins/client/job/deploy/update/restore_zookeeper.yml
+++ b/jenkins/client/job/deploy/update/restore_zookeeper.yml
@@ -2,8 +2,6 @@
 # Jobs to update packages on given Salt master environment
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/saltenv.yml b/jenkins/client/job/deploy/update/saltenv.yml
index 734a4e5..f2b38d2 100644
--- a/jenkins/client/job/deploy/update/saltenv.yml
+++ b/jenkins/client/job/deploy/update/saltenv.yml
@@ -3,7 +3,6 @@
 #
 parameters:
   _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
     jenkins_salt_model_name: "salt"
     jenkins_salt_model_branch: "master"
   jenkins:
diff --git a/jenkins/client/job/deploy/update/update_ceph.yml b/jenkins/client/job/deploy/update/update_ceph.yml
index dd8bf58..4b7603b 100644
--- a/jenkins/client/job/deploy/update/update_ceph.yml
+++ b/jenkins/client/job/deploy/update/update_ceph.yml
@@ -2,8 +2,6 @@
 # Jobs to run given states on given Salt master environment's
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/update_glusterfs.yml b/jenkins/client/job/deploy/update/update_glusterfs.yml
new file mode 100644
index 0000000..dfdfc9e
--- /dev/null
+++ b/jenkins/client/job/deploy/update/update_glusterfs.yml
@@ -0,0 +1,31 @@
+#
+# Jobs to run given states on given Salt master environment's
+#
+parameters:
+  jenkins:
+    client:
+      job:
+        update-glusterfs:
+          type: workflow-scm
+          description: This is a general job which runs "Update glusterfs servers", "Update glusterfs clients" and "Update glusterfs cluster.op-version" jobs with default parameters. If you need/want better control of update process use those jobs.
+          concurrent: true
+          discard:
+            build:
+              keep_num: 10
+            artifact:
+              keep_num: 10
+          display_name: "Update GlusterFS"
+          scm:
+            type: git
+            url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
+            branch: "${_param:jenkins_pipelines_branch}"
+            credentials: "gerrit"
+            script: update-glusterfs.groovy
+          param:
+            DRIVE_TRAIN_PARAMS:
+              type: text
+              description: "Yaml based DriveTrain releated params"
+              default: |
+                ---
+                SALT_MASTER_URL: "${_param:jenkins_salt_api_url}"
+                SALT_MASTER_CREDENTIALS: "salt"
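Review bot: `concurrent: true` lets two builds of `update-glusterfs` run at the same time, and per its own description this job drives the server, client and op-version updates of one cluster. Unless the pipeline script serialises itself (not visible here), overlapping runs could update several storage servers at once; `concurrent: false` is the safer default. The header comment is copied from another job, and `releated` in the `DRIVE_TRAIN_PARAMS` description should read `related`. The same `concurrent: true` and header appear in update_glusterfs_clients.yml and update_glusterfs_cluster_op_version.yml.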
diff --git a/jenkins/client/job/deploy/update/update_glusterfs_clients.yml b/jenkins/client/job/deploy/update/update_glusterfs_clients.yml
new file mode 100644
index 0000000..48a393c
--- /dev/null
+++ b/jenkins/client/job/deploy/update/update_glusterfs_clients.yml
@@ -0,0 +1,37 @@
+#
+# Jobs to run given states on given Salt master environment's
+#
+parameters:
+  jenkins:
+    client:
+      job:
+        update-glusterfs-clients:
+          type: workflow-scm
+          description: Update glusterfs-client package on corresponding hosts
+          concurrent: true
+          discard:
+            build:
+              keep_num: 10
+            artifact:
+              keep_num: 10
+          display_name: "Update glusterfs clients"
+          scm:
+            type: git
+            url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
+            branch: "${_param:jenkins_pipelines_branch}"
+            credentials: "gerrit"
+            script: update-glusterfs-clients.groovy
+          param:
+            DRIVE_TRAIN_PARAMS:
+              type: text
+              description: "Yaml based DriveTrain releated params"
+              default: |
+                ---
+                SALT_MASTER_URL: "${_param:jenkins_salt_api_url}"
+                SALT_MASTER_CREDENTIALS: "salt"
+                # Salt compound target to match nodes to be updated [*, G@osfamily:debian].
+                TARGET_SERVERS: "I@glusterfs:client"
+                # Does not validate server availability/status before update
+                IGNORE_SERVER_STATUS: false
+                # Does not validate that all servers have been updated
+                IGNORE_SERVER_VERSION: false
diff --git a/jenkins/client/job/deploy/update/update_glusterfs_cluster_op_version.yml b/jenkins/client/job/deploy/update/update_glusterfs_cluster_op_version.yml
new file mode 100644
index 0000000..24b1217
--- /dev/null
+++ b/jenkins/client/job/deploy/update/update_glusterfs_cluster_op_version.yml
@@ -0,0 +1,37 @@
+#
+# Jobs to run given states on given Salt master environment's
+#
+parameters:
+  jenkins:
+    client:
+      job:
+        update-glusterfs-cluster-op-version:
+          type: workflow-scm
+          description: Update cluster.op-version global option
+          concurrent: true
+          discard:
+            build:
+              keep_num: 10
+            artifact:
+              keep_num: 10
+          display_name: "Update glusterfs cluster.op-version"
+          scm:
+            type: git
+            url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
+            branch: "${_param:jenkins_pipelines_branch}"
+            credentials: "gerrit"
+            script: update-glusterfs-cluster-op-version.groovy
+          param:
+            DRIVE_TRAIN_PARAMS:
+              type: text
+              description: "Yaml based DriveTrain releated params"
+              default: |
+                ---
+                SALT_MASTER_URL: "${_param:jenkins_salt_api_url}"
+                SALT_MASTER_CREDENTIALS: "salt"
+                # GlusterFS cluster.op-verion option to set. Leave it empty to get proper version from cluster.max-op-version if available.
+                CLUSTER_OP_VERSION: ''
+                # Does not validate that all servers have been updated
+                IGNORE_SERVER_VERSION: false
+                # Does not validate that all clients have been updated
+                IGNORE_CLIENT_VERSION: false
diff --git a/jenkins/client/job/deploy/update/update_glusterfs_servers.yml b/jenkins/client/job/deploy/update/update_glusterfs_servers.yml
new file mode 100644
index 0000000..97f4e77
--- /dev/null
+++ b/jenkins/client/job/deploy/update/update_glusterfs_servers.yml
@@ -0,0 +1,37 @@
+#
+# Jobs to run given states on given Salt master environment's
+#
+parameters:
+  jenkins:
+    client:
+      job:
+        update-glusterfs-servers:
+          type: workflow-scm
+          description: Update glusterfs-server package on corresponding hosts
+          concurrent: true
+          discard:
+            build:
+              keep_num: 10
+            artifact:
+              keep_num: 10
+          display_name: "Update glusterfs servers"
+          scm:
+            type: git
+            url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
+            branch: "${_param:jenkins_pipelines_branch}"
+            credentials: "gerrit"
+            script: update-glusterfs-servers.groovy
+          param:
+            DRIVE_TRAIN_PARAMS:
+              type: text
+              description: "Yaml based DriveTrain releated params"
+              default: |
+                ---
+                SALT_MASTER_URL: "${_param:jenkins_salt_api_url}"
+                SALT_MASTER_CREDENTIALS: "salt"
+                # Salt compound target to match nodes to be updated [*, G@osfamily:debian].
+                TARGET_SERVERS: "I@glusterfs:server"
+                # Does not validate server availability/status before update
+                IGNORE_SERVER_STATUS: false
+                # Update GlusterFS even there is a non-replicated volume
+                IGNORE_NON_REPLICATED_VOLUMES: false
diff --git a/jenkins/client/job/deploy/update/update_mirror_image.yml b/jenkins/client/job/deploy/update/update_mirror_image.yml
index 73fd434..96e905c 100644
--- a/jenkins/client/job/deploy/update/update_mirror_image.yml
+++ b/jenkins/client/job/deploy/update/update_mirror_image.yml
@@ -2,8 +2,6 @@
 # Jobs to update Salt master environment (formulas and models)
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
@@ -67,4 +65,4 @@
               default: 'true'
             UPDATE_FILES:
               type: boolean
-              default: 'true'
\ No newline at end of file
+              default: 'true'
diff --git a/jenkins/client/job/deploy/update/update_opencontrail4.yml b/jenkins/client/job/deploy/update/update_opencontrail4.yml
index 72ea870..e89d622 100644
--- a/jenkins/client/job/deploy/update/update_opencontrail4.yml
+++ b/jenkins/client/job/deploy/update/update_opencontrail4.yml
@@ -2,8 +2,6 @@
 # Jobs to update packages on given Salt master environment
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/upgrade.yml b/jenkins/client/job/deploy/update/upgrade.yml
index f4f5630..e3b60e1 100644
--- a/jenkins/client/job/deploy/update/upgrade.yml
+++ b/jenkins/client/job/deploy/update/upgrade.yml
@@ -2,8 +2,6 @@
 # Jobs to update packages on given Salt master environment
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/upgrade_compute.yml b/jenkins/client/job/deploy/update/upgrade_compute.yml
index b4628fa..ed5a222 100644
--- a/jenkins/client/job/deploy/update/upgrade_compute.yml
+++ b/jenkins/client/job/deploy/update/upgrade_compute.yml
@@ -2,8 +2,6 @@
 # Jobs to update packages on given Salt master environment
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/upgrade_mcp_release.yml b/jenkins/client/job/deploy/update/upgrade_mcp_release.yml
index a4821f9..9d46def 100644
--- a/jenkins/client/job/deploy/update/upgrade_mcp_release.yml
+++ b/jenkins/client/job/deploy/update/upgrade_mcp_release.yml
@@ -2,8 +2,6 @@
 # Jobs to upgrade MCP release
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/upgrade_opencontrail.yml b/jenkins/client/job/deploy/update/upgrade_opencontrail.yml
index 0b0d945..64c3aff 100644
--- a/jenkins/client/job/deploy/update/upgrade_opencontrail.yml
+++ b/jenkins/client/job/deploy/update/upgrade_opencontrail.yml
@@ -2,8 +2,6 @@
 # Jobs to update packages on given Salt master environment
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/upgrade_opencontrail4_0.yml b/jenkins/client/job/deploy/update/upgrade_opencontrail4_0.yml
index c1f448c..2d7ed69 100644
--- a/jenkins/client/job/deploy/update/upgrade_opencontrail4_0.yml
+++ b/jenkins/client/job/deploy/update/upgrade_opencontrail4_0.yml
@@ -2,8 +2,6 @@
 # Jobs to update packages on given Salt master environment
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml b/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml
index 76bf436..9d31352 100644
--- a/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml
+++ b/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml
@@ -2,8 +2,6 @@
 # Jobs to update packages on given Salt master environment
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/upgrade_rabbitmq.yml b/jenkins/client/job/deploy/update/upgrade_rabbitmq.yml
new file mode 100644
index 0000000..73c2f1f
--- /dev/null
+++ b/jenkins/client/job/deploy/update/upgrade_rabbitmq.yml
@@ -0,0 +1,46 @@
+#
+# Jobs to upgrade RabbitMQ packages on given Salt master environment
+#
+parameters:
+  jenkins:
+    client:
+      job:
+        deploy-upgrade-rabbitmq:
+          type: workflow-scm
+          concurrent: true
+          discard:
+            build:
+              keep_num: 10
+            artifact:
+              keep_num: 10
+          display_name: "Deploy - upgrade RabbitMQ server"
+          scm:
+            type: git
+            url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
+            branch: "${_param:jenkins_pipelines_branch}"
+            credentials: "gerrit"
+            script: openstack-rabbitmq-upgrade.groovy
+          param:
+            SALT_MASTER_URL:
+              type: string
+              default: "${_param:jenkins_salt_api_url}"
+            SALT_MASTER_CREDENTIALS:
+              type: string
+              default: "salt"
+            OS_DIST_UPGRADE:
+              type: boolean
+              default: 'false'
+              description: "Upgrade system packages including kernel (apt-get dist-upgrade)"
+            OS_UPGRADE:
+              type: boolean
+              default: 'false'
+              description: "Upgrade all installed applications (apt-get upgrade)"
+            INTERACTIVE:
+              type: boolean
+              default: 'true'
+              description: "Ask interactive questions during pipeline run (bool)"
+            TARGET_SERVERS:
+              type: string
+              default: 'msg*'
+              description: "Salt compound expression to get messaging servers to upgrade."
+
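Review bot: The `TARGET_SERVERS` default `'msg*'` selects minions by ID prefix, whereas the GlusterFS jobs added in this commit select by pillar (`I@glusterfs:server`). A name glob also matches any unrelated minion whose ID happens to start with `msg`, and the upgrade would then run there as well. If the messaging nodes carry a RabbitMQ pillar, a pillar target such as `default: 'I@rabbitmq:server'` would be tighter (the pillar key is assumed, confirm it against the formula). The job also has no `description:`, unlike the other new jobs in this directory.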
diff --git a/jenkins/client/job/deploy/update/upgrade_stacklight.yml b/jenkins/client/job/deploy/update/upgrade_stacklight.yml
index d7279a6..578fd28 100644
--- a/jenkins/client/job/deploy/update/upgrade_stacklight.yml
+++ b/jenkins/client/job/deploy/update/upgrade_stacklight.yml
@@ -2,8 +2,6 @@
 # Jobs to process Stacklight update
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/virt_snapshot.yml b/jenkins/client/job/deploy/update/virt_snapshot.yml
index be92c8d..feada8a 100644
--- a/jenkins/client/job/deploy/update/virt_snapshot.yml
+++ b/jenkins/client/job/deploy/update/virt_snapshot.yml
@@ -2,8 +2,6 @@
 # Job to manage libvirt live snapshots
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
@@ -57,7 +55,7 @@
               type: string
               default: "snapshot1"
               description: "Snapshot name"
-            PATH:
+            LIBVIRT_IMAGES_PATH:
               type: string
               default: "/var/lib/libvirt/images"
               description: "Path where snapshot image and dumpxml are being put"
diff --git a/jenkins/client/job/validate.yml b/jenkins/client/job/validate.yml
index 176018c..e4e628a 100644
--- a/jenkins/client/job/validate.yml
+++ b/jenkins/client/job/validate.yml
@@ -1,6 +1,4 @@
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       view:
@@ -196,10 +194,6 @@
             credentials: "gerrit"
             script: cvp-runner.groovy
           param:
-            DEBUG_MODE:
-              type: boolean
-              default: 'false'
-              description: Enable if you need to keep container after the test and debug
             IMAGE:
               type: string
               default: ${_param:docker_image_cvp_sanity_checks}
@@ -211,22 +205,12 @@
             SALT_MASTER_CREDENTIALS:
               type: string
               default: "salt"
-            TESTS_REPO:
-              type: string
-              default: ""
-              description: Url for cvp-sanity-checks
-            TESTS_SETTINGS:
-              type: string
-              default: ""
-              description: e.g. skipped_nodes=nal01.local.com,ntw01.local.com
-            TESTS_SET:
-              type: string
-              default: "cvp-sanity/cvp_checks/tests"
-              description: "Leave as is for full run or add a filename, e.g. _default_path_/test_mtu.py"
-            PROXY:
-              type: string
-              default: ""
-              description: "Proxy address to use to access the Internet. For offline mode, use \"offline\" value."
+            EXTRA_PARAMS:
+              type: text
+              default: |
+                envs:
+                  - tests_set=''
+              description: "YAML context with additional parameters, e.g. skipped_nodes=nal01.local.com,ntw01.local.com or tests_set='tests/test_mtu.py'"
         cvp-func:
           type: workflow-scm
           name: cvp-func
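Review bot: `EXTRA_PARAMS` replaces four typed parameters with one free-form text field, and its description does not say which keys the pipeline accepts or that entries belong under `envs:` as `key=value`. Judging from the default, those entries presumably become environment variables for the test run, so whoever can start the job can set arbitrary variables unless cvp-runner.groovy filters them. That file is not part of this diff, so this needs confirming. I would list the supported keys in the description, as the `cvp-spt` hunk further down does (`Additional params: HW_NODES, ...`). The same applies to the `EXTRA_PARAMS` added in the `@@ -433,22 +466,12 @@` and `@@ -481,22 +500,14 @@` hunks.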
@@ -262,7 +246,7 @@
               description: Credentials to the Salt API
             TEST_IMAGE:
               type: string
-              default: "xrally/xrally-openstack:0.10.1"
+              default: "xrally/xrally-openstack:0.11.2"
               description: Docker image to use for running Rally/Tempest
             TARGET_NODE:
               type: string
@@ -289,7 +273,7 @@
               description: URL to Tempest repo (local or remote) or path to tempest folder in container
             TOOLS_REPO:
               type: string
-              default: "https://github.com/Mirantis/cvp-configuration"
+              default: "https://github.com/Mirantis/cvp-configuration -b 2019.2.0"
               description: URL of repo where testing tools, scenarios, configs are located.
         cvp-ha:
           type: workflow-scm
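Review bot: The new `TOOLS_REPO` default puts a git option inside a value that the description still calls a URL: `"https://github.com/Mirantis/cvp-configuration -b 2019.2.0"`. That only works if the pipeline pastes the string into a clone command line, in which case anything else entered in this parameter lands on that command line too. The pipeline is not in this diff, so this is an inference. A separate branch parameter passed as its own argument (for example `TOOLS_REPO_BRANCH`, name suggested) would avoid that, and the description should state which form is expected. The same default is introduced in the `cvp-ha` and `cvp-perf` hunks below.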
@@ -322,7 +306,7 @@
               description: Node where container with tempest will be run
             TEST_IMAGE:
               type: string
-              default: "xrally/xrally-openstack:0.10.1"
+              default: "xrally/xrally-openstack:0.11.2"
               description: Docker image to use for running Rally/Tempest
             TARGET_NODES:
               type: string
@@ -358,8 +342,53 @@
               description: Can be repo url (local or remote) or path to folder (inside container) with Tempest
             TOOLS_REPO:
               type: string
-              default: "https://github.com/Mirantis/cvp-configuration"
+              default: "https://github.com/Mirantis/cvp-configuration -b 2019.2.0"
               description: URL of repo where testing tools, scenarios, configs are located.
+        cvp-tempest:
+          type: workflow-scm
+          name: cvp-tempest
+          display_name: "CVP-Tempest (technical preview)"
+          discard:
+            build:
+              keep_num: 20
+            artifact:
+              keep_num: 20
+          concurrent: false
+          scm:
+            type: git
+            url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
+            branch: "${_param:jenkins_pipelines_branch}"
+            credentials: "gerrit"
+            script: cvp-tempest.groovy
+          param:
+            PREPARE_RESOURCES:
+              type: boolean
+              default: true
+              description: Prepare resources for Tempest
+            SALT_MASTER_URL:
+              type: string
+              default: "${_param:jenkins_salt_api_url}"
+              description: SALT_MASTER_URL
+            TEMPEST_TEST_PATTERN:
+              type: string
+              default: "set=smoke"
+              description: Use set=smoke, set=full or just test name (regex)
+            TEMPEST_ENDPOINT_TYPE:
+              type: choice
+              choices:
+                - internalURL
+                - adminURL
+                - publicURL
+              description: Openstack endpoint type to use during test run.
+            EXTRA_PARAMS:
+              type: text
+              default:  |
+                ---
+                  DEBUG_MODE: false
+                  GENERATE_CONFIG: true
+                  TEST_IMAGE: "docker-prod-virtual.docker.mirantis.net/mirantis/cicd/ci-tempest:${_param:openstack_version}"
+                  report_prefix: "cvp_"
+              description: YAML context with additional parameters
         cvp-perf:
           type: workflow-scm
           name: cvp-perf
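Review bot: `PREPARE_RESOURCES` in the new `cvp-tempest` job uses a bare `default: true`, whereas the other boolean parameters in these job files use quoted strings (`default: 'true'`, `default: 'false'`). A YAML boolean may be rendered differently from the string by whatever writes the job config, so `default: 'true'` keeps it consistent. The `EXTRA_PARAMS` block scalar also indents its keys two spaces deeper than its `---` line, unlike the `DRIVE_TRAIN_PARAMS` defaults elsewhere in this commit; it still parses, but aligning the keys with `---` avoids surprises. The job declares `SALT_MASTER_URL` but no `SALT_MASTER_CREDENTIALS`, unlike the other cvp jobs. If cvp-tempest.groovy falls back to a built-in credential id, a description should say so.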
@@ -387,7 +416,7 @@
               description: Path to scenario file in container
             TEST_IMAGE:
               type: string
-              default: "xrally/xrally-openstack:0.10.1"
+              default: "xrally/xrally-openstack:0.11.2"
               description: Docker image to use for running Rally/Tempest
             SALT_MASTER_URL:
               type: string
@@ -403,7 +432,7 @@
               description: Node where docker container with Rally will be run
             TOOLS_REPO:
               type: string
-              default: "https://github.com/Mirantis/cvp-configuration"
+              default: "https://github.com/Mirantis/cvp-configuration -b 2019.2.0"
               description: URL of repo where testing tools, scenarios, configs are located.
             PROXY:
               type: string
@@ -424,8 +453,12 @@
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
             credentials: "gerrit"
-            script: cvp-stacklight.groovy
+            script: cvp-runner.groovy
           param:
+            IMAGE:
+              type: string
+              default: ${_param:docker_image_cvp_sanity_checks}
+              description: Docker image with tests and all pip dependecies to use for testing
             SALT_MASTER_URL:
               type: string
               default: "${_param:jenkins_salt_api_url}"
@@ -433,22 +466,12 @@
             SALT_MASTER_CREDENTIALS:
               type: string
               default: "salt"
-            TESTS_REPO:
-              type: string
-              default: "http://gerrit.mcp.mirantis.com/mcp/stacklight-pytest -b release/2019.2.0"
-              description: Url for cvp-stacklight-tests
-            TESTS_SETTINGS:
-              type: string
-              default: "SL_AUTOCONF=True;PYTHONPATH=./stacklight-pytest"
-              description: "Additional environment variables to export"
-            TESTS_SET:
-              type: string
-              default: "stacklight-pytest/stacklight_tests/tests/"
-              description: "Leave as is for full run or add a filename, e.g. _default_path_/test_dashboards.py"
-            PROXY:
-              type: string
-              default: ""
-              description: "Proxy address to use to access the Internet."
+            EXTRA_PARAMS:
+              type: text
+              default: |
+                envs:
+                  - SL_AUTOCONF=True
+              description: YAML context with additional parameters
         cvp-spt:
           type: workflow-scm
           name: cvp-spt
@@ -466,10 +489,6 @@
             credentials: "gerrit"
             script: cvp-runner.groovy
           param:
-            DEBUG_MODE:
-              type: boolean
-              default: 'false'
-              description: Enable if you need to keep container after the test and debug
             IMAGE:
               type: string
               default: ${_param:docker_image_cvp_sanity_checks}
@@ -481,22 +500,14 @@
             SALT_MASTER_CREDENTIALS:
               type: string
               default: "salt"
-            TESTS_REPO:
-              type: string
-              default: ""
-              description: Url for cvp-spt repository
-            TESTS_SETTINGS:
-              type: string
-              default: ""
-              description: "Additional environment variables to export, e.g. image_name, networks, HW_NODES"
-            TESTS_SET:
-              type: string
-              default: "cvp-spt/cvp_spt/tests"
-              description: "Leave as is for full run or add a filename, e.g. _default_path_/test_glance.py"
-            PROXY:
-              type: string
-              default: ""
-              description: "Proxy address to use to access the Internet. For offline mode, use \"offline\" value."
+            EXTRA_PARAMS:
+              type: text
+              default: |
+                envs:
+                  - tests_set=''
+                  - image_name='Ubuntu'
+                  - networks=10.101.0.0/24
+              description: 'YAML context with additional parameters. Additional params: HW_NODES, CMP_HOSTS, salt_timeout, skipped_nodes, nova_timeout, iperf_prep_string, IMAGE_SIZE_MB'
         cvp-shaker:
           type: workflow-scm
           name: cvp-shaker
diff --git a/jenkins/client/node.yml b/jenkins/client/node.yml
index e5e4d3b..2de0022 100644
--- a/jenkins/client/node.yml
+++ b/jenkins/client/node.yml
@@ -7,8 +7,7 @@
         master:
           node_mode: Exclusive
           remote_home: /var/lib/jenkins
-          labels:
-            - python
+          num_executors: 0
           launcher:
             type: master
         slave01:
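Review bot: `num_executors: 0` is added without a comment, although it is the line that stops builds from running on the Jenkins master itself. A short comment such as `# no executors on the master: builds run on agents only` would keep it from being reverted by accident. Removing the `python` label at the same time means any job still pinned to that label needs an agent that carries it; no such job is visible in this hunk. The `master:` mapping starts above the hunk.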
diff --git a/jenkins/client/security/csrf.yml b/jenkins/client/security/csrf.yml
new file mode 100644
index 0000000..e9c8606
--- /dev/null
+++ b/jenkins/client/security/csrf.yml
@@ -0,0 +1,6 @@
+parameters:
+  jenkins:
+    client:
+      security:
+        csrf:
+          enabled: True
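Review bot: `enabled: True` should be written `enabled: true`; the capitalised form is only a boolean under YAML 1.1 rules, and the Keystone role added in this same commit already uses lowercase `true`. The new class would also benefit from a one-line header comment, e.g. `# Enable CSRF protection in the Jenkins client configuration`, like the `#` headers on the job classes.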
diff --git a/jenkins/client/security/ldap.yml b/jenkins/client/security/ldap.yml
index ba53570..d47e74f 100644
--- a/jenkins/client/security/ldap.yml
+++ b/jenkins/client/security/ldap.yml
@@ -1,7 +1,6 @@
 parameters:
   _param:
     jenkins_security_ldap_manager_dn: ''
-    jenkins_security_ldap_manager_password: ''
     jenkins_security_ldap_user_search_filter: 'uid={0}'
     jenkins_security_ldap_user_search_base: ''
     jenkins_security_ldap_group_search_base: ''
diff --git a/jenkins/slave/init.yml b/jenkins/slave/init.yml
index 20dc641..a0d3e0e 100644
--- a/jenkins/slave/init.yml
+++ b/jenkins/slave/init.yml
@@ -7,7 +7,6 @@
     java_environment_version: "8"
     java_environment_platform: openjdk
     jenkins_slave_user: none
-    jenkins_slave_password: none
     jenkins_master_host: ${_param:control_vip_address}
   java:
     environment:
@@ -23,8 +22,8 @@
         port: ${_param:jenkins_master_port}
         protocol: ${_param:jenkins_master_protocol}
       user:
-        name: ${_param:jenkins_slave_user}
-        password: ${_param:jenkins_slave_password}
+        name: ${_param:jenkins_client_user}
+        password: ${_param:jenkins_client_password}
   linux:
     system:
       user:
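Review bot: Agents now log in to the master with `${_param:jenkins_client_user}` and `${_param:jenkins_client_password}` instead of a dedicated agent account. If that is the administrative account used to configure Jenkins (its definition is not visible here), every agent node then holds admin credentials, where an account limited to agent connection would be enough. I would keep a separate agent account and only drop the hard-coded default password. `jenkins_slave_user: none` in the first hunk of this file stays defined but is no longer referenced by these lines.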
diff --git a/keepalived/cluster/instance/kube_api_server_vip.yml b/keepalived/cluster/instance/kube_api_server_vip.yml
index f7fbce8..42d95f1 100644
--- a/keepalived/cluster/instance/kube_api_server_vip.yml
+++ b/keepalived/cluster/instance/kube_api_server_vip.yml
@@ -8,7 +8,6 @@
     keepalived_kube_apiserver_vrrp_script_content: "pidof haproxy && systemctl status kube-apiserver.service --quiet --no-pager"
     keepalived_k8s_apiserver_vip_interface: ens3
     keepalived_k8s_apiserver_vip_address: ${_param:kubernetes_control_address}
-    keepalived_k8s_apiserver_vip_password: password
   keepalived:
     cluster:
       vrrp_scripts:
@@ -25,4 +24,4 @@
           interface: ${_param:keepalived_k8s_apiserver_vip_interface}
           virtual_router_id: 60
           priority: ${_param:keepalived_vip_priority}
-          track_script: k8s_vip
\ No newline at end of file
+          track_script: k8s_vip
diff --git a/keepalived/cluster/instance/openstack_barbican_vip.yml b/keepalived/cluster/instance/openstack_barbican_vip.yml
index 3c733c4..f6e430f 100644
--- a/keepalived/cluster/instance/openstack_barbican_vip.yml
+++ b/keepalived/cluster/instance/openstack_barbican_vip.yml
@@ -3,7 +3,6 @@
 parameters:
   _param:
     keepalived_openstack_barbican_vip_address: ${_param:cluster_vip_address}
-    keepalived_openstack_barbican_vip_password: password
     keepalived_openstack_barbican_vip_interface: eth1
     keepalived_vip_virtual_router_id: 250
     keepalived_vip_address: ${_param:keepalived_openstack_barbican_vip_address}
diff --git a/keepalived/cluster/instance/openstack_baremetal_vip.yml b/keepalived/cluster/instance/openstack_baremetal_vip.yml
index 355cf53..fe2b527 100644
--- a/keepalived/cluster/instance/openstack_baremetal_vip.yml
+++ b/keepalived/cluster/instance/openstack_baremetal_vip.yml
@@ -5,7 +5,6 @@
 parameters:
   _param:
     keepalived_openstack_baremetal_vip_address: ${_param:cluster_baremetal_vip_address}
-    keepalived_openstack_baremetal_password: password
     keepalived_openstack_baremetal_vip_interface: eth1
     keepalived_openstack_baremetal_vip_virtual_router_id: 132
     keepalived_openstack_baremetal_vip_priority: ${_param:keepalived_vip_priority}
diff --git a/keepalived/cluster/instance/openstack_manila_vip.yml b/keepalived/cluster/instance/openstack_manila_vip.yml
index d8330c4..b87d998 100644
--- a/keepalived/cluster/instance/openstack_manila_vip.yml
+++ b/keepalived/cluster/instance/openstack_manila_vip.yml
@@ -3,7 +3,6 @@
 parameters:
   _param:
     keepalived_openstack_manila_vip_address: ${_param:cluster_vip_address}
-    keepalived_openstack_manila_vip_password: password
     keepalived_openstack_manila_vip_interface: eth1
     keepalived_vip_virtual_router_id: 235
     keepalived_vip_address: ${_param:keepalived_openstack_manila_vip_address}
diff --git a/keepalived/cluster/instance/openstack_telemetry_vip.yml b/keepalived/cluster/instance/openstack_telemetry_vip.yml
index 5dc91a1..92aa048 100644
--- a/keepalived/cluster/instance/openstack_telemetry_vip.yml
+++ b/keepalived/cluster/instance/openstack_telemetry_vip.yml
@@ -3,7 +3,6 @@
 parameters:
   _param:
     keepalived_openstack_telemetry_vip_address: ${_param:cluster_vip_address}
-    keepalived_openstack_telemetry_vip_password: password
     keepalived_openstack_telemetry_vip_interface: eth1
     keepalived_vip_virtual_router_id: 230
     keepalived_vip_address: ${_param:keepalived_openstack_telemetry_vip_address}
diff --git a/keepalived/cluster/instance/openstack_web_public_vip.yml b/keepalived/cluster/instance/openstack_web_public_vip.yml
index 363f23b..3efebd2 100644
--- a/keepalived/cluster/instance/openstack_web_public_vip.yml
+++ b/keepalived/cluster/instance/openstack_web_public_vip.yml
@@ -5,7 +5,6 @@
 parameters:
   _param:
     keepalived_openstack_web_public_vip_address: ${_param:cluster_vip_address}
-    keepalived_openstack_web_public_vip_password: password
     keepalived_openstack_web_public_vip_interface: eth1
   keepalived:
     cluster:
diff --git a/keystone/client/service/radosgw-swift.yml b/keystone/client/service/radosgw-swift.yml
index e93f9b4..c8b6569 100644
--- a/keystone/client/service/radosgw-swift.yml
+++ b/keystone/client/service/radosgw-swift.yml
@@ -8,6 +8,8 @@
     client:
       server:
         identity:
+          roles:
+          - ResellerAdmin
           project:
             service:
               user:
@@ -16,6 +18,11 @@
                   password: ${_param:keystone_swift_password}
                   email: ${_param:admin_email}
                   options: ${_param:openstack_service_user_options}
+            admin:
+              user:
+                admin:
+                  roles:
+                  - ResellerAdmin
           service:
             radosgw-swift:
               type: object-store
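Review bot: The added `admin:` block assigns the `ResellerAdmin` role to the `admin` user, and nothing in the file says why that user needs it. In Swift-compatible object stores this role conventionally permits operations on every account, so the grant deserves a stated reason. A comment above the block, e.g. `# admin needs ResellerAdmin for <reason>`, would make it reviewable; if only one tool needs it, a dedicated user would be narrower. The v3 class (keystone/client/v3/service/radosgw-swift.yml) adds the same assignment in its second hunk.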
diff --git a/keystone/client/v3/service/radosgw-swift.yml b/keystone/client/v3/service/radosgw-swift.yml
index ca06fed..2e78bb9 100644
--- a/keystone/client/v3/service/radosgw-swift.yml
+++ b/keystone/client/v3/service/radosgw-swift.yml
@@ -6,6 +6,10 @@
     client:
       resources:
         v3:
+          roles:
+            reseller_admin:
+              name: ResellerAdmin
+              enabled: true
           users:
             swift:
               password: ${_param:keystone_swift_password}
@@ -15,6 +19,11 @@
                 service_admin:
                   name: admin
                   project_id: service
+            admin:
+              roles:
+                reseller_admin:
+                  name: ResellerAdmin
+                  project_id: admin
           services:
             radosgw-swift:
               type: object-store
diff --git a/keystone/server/cluster.yml b/keystone/server/cluster.yml
index 7e9ea1b..824c6b5 100644
--- a/keystone/server/cluster.yml
+++ b/keystone/server/cluster.yml
@@ -37,7 +37,7 @@
       region: ${_param:openstack_region}
       bind:
         address: ${_param:cluster_local_address}
-        private_address: ${_param:cluster_vip_address}
+        private_address: ${_param:openstack_service_host}
         private_port: 35357
         public_address: ${_param:cluster_vip_address}
         public_port: 5000
diff --git a/keystone/server/single.yml b/keystone/server/single.yml
index 9663488..014a6dc 100644
--- a/keystone/server/single.yml
+++ b/keystone/server/single.yml
@@ -9,10 +9,8 @@
 parameters:
   _param:
     keystone_service_token: token
-    keystone_admin_password: password
     mysql_admin_user: root
-    mysql_admin_password: password
-    mysql_keystone_password: password
+    keystone_tokens_expiration: 3600
     openstack_node_role: primary
     keystone_service_protocol: ${_param:cluster_internal_protocol}
   linux:
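Review bot: `keystone_service_token: token` stays in the class as a context line while the default passwords around it are removed. If that value is still consumed as the Keystone admin token (the consumer is not visible here), a deployment that forgets to override it keeps a guessable bootstrap token, which is the situation that dropping the password defaults is meant to prevent. I would delete that line in the same change so the parameter has to be supplied per environment. The `_param` mapping continues outside the hunk.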
diff --git a/kibana/client/ssl.yml b/kibana/client/ssl.yml
new file mode 100644
index 0000000..76160c6
--- /dev/null
+++ b/kibana/client/ssl.yml
@@ -0,0 +1,5 @@
+parameters:
+  kibana:
+    client:
+      server:
+        scheme: https
diff --git a/kibana/server/single.yml b/kibana/server/single.yml
index 965f274..5c59588 100644
--- a/kibana/server/single.yml
+++ b/kibana/server/single.yml
@@ -13,4 +13,5 @@
         engine: elasticsearch
         host: ${_param:kibana_elasticsearch_host}
         port: 9200
+        scheme: http
 
diff --git a/kibana/server/ssl.yml b/kibana/server/ssl.yml
new file mode 100644
index 0000000..5b049f8
--- /dev/null
+++ b/kibana/server/ssl.yml
@@ -0,0 +1,5 @@
+parameters:
+  kibana:
+    server:
+      database:
+        scheme: https
diff --git a/kubernetes/common/init.yml b/kubernetes/common/init.yml
index 3ab1085..4153f57 100644
--- a/kubernetes/common/init.yml
+++ b/kubernetes/common/init.yml
@@ -38,9 +38,9 @@
     kubernetes_calico_cni_source_hash: md5=2544bc1865c1451cac7a61264c25a2cb
     kubernetes_calico_cni_ipam_source: ${_param:kubernetes_calico_cni_repo}/calico-ipam-v3.3.2
     kubernetes_calico_cni_ipam_source_hash: md5=b22623eeea3b29ba8ec071d859ac7055
-    kubernetes_hyperkube_source: ${_param:kubernetes_hyperkube_repo}/hyperkube_v1.13.5-3_1553734030770
-    kubernetes_hyperkube_source_hash: md5=50e76be5db36adcffe24ede633e428d2
-    kubernetes_pause_image: ${_param:mcp_docker_registry}/mirantis/kubernetes/pause-amd64:v1.13.5-3
+    kubernetes_hyperkube_source: ${_param:kubernetes_hyperkube_repo}/hyperkube_v1.13.6-4_1559029385616
+    kubernetes_hyperkube_source_hash: md5=0746e3e541794b1a85f7c55e8280bdd7
+    kubernetes_pause_image: ${_param:mcp_docker_registry}/mirantis/kubernetes/pause-amd64:v1.13.6-4
     kubernetes_virtlet_image: ${_param:kubernetes_virtlet_repo}/virtlet:v1.5.0
     kubernetes_criproxy_version: v0.14.0
     kubernetes_criproxy_checksum: md5=f0fa669295a156a588f3480c9909e6fd
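Review bot: The updated `kubernetes_hyperkube_source_hash` is still an `md5=` digest, which does not resist deliberate collisions and so gives little assurance that the downloaded binary is the intended one. Since the value is being replaced anyway, I would switch to SHA-256, `kubernetes_hyperkube_source_hash: sha256=<sha256 of the new hyperkube artifact>`, provided the consuming state accepts that form. The `kubernetes_cniplugins_source_hash` changed in a later hunk of this file has the same issue, as do the unchanged `md5=` values in the context lines.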
@@ -50,7 +50,7 @@
     kubernetes_dnsmasq_image: ${_param:kubernetes_kubedns_repo}/k8s-dns-dnsmasq-amd64:1.14.5
     kubernetes_sidecar_image: ${_param:kubernetes_kubedns_repo}/k8s-dns-sidecar-amd64:1.14.5
     kubernetes_dns_autoscaler_image: ${_param:kubernetes_kubedns_repo}/cluster-proportional-autoscaler-amd64:1.0.0
-    kubernetes_externaldns_image: ${_param:kubernetes_externaldns_repo}/external-dns:v0.5.11-4
+    kubernetes_externaldns_image: ${_param:kubernetes_externaldns_repo}/external-dns:v0.5.14-5
     kubernetes_genie_source: ${_param:kubernetes_genie_repo}/genie_v2.0-1-g209d3c4
     kubernetes_genie_source_hash: md5=fa7a27ecbb9f800c1b705f87c64f6226
     kubernetes_flannel_image: ${_param:kubernetes_flannel_repo}/flannel:v0.10.0-amd64
@@ -58,17 +58,17 @@
     kubernetes_metallb_speaker_image: ${_param:kubernetes_metallb_repo}/speaker:v0.7.3-2
     kubernetes_sriov_source: ${_param:kubernetes_sriov_repo}/sriov_v0.3-9-g3b31f1a
     kubernetes_sriov_source_hash: md5=cd9ea01e80d260218260314447c23b30
-    kubernetes_cniplugins_source: ${_param:kubernetes_cniplugins_repo}/containernetworking-plugins_v0.7.2-173-g8db2808.tar.gz
-    kubernetes_cniplugins_source_hash: md5=1861ab0c880fff58e7e8299e3dad8a0b
+    kubernetes_cniplugins_source: ${_param:kubernetes_cniplugins_repo}/containernetworking-plugins_v0.8.0-7-g70fb96e.tar.gz
+    kubernetes_cniplugins_source_hash: md5=6311ce5044ab76ad7de665f359988854
     kubernetes_dashboard_image: ${_param:kubernetes_dashboard_repo}/kubernetes-dashboard-amd64:v1.10.1-2
     kubernetes_telegraf_image: ${_param:mcp_docker_registry}/openstack-docker/telegraf:2018.8.0
     kubernetes_coredns_image: ${_param:kubernetes_coredns_repo}/coredns:v1.4.0-96
-    kubernetes_ingressnginx_controller_image: ${_param:kubernetes_ingressnginx_repo}/nginx-ingress-controller-amd64:nginx-0.23.0-4
+    kubernetes_ingressnginx_controller_image: ${_param:kubernetes_ingressnginx_repo}/nginx-ingress-controller-amd64:nginx-0.24.1-5
     kubernetes_corends_etcd_operator_image: ${_param:kubernetes_corends_etcd_operator_repo}/etcd-operator:v0.9.3
     kubernetes_containerd_source: ${_param:kubernetes_containerd_repo}/v1.12.0/crictl-v1.12.0-linux-amd64.tar.gz
     kubernetes_containerd_source_hash: md5=ff60b9ddfa5617f7ed14b3f3b6a60056
     # images for formula compatibility
-    kubernetes_hyperkube_image: ${_param:mcp_docker_registry}/mirantis/kubernetes/hyperkube-amd64:v1.13.5-3
+    kubernetes_hyperkube_image: ${_param:mcp_docker_registry}/mirantis/kubernetes/hyperkube-amd64:v1.13.6-4
     kubernetes_calico_cni_image: ${_param:mcp_docker_registry}/mirantis/projectcalico/calico/cni:v3.3.2
     kubernetes_calico_calicoctl_image: ${_param:mcp_docker_registry}/mirantis/projectcalico/calico/ctl:v3.3.2
     kubernetes_containerd_package: containerd=1.2.5-2~u16.04+mcp
@@ -131,7 +131,6 @@
     kubernetes_openstack_provider_binary: ${_param:kubernetes_openstack_provider_repo}/openstack-cloud-controller-manager_v0.3.0-2_1549884015986
     kubernetes_openstack_provider_binary_hash: md5=fd19a97527009aac72de7997744885fb
     kubernetes_openstack_provider_cloud_user: admin
-    kubernetes_openstack_provider_cloud_password: secret
     kubernetes_openstack_provider_cloud_auth_url: http://127.0.0.1:5000/v3
     kubernetes_openstack_provider_cloud_tenant_id: tenant_id
     kubernetes_openstack_provider_cloud_domain_id: default
diff --git a/kubernetes/control/opencontrail.yml b/kubernetes/control/opencontrail.yml
index 75e3b0d..8cdd97c 100644
--- a/kubernetes/control/opencontrail.yml
+++ b/kubernetes/control/opencontrail.yml
@@ -1,12 +1,10 @@
 parameters:
   _param:
     opencontrail_identity_user: admin
-    opencontrail_identity_password: contrail123
     opencontrail_identity_tenant: admin
     opencontrail_public_ip_range: 172.17.47.128/25
     opencontrail_public_ip_network: default-domain:default-project:Public
     opencontrail_private_ip_range: 10.150.0.0/16
-    opencontrail_message_queue_password: guest
   kubernetes:
     pool:
       network:
diff --git a/neutron/compute/cluster.yml b/neutron/compute/cluster.yml
index c8a0922..0766df7 100644
--- a/neutron/compute/cluster.yml
+++ b/neutron/compute/cluster.yml
@@ -14,6 +14,9 @@
         python-pymysql:
           fromrepo: ${_param:openstack_version}
           version: latest
+      kernel:
+        sysctl:
+          fs.inotify.max_user_instances: 4096
   neutron:
     compute:
       dvr: ${_param:neutron_compute_dvr}
diff --git a/nginx/server/proxy/salt_api.yml b/nginx/server/proxy/salt_api.yml
new file mode 100644
index 0000000..f559ef4
--- /dev/null
+++ b/nginx/server/proxy/salt_api.yml
@@ -0,0 +1,28 @@
+parameters:
+  _param:
+    nginx_proxy_salt_api_proxy_port: ${_param:salt_master_api_port}
+    nginx_proxy_ssl:
+      enabled: true
+      authority: ${_param:salt_minion_ca_authority}
+      engine: salt
+      key_file:   /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}.key
+      cert_file:  /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}.crt
+      all_file:   /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}-chain-with-key.pem
+      ca_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}-ca.pem
+  nginx:
+    server:
+      enabled: true
+      site:
+        nginx_proxy_salt_api:
+          enabled: true
+          type: nginx_proxy
+          name: salt_api
+          proxy:
+            host: ${_param:infra_config_hostname}.${_param:cluster_domain}
+            port: ${_param:nginx_proxy_salt_api_proxy_port}
+            protocol: ${_param:nginx_proxy_salt_api_proxy_protocol}
+          host:
+            name: ${_param:infra_config_hostname}.${_param:cluster_domain}
+            port: ${_param:nginx_proxy_salt_api_site_port}
+            protocol: ${_param:nginx_proxy_salt_api_site_protocol}
+          ssl: ${_param:nginx_proxy_ssl}
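Review bot: `nginx_proxy_ssl` is defined under `_param` with key and certificate paths that belong only to the salt_api certificate, yet the parameter name is generic. Any other proxy class on the same node that references `${_param:nginx_proxy_ssl}` would pick up the Salt API key and chain after reclass merging (inferred, as the other proxy classes are not in this hunk). A site-specific name keeps the key scoped to this vhost: `nginx_proxy_salt_api_ssl:` in `_param` and `ssl: ${_param:nginx_proxy_salt_api_ssl}` on the site. Separately, `nginx_proxy_salt_api_proxy_protocol`, `nginx_proxy_salt_api_site_port` and `nginx_proxy_salt_api_site_protocol` get no default in this file. A header comment should list them as required inputs and state that the site protocol is expected to be `https`, since this vhost fronts the Salt API.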
diff --git a/nginx/server/proxy/ssl.yml b/nginx/server/proxy/ssl.yml
index 66a1938..fdd95a5 100644
--- a/nginx/server/proxy/ssl.yml
+++ b/nginx/server/proxy/ssl.yml
@@ -8,18 +8,14 @@
       dhparam:
         enabled: True
         numbits: 2048
-      ecdh_curve:
-        secp521r1:
-          name: 'secp521r1'
-          enabled: True
       prefer_server_ciphers: "on"
       protocols:
         TLSv1:
           name: 'TLSv1'
-          enabled: True
+          enabled: False
         TLSv1.1:
           name: 'TLSv1.1'
-          enabled: True
+          enabled: False
         TLSv1.2:
           name: 'TLSv1.2'
           enabled: True
@@ -28,16 +24,16 @@
       ciphers:
         ECDHE-ECDSA-CHACHA20-POLY1305:
           name: 'ECDHE-ECDSA-CHACHA20-POLY1305'
-          enabled: True
+          enabled: False
         ECDHE-RSA-CHACHA20-POLY1305:
           name: 'ECDHE-RSA-CHACHA20-POLY1305'
-          enabled: True
+          enabled: False
         ECDHE-ECDSA-AES128-GCM-SHA256:
           name: 'ECDHE-ECDSA-AES128-GCM-SHA256'
-          enabled: True
+          enabled: False
         ECDHE-RSA-AES128-GCM-SHA256:
           name: 'ECDHE-RSA-AES128-GCM-SHA256'
-          enabled: True
+          enabled: False
         ECDHE-ECDSA-AES256-GCM-SHA384:
           name: 'ECDHE-ECDSA-AES256-GCM-SHA384'
           enabled: True
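Review bot: The resulting cipher list drops AEAD suites while keeping CBC-mode ones. Here `ECDHE-ECDSA-CHACHA20-POLY1305`, `ECDHE-RSA-CHACHA20-POLY1305` and both `ECDHE-*-AES128-GCM-SHA256` entries are set to `enabled: False`, while the next hunk leaves `ECDHE-RSA-AES256-SHA384` and `ECDHE-ECDSA-AES256-SHA384` (CBC with HMAC-SHA384) at `True`. If the intent is a 256-bit-only policy, a comment above `ciphers:` should say so, and the two CBC entries should also get `enabled: False` so that only the AES256-GCM suites remain. Otherwise the ChaCha20-Poly1305 entries should stay `enabled: True`. Whether TLSv1.3 is enabled cannot be seen from these hunks, so it is worth checking that clients still have a common suite after the change.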
@@ -46,76 +42,76 @@
           enabled: True
         DHE-RSA-AES128-GCM-SHA256:
           name: 'DHE-RSA-AES128-GCM-SHA256'
-          enabled: True
+          enabled: False
         DHE-RSA-AES256-GCM-SHA384:
           name: 'DHE-RSA-AES256-GCM-SHA384'
-          enabled: True
+          enabled: False
         ECDHE-ECDSA-AES128-SHA256:
           name: 'ECDHE-ECDSA-AES128-SHA256'
-          enabled: True
+          enabled: False
         ECDHE-RSA-AES128-SHA256:
           name: 'ECDHE-RSA-AES128-SHA256'
-          enabled: True
+          enabled: False
         ECDHE-ECDSA-AES128-SHA:
           name: 'ECDHE-ECDSA-AES128-SHA'
-          enabled: True
+          enabled: False
         ECDHE-RSA-AES256-SHA384:
           name: 'ECDHE-RSA-AES256-SHA384'
           enabled: True
         ECDHE-RSA-AES128-SHA:
           name: 'ECDHE-RSA-AES128-SHA'
-          enabled: True
+          enabled: False
         ECDHE-ECDSA-AES256-SHA384:
           name: 'ECDHE-ECDSA-AES256-SHA384'
           enabled: True
         ECDHE-ECDSA-AES256-SHA:
           name: 'ECDHE-ECDSA-AES256-SHA'
-          enabled: True
+          enabled: False
         ECDHE-RSA-AES256-SHA:
           name: 'ECDHE-RSA-AES256-SHA'
-          enabled: True
+          enabled: False
         DHE-RSA-AES128-SHA256:
           name: 'DHE-RSA-AES128-SHA256'
-          enabled: True
+          enabled: False
         DHE-RSA-AES128-SHA:
           name: 'DHE-RSA-AES128-SHA'
-          enabled: True
+          enabled: False
         DHE-RSA-AES256-SHA256:
           name: 'DHE-RSA-AES256-SHA256'
-          enabled: True
+          enabled: False
         DHE-RSA-AES256-SHA:
           name: 'DHE-RSA-AES256-SHA'
-          enabled: True
+          enabled: False
         ECDHE-ECDSA-DES-CBC3-SHA:
           name: 'ECDHE-ECDSA-DES-CBC3-SHA'
-          enabled: True
+          enabled: False
         ECDHE-RSA-DES-CBC3-SHA:
           name: 'ECDHE-RSA-DES-CBC3-SHA'
-          enabled: True
+          enabled: False
         EDH-RSA-DES-CBC3-SHA:
           name: 'EDH-RSA-DES-CBC3-SHA'
-          enabled: True
+          enabled: False
         AES128-GCM-SHA256:
           name: 'AES128-GCM-SHA256'
-          enabled: True
+          enabled: False
         AES256-GCM-SHA384:
           name: 'AES256-GCM-SHA384'
-          enabled: True
+          enabled: False
         AES128-SHA256:
           name: 'AES128-SHA256'
-          enabled: True
+          enabled: False
         AES256-SHA256:
           name: 'AES256-SHA256'
-          enabled: True
+          enabled: False
         AES256-SHA:
           name: 'AES256-SHA'
-          enabled: True
+          enabled: False
         AES128-SHA:
           name: 'AES128-SHA'
-          enabled: True
+          enabled: False
         DES-CBC3-SHA:
           name: 'DES-CBC3-SHA'
-          enabled: True
+          enabled: False
         removeDSS:
           name: '!DSS'
-          enabled: True
\ No newline at end of file
+          enabled: True
diff --git a/nova/control/cluster.yml b/nova/control/cluster.yml
index 5533cf9..437f3c1 100644
--- a/nova/control/cluster.yml
+++ b/nova/control/cluster.yml
@@ -13,7 +13,6 @@
     nova_cpu_allocation_ratio: 16.0
     nova_ram_allocation_ratio: 1.5
     nova_disk_allocation_ratio: 1.0
-    metadata_password: metadataPass
   linux:
     system:
       package:
diff --git a/opencontrail/compute/cluster.yml b/opencontrail/compute/cluster.yml
index 7cdcdf6..32153df 100644
--- a/opencontrail/compute/cluster.yml
+++ b/opencontrail/compute/cluster.yml
@@ -4,6 +4,7 @@
 - opencontrail
 parameters:
   _param:
+    opencontrail_version: 3.0
     opencontrail_compute_iface_mask: 24
   opencontrail:
     common:
@@ -11,25 +12,15 @@
       identity:
         engine: keystone
         host: ${_param:openstack_control_address}
-        port: 35357
+        port: ${_param:opencontrail_identity_port}
         token: ${_param:keystone_service_token}
         password: ${_param:keystone_admin_password}
       network:
-        engine: neutron
         host: ${_param:opencontrail_control_address}
-        port: 9696
     compute:
       version: ${_param:opencontrail_version}
-      disable_flow_collection: true
-      enabled: True
+      disable_flow_collection: True
       bind:
         address: ${_param:single_address}
       discovery:
         host: ${_param:opencontrail_control_address}
-      interface:
-        address: ${_param:opencontrail_compute_address}
-        dev: ${_param:opencontrail_compute_iface}
-        gateway: ${_param:opencontrail_compute_gateway}
-        mask: ${_param:opencontrail_compute_iface_mask}
-        dns: ${_param:opencontrail_compute_dns}
-        mtu: 9000
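Review bot: `port: ${_param:opencontrail_identity_port}` replaces the literal 35357, but no default for `opencontrail_identity_port` is set in the `_param` block touched by the first hunk of this file. Rendering therefore depends on another class defining it, which is not visible here. If none does, reclass interpolation fails for every node that includes this class. A default next to the version would keep the previous behaviour: `opencontrail_identity_port: 35357`. The same substitution is made in `opencontrail/compute/cluster4_0.yml`, `opencontrail/compute/single.yml` and `opencontrail/compute/single4_0.yml`.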
diff --git a/opencontrail/compute/cluster4_0.yml b/opencontrail/compute/cluster4_0.yml
index 3cb1514..058463d 100644
--- a/opencontrail/compute/cluster4_0.yml
+++ b/opencontrail/compute/cluster4_0.yml
@@ -1,31 +1,24 @@
-classes:
-  - service.opencontrail.compute.cluster
 applications:
 - opencontrail
+classes:
+  - service.opencontrail.compute.cluster
 parameters:
   _param:
+    opencontrail_version: 4.1
     opencontrail_compute_iface_mask: 24
-    opencontrail_version: 4.0
-    linux_repo_contrail_component: oc40
   opencontrail:
     common:
       version: ${_param:opencontrail_version}
       identity:
         engine: keystone
         host: ${_param:openstack_control_address}
-        port: 35357
+        port: ${_param:opencontrail_identity_port}
         token: ${_param:keystone_service_token}
         password: ${_param:opencontrail_admin_password}
       network:
-        engine: neutron
         host: ${_param:openstack_control_address}
-        port: 9696
     compute:
-      version: ${_param:opencontrail_version}
-      disable_flow_collection: true
-      enabled: True
-      bind:
-        address: ${_param:single_address}
+      disable_flow_collection: True
       config:
         members:
         - host: ${_param:opencontrail_control_node01_address}
@@ -41,10 +34,3 @@
         - host: ${_param:opencontrail_control_node01_address}
         - host: ${_param:opencontrail_control_node02_address}
         - host: ${_param:opencontrail_control_node03_address}
-      interface:
-        address: ${_param:opencontrail_compute_address}
-        dev: ${_param:opencontrail_compute_iface}
-        gateway: ${_param:opencontrail_compute_gateway}
-        mask: ${_param:opencontrail_compute_iface_mask}
-        dns: ${_param:opencontrail_compute_dns}
-        mtu: 9000
diff --git a/opencontrail/compute/single.yml b/opencontrail/compute/single.yml
index 65426c8..2211a69 100644
--- a/opencontrail/compute/single.yml
+++ b/opencontrail/compute/single.yml
@@ -1,7 +1,10 @@
 applications:
 - opencontrail
+classes:
+  - service.opencontrail.compute.single
 parameters:
   _param:
+    opencontrail_version: 3.0
     opencontrail_compute_iface_mask: 24
   opencontrail:
     common:
@@ -9,7 +12,7 @@
       identity:
         engine: keystone
         host: ${_param:control_address}
-        port: 35357
+        port: ${_param:opencontrail_identity_port}
         token: ${_param:keystone_service_token}
         password: ${_param:keystone_admin_password}
       network:
@@ -17,17 +20,8 @@
         host: ${_param:control_address}
         port: 9696
     compute:
-      version: ${_param:opencontrail_version}
-      enabled: True
       discovery:
         host: ${_param:control_address}
-      interface:
-        address: ${_param:opencontrail_compute_address}
-        dev: ${_param:opencontrail_compute_iface}
-        gateway: ${_param:opencontrail_compute_gateway}
-        mask: ${_param:opencontrail_compute_iface_mask}
-        dns: ${_param:opencontrail_compute_dns}
-        mtu: 9000
   nova:
     compute:
       network:
diff --git a/opencontrail/compute/single4_0.yml b/opencontrail/compute/single4_0.yml
index b98522d..952827f 100644
--- a/opencontrail/compute/single4_0.yml
+++ b/opencontrail/compute/single4_0.yml
@@ -1,9 +1,11 @@
 applications:
 - opencontrail
+classes:
+  - service.opencontrail.compute.single
 parameters:
   _param:
+    opencontrail_version: 4.1
     opencontrail_compute_iface_mask: 24
-    opencontrail_version: 4.0
     linux_repo_contrail_component: oc40
   opencontrail:
     common:
@@ -11,7 +13,7 @@
       identity:
         engine: keystone
         host: ${_param:control_address}
-        port: 35357
+        port: ${_param:opencontrail_identity_port}
         token: ${_param:keystone_service_token}
         password: ${_param:opencontrail_admin_password}
       network:
@@ -19,8 +21,6 @@
         host: ${_param:control_address}
         port: 9696
     compute:
-      version: ${_param:opencontrail_version}
-      enabled: True
       config:
         members:
         - host: ${_param:opencontrail_control_node01_address}
@@ -31,11 +31,3 @@
         - host: ${_param:opencontrail_analytics_node01_address}
         - host: ${_param:opencontrail_analytics_node02_address}
         - host: ${_param:opencontrail_analytics_node03_address}
-      interface:
-        address: ${_param:opencontrail_compute_address}
-        dev: ${_param:opencontrail_compute_iface}
-        gateway: ${_param:opencontrail_compute_gateway}
-        mask: ${_param:opencontrail_compute_iface_mask}
-        dns: ${_param:opencontrail_compute_dns}
-        mtu: 9000
-
diff --git a/opencontrail/control/analytics4_0.yml b/opencontrail/control/analytics4_0.yml
index eb29ead..19fefcc 100644
--- a/opencontrail/control/analytics4_0.yml
+++ b/opencontrail/control/analytics4_0.yml
@@ -18,7 +18,6 @@
     opencontrail_message_queue_node02_address: ${_param:openstack_message_queue_node02_address}
     opencontrail_message_queue_node03_address: ${_param:openstack_message_queue_node03_address}
     opencontrail_message_queue_address: ${_param:openstack_message_queue_address}
-    opencontrail_message_queue_password: guest
     opencontrail_analytics_image: ${_param:mcp_docker_registry}/opencontrail-${_param:linux_repo_contrail_component}/opencontrail-analytics:${_param:opencontrail_docker_image_tag}
     opencontrail_analyticsdb_image: ${_param:mcp_docker_registry}/opencontrail-${_param:linux_repo_contrail_component}/opencontrail-analyticsdb:${_param:opencontrail_docker_image_tag}
     opencontrail_analytics_container_name: opencontrail_analytics_1
@@ -92,6 +91,7 @@
               volumes:
                 - /etc/contrail:/etc/contrail
                 - /etc/redis/redis.conf:/etc/redis/redis.conf
+                - /var/crashes:/var/crashes
                 - /var/log/contrail:/var/log/contrail
                 - /var/log/journal/contrail-analytics:/var/log/journal
               env_file:
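Review bot: The new `/var/crashes:/var/crashes` bind mount has no `:ro` suffix, so the analytics container gets read-write access to a host directory meant for crash dumps. Dumps of these services can contain in-memory credentials such as the message-queue and identity passwords. Nothing in this hunk sets ownership or mode for the host path, so that depends on configuration not visible here. A comment on the line would record the expectation, e.g. `# host dir must be root-owned, mode 0700; dumps may contain secrets`. The `volumes` list starts outside this hunk.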
diff --git a/opencontrail/control/cluster4_0.yml b/opencontrail/control/cluster4_0.yml
index 64cbf14..6859b9c 100644
--- a/opencontrail/control/cluster4_0.yml
+++ b/opencontrail/control/cluster4_0.yml
@@ -19,7 +19,6 @@
     opencontrail_message_queue_node02_address: ${_param:openstack_control_node02_address}
     opencontrail_message_queue_node03_address: ${_param:openstack_control_node03_address}
     opencontrail_message_queue_address: ${_param:openstack_control_address}
-    opencontrail_message_queue_password: guest
     opencontrail_analytics_image: ${_param:mcp_docker_registry}/opencontrail-${_param:linux_repo_contrail_component}/opencontrail-analytics:${_param:opencontrail_docker_image_tag}
     opencontrail_analyticsdb_image: ${_param:mcp_docker_registry}/opencontrail-${_param:linux_repo_contrail_component}/opencontrail-analyticsdb:${_param:opencontrail_docker_image_tag}
     opencontrail_controller_image: ${_param:mcp_docker_registry}/opencontrail-${_param:linux_repo_contrail_component}/opencontrail-controller:${_param:opencontrail_docker_image_tag}
diff --git a/opencontrail/control/cluster4_0_k8s.yml b/opencontrail/control/cluster4_0_k8s.yml
index f5f34c1..77c036d 100644
--- a/opencontrail/control/cluster4_0_k8s.yml
+++ b/opencontrail/control/cluster4_0_k8s.yml
@@ -13,7 +13,6 @@
     opencontrail_message_queue_node02_address: ${_param:openstack_control_node02_address}
     opencontrail_message_queue_node03_address: ${_param:openstack_control_node03_address}
     opencontrail_message_queue_address: ${_param:openstack_control_address}
-    opencontrail_message_queue_password: guest
     opencontrail_analytics_image: ${_param:mcp_docker_registry}/opencontrail-${_param:linux_repo_contrail_component}/opencontrail-analytics:${_param:opencontrail_docker_image_tag}
     opencontrail_analyticsdb_image: ${_param:mcp_docker_registry}/opencontrail-${_param:linux_repo_contrail_component}/opencontrail-analyticsdb:${_param:opencontrail_docker_image_tag}
     opencontrail_controller_image: ${_param:mcp_docker_registry}/opencontrail-${_param:linux_repo_contrail_component}/opencontrail-controller:${_param:opencontrail_docker_image_tag}
diff --git a/opencontrail/control/control4_0.yml b/opencontrail/control/control4_0.yml
index fe63ec1..bc37f8e 100644
--- a/opencontrail/control/control4_0.yml
+++ b/opencontrail/control/control4_0.yml
@@ -13,7 +13,6 @@
     opencontrail_message_queue_node01_address: ${_param:openstack_message_queue_node01_address}
     opencontrail_message_queue_node02_address: ${_param:openstack_message_queue_node02_address}
     opencontrail_message_queue_node03_address: ${_param:openstack_message_queue_node03_address}
-    opencontrail_message_queue_password: guest
     opencontrail_controller_image: ${_param:mcp_docker_registry}/opencontrail-${_param:linux_repo_contrail_component}/opencontrail-controller:${_param:opencontrail_docker_image_tag}
     opencontrail_controller_container_name: opencontrail_controller_1
     opencontrail_api_workers_count: 6
diff --git a/opencontrail/control/single4_0.yml b/opencontrail/control/single4_0.yml
index d0573e9..89768d3 100644
--- a/opencontrail/control/single4_0.yml
+++ b/opencontrail/control/single4_0.yml
@@ -15,7 +15,6 @@
     opencontrail_controller_container_name: opencontrail_controller_1
     opencontrail_analytics_container_name: opencontrail_analytics_1
     opencontrail_analyticsdb_container_name: opencontrail_analyticsdb_1
-    opencontrail_message_queue_password: guest
 # Temprorary fix for MOS9 packages to pin old version of kafka
   linux:
     system:
diff --git a/openssh/server/single.yml b/openssh/server/single.yml
index b6055aa..0288a21 100644
--- a/openssh/server/single.yml
+++ b/openssh/server/single.yml
@@ -1,3 +1,37 @@
 classes:
 - service.openssh.server
 - service.openssh.server.cis
+# TODO: Uncomment service.openssh.server.sshd-strong-ciphers
+# when package with https://gerrit.mcp.mirantis.com/#/c/36220/
+# will be published.
+#- service.openssh.server.sshd-strong-ciphers
+# TODO: Remove parameters:openssh:server:ciphers completely
+# when package with https://gerrit.mcp.mirantis.com/#/c/36220/
+# will be published.
+parameters:
+  openssh:
+    server:
+      ciphers:
+        "3des-cbc":
+          enabled: True
+        "aes128-cbc":
+          enabled: True
+        "aes192-cbc":
+          enabled: True
+        "aes256-cbc":
+          enabled: True
+        "aes128-ctr":
+          enabled: True
+        "aes192-ctr":
+          enabled: True
+        "aes256-ctr":
+          enabled: True
+        "aes128-gcm@openssh.com":
+          enabled: True
+        "aes256-gcm@openssh.com":
+          enabled: True
+        "chacha20-poly1305@openssh.com":
+          enabled: True
+        "rijndael-cbc@lysator.liu.se":
+          enabled: True
+
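Review bot: The explicit cipher map enables `3des-cbc`, the three `aes*-cbc` entries and `rijndael-cbc@lysator.liu.se` alongside the CTR, GCM and ChaCha20 ciphers. Until the TODO is resolved, every node including this class offers 3DES and CBC-mode SSH ciphers, even though the same file includes `service.openssh.server.cis`. If the map exists only to override formula defaults (the TODO suggests so, but the formula is not visible here), the interim values can already be the hardened ones. That means `enabled: False` on those five entries, with the `aes*-ctr`, `aes*-gcm@openssh.com` and `chacha20-poly1305@openssh.com` entries left at `True`. If legacy clients require CBC, a comment naming them would make the exception reviewable.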
diff --git a/postgresql/client/init.yml b/postgresql/client/init.yml
index 95fdcdb..1775654 100644
--- a/postgresql/client/init.yml
+++ b/postgresql/client/init.yml
@@ -1,7 +1,6 @@
 parameters:
   _param:
     postgresql_client_user: none
-    postgresql_client_password: none
     postgresql_client_host: ${_param:control_vip_address}
     postgresql_client_port: 5432
   postgresql:
diff --git a/postgresql/client/pushkin/alertmanager.yml b/postgresql/client/pushkin/alertmanager.yml
index 8e413da..bf01013 100644
--- a/postgresql/client/pushkin/alertmanager.yml
+++ b/postgresql/client/pushkin/alertmanager.yml
@@ -4,7 +4,6 @@
   _param:
     alertmanager_db_host: ${_param:haproxy_postgresql_bind_host}
     alertmanager_db_user: alertmanager
-    alertmanager_db_user_password: alertmanager
     webhook_login_id: 13
     webhook_application_id: 24
   postgresql:
diff --git a/postgresql/client/pushkin/init.yml b/postgresql/client/pushkin/init.yml
index 5677646..26f8abe 100644
--- a/postgresql/client/pushkin/init.yml
+++ b/postgresql/client/pushkin/init.yml
@@ -4,7 +4,6 @@
   _param:
     pushkin_db_host: ${_param:haproxy_postgresql_bind_host}
     pushkin_db_user: pushkin
-    pushkin_db_user_password: pushkin
   postgresql:
     client:
       server:
diff --git a/postgresql/client/pushkin/janitor_monkey.yml b/postgresql/client/pushkin/janitor_monkey.yml
index b56d098..78a3b27 100644
--- a/postgresql/client/pushkin/janitor_monkey.yml
+++ b/postgresql/client/pushkin/janitor_monkey.yml
@@ -4,7 +4,6 @@
   _param:
     janmonkey_db_host: ${_param:haproxy_postgresql_bind_host}
     janmonkey_db_user: janmonkey
-    janmonkey_db_user_password: janmonkey
     janmonkey_login_id: 12
     janmonkey_application_id: 2
   postgresql:
diff --git a/postgresql/client/pushkin/security_monkey.yml b/postgresql/client/pushkin/security_monkey.yml
index 18154cd..1ebf4f4 100644
--- a/postgresql/client/pushkin/security_monkey.yml
+++ b/postgresql/client/pushkin/security_monkey.yml
@@ -4,7 +4,6 @@
   _param:
     secmonkey_db_host: ${_param:haproxy_postgresql_bind_host}
     secmonkey_db_user: secmonkey
-    secmonkey_db_user_password: secmonkey
   postgresql:
     client:
       server:
diff --git a/postgresql/client/pushkin/sfdc.yml b/postgresql/client/pushkin/sfdc.yml
index 57af7fe..cfb1236 100644
--- a/postgresql/client/pushkin/sfdc.yml
+++ b/postgresql/client/pushkin/sfdc.yml
@@ -4,7 +4,6 @@
   _param:
     sfdc_db_host: ${_param:haproxy_postgresql_bind_host}
     sfdc_db_user: sfdc
-    sfdc_db_user_password: sfdc
     sfdc_login_id: 14
     sfdc_application_id: 4
   postgresql:
diff --git a/postgresql/client/rundeck.yml b/postgresql/client/rundeck.yml
index 0c1102d..d4cd256 100644
--- a/postgresql/client/rundeck.yml
+++ b/postgresql/client/rundeck.yml
@@ -4,7 +4,6 @@
   _param:
     rundeck_db_host: ${_param:haproxy_postgresql_bind_host}
     rundeck_db_user: rundeck
-    rundeck_db_user_password: password
   postgresql:
     client:
       server:
diff --git a/postgresql/client/security_monkey.yml b/postgresql/client/security_monkey.yml
index ab7a4c8..5693d6c 100644
--- a/postgresql/client/security_monkey.yml
+++ b/postgresql/client/security_monkey.yml
@@ -4,7 +4,6 @@
   _param:
     secmonkey_db_host: ${_param:haproxy_postgresql_bind_host}
     secmonkey_db_user: secmonkey
-    secmonkey_db_user_password: secmonkey
   postgresql:
     client:
       server:
diff --git a/prometheus/elasticsearch_exporter/queries/compute.yml b/prometheus/elasticsearch_exporter/queries/compute.yml
index 66904da..d4bd84f 100644
--- a/prometheus/elasticsearch_exporter/queries/compute.yml
+++ b/prometheus/elasticsearch_exporter/queries/compute.yml
@@ -7,29 +7,16 @@
           #   - compute_instance_event_doc_count{event="example"}
           #   - compute_instance_event_sum_other_doc_count
           #   - compute_instance_event_doc_count_error_upper_bound
-          #   - compute_instance_event_host_doc_count{host="example01",event="example"}
-          #   - compute_instance_event_host_sum_other_doc_count{event="example"}
-          #   - compute_instance_event_host_doc_count_error_upper_bound{event="example"}
           #
           indices: '<notification-{now/d}>'
           interval: 600
           json: |
             {
               "size": 0,
-              "query": {
-                "match_all": {}
-              },
               "aggs": {
                 "event": {
                   "terms": {
                     "field": "event_type.keyword"
-                  },
-                  "aggs": {
-                    "host": {
-                      "terms": {
-                        "field": "Hostname.keyword"
-                      }
-                    }
                   }
                 }
               }
@@ -37,9 +24,9 @@
 
         compute_instance_create_start:
           # Produces metrics:
-          #   - compute_instance_create_start_host_doc_count{host="example01"}
-          #   - compute_instance_create_start_host_event_sum_other_doc_count
-          #   - compute_instance_create_start_host_doc_count_error_upper_bound
+          #   - compute_instance_create_start_event_doc_count
+          #   - compute_instance_create_start_event_sum_other_doc_count
+          #   - compute_instance_create_start_event_doc_count_error_upper_bound
           #   - compute_instance_create_start_hits
           #   - compute_instance_create_start_took_milliseconds
           #
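Review bot: The rewritten `# Produces metrics:` list still names `compute_instance_create_start_event_sum_other_doc_count` and `compute_instance_create_start_event_doc_count_error_upper_bound`. Those two fields come from a `terms` aggregation, whereas the query in the next hunk now uses a `filter` aggregation, whose response carries only `doc_count`. Unless the exporter synthesises them (not visible here), the list should keep only `compute_instance_create_start_event_doc_count`, `compute_instance_create_start_hits` and `compute_instance_create_start_took_milliseconds`. The same applies to the comment hunks for `compute_instance_create_end` and `compute_instance_create_error`. The comment block continues outside this hunk.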
@@ -48,15 +35,12 @@
           json: |
             {
               "size": 0,
-              "query": {
-                "term": {
-                  "event_type": "compute.instance.create.start"
-                }
-              },
               "aggs": {
-                "host": {
-                  "terms": {
-                    "field": "Hostname.keyword"
+                "event": {
+                  "filter": {
+                    "term": {
+                      "event_type.keyword": "compute.instance.create.start"
+                    }
                   }
                 }
               }
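Review bot: Dropping the top-level `query` means the search now matches every document in the index. `compute_instance_create_start_hits` therefore becomes the total notification count rather than the number of `compute.instance.create.start` events, and only the `event` filter bucket carries the per-event figure. Anything that still reads `_hits` (dashboards and alerts are not visible here) silently changes meaning. A comment above `json:` would make that explicit, e.g. `# _hits counts all documents in the index; use _event_doc_count for this event`. The same holds for the `create_end` and `create_error` queries in the following hunks, and the JSON body ends outside this hunk.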
@@ -64,9 +48,9 @@
 
         compute_instance_create_end:
           # Produces metrics:
-          #   - compute_instance_create_end_host_doc_count{host="example01"}
-          #   - compute_instance_create_end_host_event_sum_other_doc_count
-          #   - compute_instance_create_end_host_doc_count_error_upper_bound
+          #   - compute_instance_create_end_event_doc_count
+          #   - compute_instance_create_end_event_sum_other_doc_count
+          #   - compute_instance_create_end_event_doc_count_error_upper_bound
           #   - compute_instance_create_end_hits
           #   - compute_instance_create_end_took_milliseconds
           #
@@ -75,15 +59,12 @@
           json: |
             {
               "size": 0,
-              "query": {
-                "term": {
-                  "event_type": "compute.instance.create.end"
-                }
-              },
               "aggs": {
-                "host": {
-                  "terms": {
-                    "field": "Hostname.keyword"
+                "event": {
+                  "filter": {
+                    "term": {
+                      "event_type.keyword": "compute.instance.create.end"
+                    }
                   }
                 }
               }
@@ -91,9 +72,9 @@
 
         compute_instance_create_error:
           # Produces metrics:
-          #   - compute_instance_create_error_host_doc_count{host="example01"}
-          #   - compute_instance_create_error_host_event_sum_other_doc_count
-          #   - compute_instance_create_error_host_doc_count_error_upper_bound
+          #   - compute_instance_create_error_event_doc_count
+          #   - compute_instance_create_error_event_sum_other_doc_count
+          #   - compute_instance_create_error_event_doc_count_error_upper_bound
           #   - compute_instance_create_error_hits
           #   - compute_instance_create_error_took_milliseconds
           #
@@ -102,17 +83,13 @@
           json: |
             {
               "size": 0,
-              "query": {
-                "term": {
-                  "event_type": "compute.instance.create.error"
-                }
-              },
               "aggs": {
-                "host": {
-                  "terms": {
-                    "field": "Hostname.keyword"
+                "event": {
+                  "filter": {
+                    "term": {
+                      "event_type.keyword": "compute.instance.create.error"
+                    }
                   }
                 }
               }
             }
-
diff --git a/prometheus/gainsight/query/openstack.yml b/prometheus/gainsight/query/openstack.yml
index 40a804b..0e7aab6 100644
--- a/prometheus/gainsight/query/openstack.yml
+++ b/prometheus/gainsight/query/openstack.yml
@@ -16,3 +16,10 @@
         keystone_api: "'Keystone API','avg(avg_over_time(openstack_api_check_status{name=\"keystone\"}[24h]))'"
         glance_api: "'Glance API','avg(avg_over_time(openstack_api_check_status{name=\"glance\"}[24h]))'"
         neutron_api: "'Neutron API','avg(avg_over_time(openstack_api_check_status{name=\"neutron\"}[24h]))'"
+        nova_vm_all: "'Total VM number','avg_over_time(total:openstack_nova_instance_all[1d])'"
+        nova_vm_failed: "'Failed VM number','avg_over_time(total:openstack_nova_instance_failed[1d])'"
+        kpi_downtime: "'KPI Downtime','1 - avg_over_time(total:openstack_nova_instance_failed[1d]) / avg_over_time(total:openstack_nova_instance_all[1d])'"
+        compute_instance_create_start: "'VM creation start','sum(compute_instance_create_start_event_doc_count)'"
+        compute_instance_create_end: "'VM creation end','sum(compute_instance_create_end_event_doc_count)'"
+        compute_instance_create_error: "'VM creation error','sum(compute_instance_create_error_event_doc_count)'"
+
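Review bot: The `kpi_downtime` expression `1 - failed / all` gives the share of instances that did not fail, which reads as availability rather than downtime, so either the `'KPI Downtime'` label or the formula looks inverted. If downtime is meant, the ratio alone would express it: `avg_over_time(total:openstack_nova_instance_failed[1d]) / avg_over_time(total:openstack_nova_instance_all[1d])`. The division also yields NaN whenever `total:openstack_nova_instance_all` averages to zero, which the consumer of this report would need to tolerate. The new entries use `[1d]` where the existing ones use `[24h]`; using one spelling keeps the file uniform.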
diff --git a/rabbitmq/server/cluster.yml b/rabbitmq/server/cluster.yml
index c9de9a8..2971795 100644
--- a/rabbitmq/server/cluster.yml
+++ b/rabbitmq/server/cluster.yml
@@ -1,4 +1,5 @@
 classes:
 - service.rabbitmq.server.cluster
 - service.keepalived.cluster.single
-- service.haproxy.proxy.single
\ No newline at end of file
+- service.haproxy.proxy.single
+- system.rabbitmq.upgrade
diff --git a/rabbitmq/server/single.yml b/rabbitmq/server/single.yml
index 6183f81..9982957 100644
--- a/rabbitmq/server/single.yml
+++ b/rabbitmq/server/single.yml
@@ -1,2 +1,3 @@
 classes:
 - service.rabbitmq.server.single
+- system.rabbitmq.upgrade
diff --git a/rabbitmq/server/vhost/catalog.yml b/rabbitmq/server/vhost/catalog.yml
index 23cb0f2..cd4b0cb 100644
--- a/rabbitmq/server/vhost/catalog.yml
+++ b/rabbitmq/server/vhost/catalog.yml
@@ -12,7 +12,7 @@
             definition: '{"ha-mode": "all", "message-ttl": 120000}'
       admin:
         name: admin
-        password: zeQuooQu47eed8esahpie2Lai8En9ohp
+        password: ${_param:rabbitmq_guest_password}
       bind:
         address: ${_param:single_address}
       management:
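Review bot: The `admin` account's `password:` now resolves to `${_param:rabbitmq_guest_password}`, the same parameter this commit gives the `guest` user in `vhost/opencontrail.yml` and `vhost/openstack/init.yml`, so the administrative and guest accounts would share one credential. If that is not intended, a dedicated parameter keeps them apart: `password: ${_param:rabbitmq_admin_password}`. The literal value removed here stays in the repository history, so any deployment that used it should have that password rotated. The enclosing `admin` mapping starts outside the hunk.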
diff --git a/rabbitmq/server/vhost/opencontrail.yml b/rabbitmq/server/vhost/opencontrail.yml
index 8f88cee..c29f7c8 100644
--- a/rabbitmq/server/vhost/opencontrail.yml
+++ b/rabbitmq/server/vhost/opencontrail.yml
@@ -5,7 +5,7 @@
         '/':
           enabled: true
           user: guest
-          password: guest
+          password: ${_param:rabbitmq_guest_password}
           policies:
           - name: HA
             pattern: '^(?!amq\.).*'
diff --git a/rabbitmq/server/vhost/openstack/init.yml b/rabbitmq/server/vhost/openstack/init.yml
index 50b0814..5b440e7 100644
--- a/rabbitmq/server/vhost/openstack/init.yml
+++ b/rabbitmq/server/vhost/openstack/init.yml
@@ -8,7 +8,7 @@
         '/':
           enabled: true
           user: guest
-          password: guest
+          password: ${_param:rabbitmq_guest_password}
           policies:
           - name: HA
             pattern: '^(?!amq\.).*'
diff --git a/rabbitmq/upgrade/init.yml b/rabbitmq/upgrade/init.yml
new file mode 100644
index 0000000..3a75137
--- /dev/null
+++ b/rabbitmq/upgrade/init.yml
@@ -0,0 +1,4 @@
+parameters:
+  rabbitmq:
+    upgrade:
+      enabled: ${_param:rabbitmq_upgrade_enabled}
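Review bot: `enabled: ${_param:rabbitmq_upgrade_enabled}` references a parameter this new class does not define, while `rabbitmq/server/cluster.yml` and `rabbitmq/server/single.yml` now include `system.rabbitmq.upgrade` unconditionally. Unless every cluster model already sets it elsewhere (not visible here), interpolation would fail for existing models that pick up this change. A default inside the class avoids that: add a `_param:` mapping under `parameters:` containing `rabbitmq_upgrade_enabled: false`.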
diff --git a/salt/control/placement/openstack/golden.yml b/salt/control/placement/openstack/golden.yml
index 03abda5..1212a42 100644
--- a/salt/control/placement/openstack/golden.yml
+++ b/salt/control/placement/openstack/golden.yml
@@ -31,7 +31,7 @@
     openstack_proxy_backend_image: ${_param:salt_control_xenial_image_backend}
     openstack_barbican_backend_image: ${_param:salt_control_xenial_image_backend}
     openstack_dns_backend_image: ${_param:salt_control_xenial_image_backend}
-    openstack_telemetry_backend_image: ${_param:salt_control_trusty_image_backend}
+    openstack_telemetry_backend_image: ${_param:salt_control_xenial_image_backend}
     salt_control_cluster_node_cloud_init_openstack_control:
       user_data:
         write_files:
@@ -74,6 +74,13 @@
             ${salt:control:size:openstack.dns:image_layout}
           owner: root:root
           path: /usr/share/growlvm/image-layout.yml
+    salt_control_cluster_node_cloud_init_openstack_telemetry:
+      user_data:
+        write_files:
+        - content: |
+            ${salt:control:size:openstack.telemetry:image_layout}
+          owner: root:root
+          path: /usr/share/growlvm/image-layout.yml
   salt:
     control:
       cluster:
@@ -194,21 +201,21 @@
             mdb01:
               name: ${_param:openstack_telemetry_node01_hostname}
               provider: ${_param:infra_kvm_node04_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_telemetry_backend_image}
               size: openstack.telemetry
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_telemetry}
             mdb02:
               name: ${_param:openstack_telemetry_node02_hostname}
               provider: ${_param:infra_kvm_node05_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_telemetry_backend_image}
               size: openstack.telemetry
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_telemetry}
             mdb03:
               name: ${_param:openstack_telemetry_node03_hostname}
               provider: ${_param:infra_kvm_node06_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_telemetry_backend_image}
               size: openstack.telemetry
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_telemetry}
diff --git a/salt/master/api.yml b/salt/master/api.yml
index b5ede2f..4ed3112 100644
--- a/salt/master/api.yml
+++ b/salt/master/api.yml
@@ -1,3 +1,9 @@
+classes:
+# Enabled ssl api by default
+- system.salt.minion.cert.salt_api
+- system.nginx.server.single
+- system.nginx.server.proxy.ssl
+- system.nginx.server.proxy.salt_api
 parameters:
   _param:
     salt_master_api_port: 6969
@@ -11,7 +17,7 @@
     api:
       enabled: true
       bind:
-        address: 0.0.0.0
+        address: ${_param:salt_master_api_bind_address}
         port: ${_param:salt_master_api_port}
     master:
       command_timeout: 600
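Review bot: `address: ${_param:salt_master_api_bind_address}` has no default visible in this file's `_param` block, so how far the salt-api listener is exposed now depends entirely on what each cluster model supplies. Since the first hunk puts the nginx SSL proxy classes in front of the API, a loopback default next to `salt_master_api_port` would keep the backend port off the network unless a model opts out: `salt_master_api_bind_address: 127.0.0.1`. The `_param` block continues outside both hunks, so confirm that a default is not already set there or in one of the newly included classes. The comment `# Enabled ssl api by default` would be clearer as `# Serve salt-api through the nginx SSL proxy by default`.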
diff --git a/salt/minion/cert/ceph/rgw.yml b/salt/minion/cert/ceph/rgw.yml
new file mode 100644
index 0000000..23b0414
--- /dev/null
+++ b/salt/minion/cert/ceph/rgw.yml
@@ -0,0 +1,17 @@
+parameters:
+  _param:
+    ceph_rgw_cert_key_file: "/etc/ssl/private/ceph_rgw_key.key"
+    ceph_rgw_cert_cert_file: "/etc/ssl/certs/ceph_rgw.crt"
+    ceph_rgw_cert_all_file: "/etc/ssl/certs/ceph_rgw_all.crt"
+  salt:
+    minion:
+      cert:
+        ceph:
+          host: ${_param:salt_minion_ca_host}
+          signing_policy: cert_server
+          authority: ${_param:salt_minion_ca_authority}
+          common_name: ceph_rgw
+          alternative_names: DNS:${_param:ceph_rgw_hostname}.${_param:cluster_domain},IP:${_param:cluster_vip_address}
+          key_file: ${_param:ceph_rgw_cert_key_file}
+          cert_file: ${_param:ceph_rgw_cert_cert_file}
+          all_file: ${_param:ceph_rgw_cert_all_file}
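Review bot: `ceph_rgw_cert_all_file` points into `/etc/ssl/certs`, and this certificate sets no `mode`, unlike the other cert classes added in this commit. If `all_file` bundles the private key with the chain (`salt_api.yml` in this commit names its `all_file` `-chain-with-key.pem`, which suggests so), the key would sit in a directory meant for public certificates with whatever permissions the formula defaults to. Keeping the bundle beside the key, for example `ceph_rgw_cert_all_file: "/etc/ssl/private/ceph_rgw_all.pem"`, and adding an explicit restrictive `mode` would make the intent clear. There is also no `enabled: true` here, which the sibling cert classes set; confirm the formula's default.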
diff --git a/salt/minion/cert/elasticsearch.yml b/salt/minion/cert/elasticsearch.yml
new file mode 100644
index 0000000..0ac232d
--- /dev/null
+++ b/salt/minion/cert/elasticsearch.yml
@@ -0,0 +1,16 @@
+parameters:
+  salt:
+    minion:
+      cert:
+        elasticsearch:
+          host: ${_param:salt_minion_ca_host}
+          authority: ${_param:salt_minion_ca_authority}
+          common_name: elasticsearch
+          signing_policy: cert_server
+          alternative_names: IP:127.0.0.1,IP:${_param:single_address},IP:${_param:stacklight_log_address},DNS:${linux:system:name},DNS:${linux:network:fqdn}
+          key_file: /etc/elasticsearch/elasticsearch.key
+          cert_file: /etc/elasticsearch/elasticsearch.crt
+          ca_file: /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem
+          all_file: /etc/elasticsearch/elasticsearch.pem
+          mode: '0444'
+          enabled: true
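Review bot: `mode: '0444'` sits beside `key_file` and `all_file`, so if the cert state applies this mode to the key material (the formula is not visible here), the private key would be readable by every local account. The same setting appears in `fluentd_prometheus.yml` and `telegraf_agent.yml`, and `salt_api.yml` keeps `mode: '0644'` while gaining a `key_file` and a `-chain-with-key.pem` bundle. A mode limited to the service account, e.g. `mode: '0440'` with the file's group set to the service's group, would avoid that. World-readable access is only needed for the certificate and the CA file.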
diff --git a/salt/minion/cert/fluentd_prometheus.yml b/salt/minion/cert/fluentd_prometheus.yml
new file mode 100644
index 0000000..d7f4469
--- /dev/null
+++ b/salt/minion/cert/fluentd_prometheus.yml
@@ -0,0 +1,14 @@
+parameters:
+  salt:
+    minion:
+      cert:
+        fluentd_prometheus:
+          host: ${_param:salt_minion_ca_host}
+          authority: ${_param:salt_minion_ca_authority}
+          common_name: fluentd_prometheus
+          signing_policy: cert_server
+          alternative_names: IP:127.0.0.1,IP:${_param:single_address},DNS:${linux:system:name},DNS:${linux:network:fqdn}
+          key_file: ${fluentd:agent:dir:config}/fluentd-prometheus.key
+          cert_file: ${fluentd:agent:dir:config}/fluentd-prometheus.crt
+          mode: '0444'
+          enabled: true
diff --git a/salt/minion/cert/salt_api.yml b/salt/minion/cert/salt_api.yml
index acd9bba..71441b1 100644
--- a/salt/minion/cert/salt_api.yml
+++ b/salt/minion/cert/salt_api.yml
@@ -3,9 +3,20 @@
     minion:
       cert:
         salt_api:
+          common_name: salt_api
           host: ${_param:salt_minion_ca_host}
           authority: ${_param:salt_minion_ca_authority}
-          common_name: salt_api
+          key_file:   /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}.key
+          cert_file:  /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}.crt
+          all_file:   /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}-chain-with-key.pem
+          ca_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}-ca.pem
           signing_policy: cert_server
-          alternative_names: IP:${_param:salt_master_host},IP:127.0.0.1,DNS:${_param:infra_config_hostname}.${_param:cluster_domain}
+          alternative_names: >
+            IP:${_param:salt_master_host},
+            IP:127.0.0.1,
+            IP:${_param:infra_config_address},
+            DNS:${_param:salt_master_host},
+            DNS:127.0.0.1,
+            DNS:${_param:infra_config_address},
+            DNS:${_param:infra_config_hostname}.${_param:cluster_domain}
           mode: '0644'
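Review bot: The folded scalar `alternative_names: >` yields a single line with a space after every comma and a trailing newline, unlike the compact value it replaces. Whether the signing state tolerates that is not visible here; `alternative_names: >-` would at least drop the trailing newline. `DNS:127.0.0.1` and `DNS:${_param:infra_config_address}` (presumably an IP) place addresses in dNSName entries. If this is a deliberate workaround for clients that do not match IP SANs, a comment such as `# IPs repeated as DNS SANs for clients that ignore iPAddress entries` would record it; otherwise those entries can go. The extra spaces after `key_file:`, `cert_file:` and `all_file:` differ from the single space used for `ca_file:` and the rest of the file.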
diff --git a/salt/minion/cert/telegraf_agent.yml b/salt/minion/cert/telegraf_agent.yml
new file mode 100644
index 0000000..d54520c
--- /dev/null
+++ b/salt/minion/cert/telegraf_agent.yml
@@ -0,0 +1,14 @@
+parameters:
+  salt:
+    minion:
+      cert:
+        telegraf_agent:
+          host: ${_param:salt_minion_ca_host}
+          authority: ${_param:salt_minion_ca_authority}
+          common_name: telegraf_agent
+          signing_policy: cert_server
+          alternative_names: IP:127.0.0.1,IP:${_param:single_address},DNS:${linux:system:name},DNS:${linux:network:fqdn}
+          key_file: ${telegraf:agent:dir:config}/telegraf-agent.key
+          cert_file: ${telegraf:agent:dir:config}/telegraf-agent.crt
+          mode: '0444'
+          enabled: true
diff --git a/sensu/server/cluster.yml b/sensu/server/cluster.yml
index 5c8fe85..7f17a2c 100644
--- a/sensu/server/cluster.yml
+++ b/sensu/server/cluster.yml
@@ -6,10 +6,6 @@
 - service.sensu.server.single
 parameters:
   _param:
-    rabbitmq_secret_key: secret
-    rabbitmq_admin_password: password
-    rabbitmq_cold_password: password
-    rabbitmq_monitor_password: password
     sensu_message_queue_host: ${_param:cluster_vip_address}
     cluster_redis_port: 6379
   sensu:
diff --git a/sensu/server/dashboard.yml b/sensu/server/dashboard.yml
index 7cabe2b..98f480f 100644
--- a/sensu/server/dashboard.yml
+++ b/sensu/server/dashboard.yml
@@ -5,7 +5,6 @@
 - service.sensu.server.single
 parameters:
   _param:
-    rabbitmq_monitor_password: password
     sensu_message_queue_host: 127.0.0.1
   sensu:
     dashboard:
diff --git a/sensu/server/single.yml b/sensu/server/single.yml
index 806b9ef..e3c4df9 100644
--- a/sensu/server/single.yml
+++ b/sensu/server/single.yml
@@ -4,5 +4,4 @@
 - service.sensu.server.single
 parameters:
   _param:
-    rabbitmq_monitor_password: password
     sensu_message_queue_host: 127.0.0.1
diff --git a/telegraf/agent/output/prometheus_client_ssl.yml b/telegraf/agent/output/prometheus_client_ssl.yml
new file mode 100644
index 0000000..f59335f
--- /dev/null
+++ b/telegraf/agent/output/prometheus_client_ssl.yml
@@ -0,0 +1,10 @@
+parameters:
+  telegraf:
+    agent:
+      output:
+        prometheus_client:
+          scheme: https
+          tls_cert: ${telegraf:agent:dir:config}/telegraf-agent.crt
+          tls_key: ${telegraf:agent:dir:config}/telegraf-agent.key
+          tls_config:
+            ca_file: /etc/ssl/certs/ca-certificates.crt
