17 files changed, 330 insertions, 419 deletions

diff --git a/README.rst b/README.rst
index 93c443bb..94f4f63c 100644
--- a/README.rst
+++ b/README.rst
@@ -82,7 +82,7 @@ and should be executed according to the following table:
 | neutron-bgpvpn |             |             |             |      X      |                 |              |
 +----------------+-------------+-------------+-------------+-------------+-----------------+--------------+
 | ovn            |             |             |             |             |                 |      X       |
-+---------------------------------------------------------------------------------------------------------+
++----------------+-------------+-------------+-------------+-------------+-----------------+--------------+
 | neutron-l2gw   |             |             |             |      X      |                 |              |
 +----------------+-------------+-------------+-------------+-------------+-----------------+--------------+
 | rabbitmq       |      X      |      X      |      X      |      X      |        X        |      X       |
diff --git a/ci/environments/scenario001-multinode-containers.yaml b/ci/environments/scenario001-multinode-containers.yaml
index 73dc5b14..a3bc8fcf 100644
--- a/ci/environments/scenario001-multinode-containers.yaml
+++ b/ci/environments/scenario001-multinode-containers.yaml
@@ -109,6 +109,7 @@ parameter_defaults:
   CephMonKey: 'AQC+Ox1VmEr3BxAALZejqeHj50Nj6wJDvs96OQ=='
   CephAdminKey: 'AQDLOh1VgEp6FRAAFzT7Zw+Y9V6JJExQAsRnRQ=='
   CephClientKey: 'AQC+vYNXgDAgAhAAc8UoYt+OTz5uhV7ItLdwUw=='
+  CephPoolDefaultSize: 1
   NovaEnableRbdBackend: true
   CinderEnableRbdBackend: true
   CinderBackupBackend: ceph
diff --git a/ci/environments/scenario004-multinode-containers.yaml b/ci/environments/scenario004-multinode-containers.yaml
index 6d795f97..5590de26 100644
--- a/ci/environments/scenario004-multinode-containers.yaml
+++ b/ci/environments/scenario004-multinode-containers.yaml
@@ -95,6 +95,7 @@ parameter_defaults:
   CephMonKey: 'AQC+Ox1VmEr3BxAALZejqeHj50Nj6wJDvs96OQ=='
   CephAdminKey: 'AQDLOh1VgEp6FRAAFzT7Zw+Y9V6JJExQAsRnRQ=='
   CephClientKey: 'AQC+vYNXgDAgAhAAc8UoYt+OTz5uhV7ItLdwUw=='
+  CephPoolDefaultSize: 1
   SwiftCeilometerPipelineEnabled: false
   NeutronServicePlugins: 'router, networking_bgpvpn.neutron.services.plugin.BGPVPNPlugin'
   BgpvpnServiceProvider: 'BGPVPN:Dummy:networking_bgpvpn.neutron.services.service_drivers.driver_api.BGPVPNDriver:default'
diff --git a/docker/firstboot/setup_docker_host.sh b/docker/firstboot/setup_docker_host.sh
index 8b4c6a03..af213bbd 100755
--- a/docker/firstboot/setup_docker_host.sh
+++ b/docker/firstboot/setup_docker_host.sh
@@ -6,3 +6,6 @@ set -eux
 # Disable libvirtd since it conflicts with nova_libvirt container
 /usr/bin/systemctl disable libvirtd.service
 /usr/bin/systemctl stop libvirtd.service
+# Disable virtlogd since it conflicts with nova_virtlogd container
+/usr/bin/systemctl disable virtlogd.service
+/usr/bin/systemctl stop virtlogd.service
diff --git a/docker/services/nova-libvirt.yaml b/docker/services/nova-libvirt.yaml
index 916b057e..7637e6e9 100644
--- a/docker/services/nova-libvirt.yaml
+++ b/docker/services/nova-libvirt.yaml
@@ -12,10 +12,6 @@ parameters:
   DockerNovaLibvirtConfigImage:
     description: The container image to use for the nova_libvirt config_volume
     type: string
-  EnablePackageInstall:
-    default: 'false'
-    description: Set to true to enable package installation at deploy time
-    type: boolean
   ServiceData:
     default: {}
     description: Dictionary packing service data
@@ -144,13 +140,45 @@ outputs:
               dest: "/etc/ceph/"
               merge: true
               preserve_properties: true
+        /var/lib/kolla/config_files/nova_virtlogd.json:
+          command: /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf
+          config_files:
+            - source: "/var/lib/kolla/config_files/src/*"
+              dest: "/"
+              merge: true
+              preserve_properties: true
           permissions:
             - path: /var/log/nova
               owner: nova:nova
               recurse: true
       docker_config:
         step_3:
+          nova_virtlogd:
+            start_order: 0
+            image: {get_param: DockerNovaLibvirtImage}
+            net: host
+            pid: host
+            privileged: true
+            restart: always
+            volumes:
+              list_concat:
+                - {get_attr: [ContainersCommon, volumes]}
+                -
+                  - /var/lib/kolla/config_files/nova_virtlogd.json:/var/lib/kolla/config_files/config.json:ro
+                  - /var/lib/config-data/puppet-generated/nova_libvirt/:/var/lib/kolla/config_files/src:ro
+                  - /lib/modules:/lib/modules:ro
+                  - /dev:/dev
+                  - /run:/run
+                  - /sys/fs/cgroup:/sys/fs/cgroup
+                  - /var/lib/nova:/var/lib/nova
+                  - /var/run/libvirt:/var/run/libvirt
+                  - /var/lib/libvirt:/var/lib/libvirt
+                  - /etc/libvirt/qemu:/etc/libvirt/qemu:ro
+                  - /var/log/libvirt/qemu:/var/log/libvirt/qemu
+            environment:
+              - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
           nova_libvirt:
+            start_order: 1
             image: {get_param: DockerNovaLibvirtImage}
             net: host
             pid: host
@@ -169,7 +197,6 @@ outputs:
                   - /sys/fs/cgroup:/sys/fs/cgroup
                   - /var/lib/nova:/var/lib/nova
                   - /etc/libvirt:/etc/libvirt
-                  # Needed to use host's virtlogd
                   - /var/run/libvirt:/var/run/libvirt
                   - /var/lib/libvirt:/var/lib/libvirt
                   - /var/log/libvirt/qemu:/var/log/libvirt/qemu:ro
@@ -216,22 +243,6 @@ outputs:
           file:
             path: /etc/ceph
             state: directory
-        - name: set enable_package_install fact
-          set_fact:
-            enable_package_install: {get_param: EnablePackageInstall}
-        # We use virtlogd on host, so when using Deployed Server
-        # feature, we need to ensure libvirt is installed.
-        - name: install libvirt-daemon
-          package:
-            name: libvirt-daemon
-            state: present
-          when: enable_package_install
-        - name: start virtlogd socket
-          service:
-            name: virtlogd.socket
-            state: started
-            enabled: yes
-          when: enable_package_install
       upgrade_tasks:
         - name: Stop and disable libvirtd service
           tags: step2
diff --git a/docker/services/pacemaker/haproxy.yaml b/docker/services/pacemaker/haproxy.yaml
index 24155912..5ba54f85 100644
--- a/docker/services/pacemaker/haproxy.yaml
+++ b/docker/services/pacemaker/haproxy.yaml
@@ -41,6 +41,22 @@ parameters:
     default: {}
     description: Parameters specific to the role
     type: json
+  InternalTLSCAFile:
+    default: '/etc/ipa/ca.crt'
+    type: string
+    description: Specifies the default CA cert to use if TLS is used for
+                 services in the internal network.
+  InternalTLSCRLPEMFile:
+    default: '/etc/pki/CA/crl/overcloud-crl.pem'
+    type: string
+    description: Specifies the default CRL PEM file to use for revocation if
+                 TLS is used for services in the internal network.
+  HAProxyInternalTLSCertsDirectory:
+    default: '/etc/pki/tls/certs/haproxy'
+    type: string
+  HAProxyInternalTLSKeysDirectory:
+    default: '/etc/pki/tls/private/haproxy'
+    type: string
 
 resources:
 
@@ -65,6 +81,17 @@ outputs:
           - tripleo::haproxy::haproxy_daemon: false
             haproxy_docker: true
             tripleo::profile::pacemaker::haproxy_bundle::haproxy_docker_image: &haproxy_image {get_param: DockerHAProxyImage}
+            # the list of directories that contain the certs to bind mount in the countainer
+            # bind-mounting the directories rather than all the cert, key and pem files ensures
+            # that docker won't create directories on the host when then pem files do not exist
+            tripleo::profile::pacemaker::haproxy_bundle::tls_mapping: &tls_mapping
+              - get_param: InternalTLSCAFile
+              - get_param: HAProxyInternalTLSKeysDirectory
+              - get_param: HAProxyInternalTLSCertsDirectory
+            tripleo::profile::pacemaker::haproxy_bundle::internal_certs_directory: {get_param: HAProxyInternalTLSCertsDirectory}
+            tripleo::profile::pacemaker::haproxy_bundle::internal_keys_directory: {get_param: HAProxyInternalTLSKeysDirectory}
+            # disable the use CRL file until we can restart the container when the file expires
+            tripleo::haproxy::crl_file: null
       step_config: ""
       service_config_settings: {get_attr: [HAProxyBase, role_data, service_config_settings]}
       # BEGIN DOCKER SETTINGS
@@ -80,11 +107,9 @@ outputs:
               - 'include ::tripleo::profile::pacemaker::haproxy_bundle'
         config_image: {get_param: DockerHAProxyConfigImage}
         volumes: &deployed_cert_mount
-          - list_join:
-            - ':'
-            - - {get_param: DeployedSSLCertificatePath}
-              - {get_param: DeployedSSLCertificatePath}
-              - 'ro'
+          yaql:
+            expression: $.data.select($+":"+$+":ro")
+            data: *tls_mapping
       kolla_config:
         /var/lib/kolla/config_files/haproxy.json:
           command: haproxy -f /etc/haproxy/haproxy.cfg
@@ -94,6 +119,28 @@ outputs:
               merge: true
               preserve_properties: true
               optional: true
+            - source: "/var/lib/kolla/config_files/src-tls/*"
+              dest: "/"
+              merge: true
+              optional: true
+              preserve_properties: true
+          permissions:
+            - path:
+                list_join:
+                - ''
+                - - {get_param: HAProxyInternalTLSCertsDirectory}
+                  - '/*'
+              owner: haproxy:haproxy
+              perm: '0600'
+              optional: true
+            - path:
+                list_join:
+                - ''
+                - - {get_param: HAProxyInternalTLSKeysDirectory}
+                  - '/*'
+              owner: haproxy:haproxy
+              perm: '0600'
+              optional: true
       docker_config:
         step_2:
           haproxy_init_bundle:
diff --git a/environments/docker-centos-tripleoupstream.yaml b/environments/docker-centos-tripleoupstream.yaml
deleted file mode 100644
index 01a118e4..00000000
--- a/environments/docker-centos-tripleoupstream.yaml
+++ /dev/null
@@ -1,124 +0,0 @@
-# Generated with the following on 2017-08-11T04:58:59.567629
-#
-#   openstack overcloud container image prepare --env-file environments/docker-centos-tripleoupstream.yaml
-#
-
-parameter_defaults:
-  DockerAodhApiImage: tripleoupstream/centos-binary-aodh-api:latest
-  DockerAodhConfigImage: tripleoupstream/centos-binary-aodh-api:latest
-  DockerAodhEvaluatorImage: tripleoupstream/centos-binary-aodh-evaluator:latest
-  DockerAodhListenerImage: tripleoupstream/centos-binary-aodh-listener:latest
-  DockerAodhNotifierImage: tripleoupstream/centos-binary-aodh-notifier:latest
-  DockerBarbicanApiImage: tripleoupstream/centos-binary-barbican-api:latest
-  DockerCeilometerCentralImage: tripleoupstream/centos-binary-ceilometer-central:latest
-  DockerCeilometerComputeImage: tripleoupstream/centos-binary-ceilometer-compute:latest
-  DockerCeilometerConfigImage: tripleoupstream/centos-binary-ceilometer-central:latest
-  DockerCeilometerIpmiImage: tripleoupstream/centos-binary-ceilometer-ipmi:latest
-  DockerCeilometerNotificationImage: tripleoupstream/centos-binary-ceilometer-notification:latest
-  DockerCinderApiImage: tripleoupstream/centos-binary-cinder-api:latest
-  DockerCinderBackupImage: tripleoupstream/centos-binary-cinder-backup:latest
-  DockerCinderConfigImage: tripleoupstream/centos-binary-cinder-api:latest
-  DockerCinderSchedulerImage: tripleoupstream/centos-binary-cinder-scheduler:latest
-  DockerCinderVolumeImage: tripleoupstream/centos-binary-cinder-volume:latest
-  DockerClustercheckConfigImage: tripleoupstream/centos-binary-mariadb:latest
-  DockerClustercheckImage: tripleoupstream/centos-binary-mariadb:latest
-  DockerCollectdConfigImage: tripleoupstream/centos-binary-collectd:latest
-  DockerCollectdImage: tripleoupstream/centos-binary-collectd:latest
-  DockerCongressApiImage: tripleoupstream/centos-binary-congress-api:latest
-  DockerCongressConfigImage: tripleoupstream/centos-binary-congress-api:latest
-  DockerEc2ApiConfigImage: tripleoupstream/centos-binary-ec2-api:latest
-  DockerEc2ApiImage: tripleoupstream/centos-binary-ec2-api:latest
-  DockerEtcdConfigImage: tripleoupstream/centos-binary-etcd:latest
-  DockerEtcdImage: tripleoupstream/centos-binary-etcd:latest
-  DockerGlanceApiConfigImage: tripleoupstream/centos-binary-glance-api:latest
-  DockerGlanceApiImage: tripleoupstream/centos-binary-glance-api:latest
-  DockerGnocchiApiImage: tripleoupstream/centos-binary-gnocchi-api:latest
-  DockerGnocchiConfigImage: tripleoupstream/centos-binary-gnocchi-api:latest
-  DockerGnocchiMetricdImage: tripleoupstream/centos-binary-gnocchi-metricd:latest
-  DockerGnocchiStatsdImage: tripleoupstream/centos-binary-gnocchi-statsd:latest
-  DockerHAProxyConfigImage: tripleoupstream/centos-binary-haproxy:latest
-  DockerHAProxyImage: tripleoupstream/centos-binary-haproxy:latest
-  DockerHeatApiCfnConfigImage: tripleoupstream/centos-binary-heat-api-cfn:latest
-  DockerHeatApiCfnImage: tripleoupstream/centos-binary-heat-api-cfn:latest
-  DockerHeatApiConfigImage: tripleoupstream/centos-binary-heat-api:latest
-  DockerHeatApiImage: tripleoupstream/centos-binary-heat-api:latest
-  DockerHeatConfigImage: tripleoupstream/centos-binary-heat-api:latest
-  DockerHeatEngineImage: tripleoupstream/centos-binary-heat-engine:latest
-  DockerHorizonConfigImage: tripleoupstream/centos-binary-horizon:latest
-  DockerHorizonImage: tripleoupstream/centos-binary-horizon:latest
-  DockerIronicApiConfigImage: tripleoupstream/centos-binary-ironic-api:latest
-  DockerIronicApiImage: tripleoupstream/centos-binary-ironic-api:latest
-  DockerIronicConductorImage: tripleoupstream/centos-binary-ironic-conductor:latest
-  DockerIronicConfigImage: tripleoupstream/centos-binary-ironic-pxe:latest
-  DockerIronicInspectorConfigImage: tripleoupstream/centos-binary-ironic-inspector:latest
-  DockerIronicInspectorImage: tripleoupstream/centos-binary-ironic-inspector:latest
-  DockerIronicPxeImage: tripleoupstream/centos-binary-ironic-pxe:latest
-  DockerIscsidConfigImage: tripleoupstream/centos-binary-iscsid:latest
-  DockerIscsidImage: tripleoupstream/centos-binary-iscsid:latest
-  DockerKeystoneConfigImage: tripleoupstream/centos-binary-keystone:latest
-  DockerKeystoneImage: tripleoupstream/centos-binary-keystone:latest
-  DockerManilaApiImage: tripleoupstream/centos-binary-manila-api:latest
-  DockerManilaConfigImage: tripleoupstream/centos-binary-manila-api:latest
-  DockerManilaSchedulerImage: tripleoupstream/centos-binary-manila-scheduler:latest
-  DockerManilaShareImage: tripleoupstream/centos-binary-manila-share:latest
-  DockerMemcachedConfigImage: tripleoupstream/centos-binary-memcached:latest
-  DockerMemcachedImage: tripleoupstream/centos-binary-memcached:latest
-  DockerMistralApiImage: tripleoupstream/centos-binary-mistral-api:latest
-  DockerMistralConfigImage: tripleoupstream/centos-binary-mistral-api:latest
-  DockerMistralEngineImage: tripleoupstream/centos-binary-mistral-engine:latest
-  DockerMistralExecutorImage: tripleoupstream/centos-binary-mistral-executor:latest
-  DockerMongodbConfigImage: tripleoupstream/centos-binary-mongodb:latest
-  DockerMongodbImage: tripleoupstream/centos-binary-mongodb:latest
-  DockerMultipathdConfigImage: tripleoupstream/centos-binary-multipathd:latest
-  DockerMultipathdImage: tripleoupstream/centos-binary-multipathd:latest
-  DockerMysqlClientConfigImage: tripleoupstream/centos-binary-mariadb:latest
-  DockerMysqlConfigImage: tripleoupstream/centos-binary-mariadb:latest
-  DockerMysqlImage: tripleoupstream/centos-binary-mariadb:latest
-  DockerNeutronApiImage: tripleoupstream/centos-binary-neutron-server:latest
-  DockerNeutronConfigImage: tripleoupstream/centos-binary-neutron-server:latest
-  DockerNeutronDHCPImage: tripleoupstream/centos-binary-neutron-dhcp-agent:latest
-  DockerNeutronL3AgentImage: tripleoupstream/centos-binary-neutron-l3-agent:latest
-  DockerNeutronMetadataImage: tripleoupstream/centos-binary-neutron-metadata-agent:latest
-  DockerNovaApiImage: tripleoupstream/centos-binary-nova-api:latest
-  DockerNovaComputeImage: tripleoupstream/centos-binary-nova-compute:latest
-  DockerNovaComputeIronicImage: tripleoupstream/centos-binary-nova-compute-ironic:latest
-  DockerNovaConductorImage: tripleoupstream/centos-binary-nova-conductor:latest
-  DockerNovaConfigImage: tripleoupstream/centos-binary-nova-api:latest
-  DockerNovaConsoleauthImage: tripleoupstream/centos-binary-nova-consoleauth:latest
-  DockerNovaLibvirtConfigImage: tripleoupstream/centos-binary-nova-compute:latest
-  DockerNovaLibvirtImage: tripleoupstream/centos-binary-nova-libvirt:latest
-  DockerNovaPlacementConfigImage: tripleoupstream/centos-binary-nova-placement-api:latest
-  DockerNovaPlacementImage: tripleoupstream/centos-binary-nova-placement-api:latest
-  DockerNovaSchedulerImage: tripleoupstream/centos-binary-nova-scheduler:latest
-  DockerNovaVncProxyImage: tripleoupstream/centos-binary-nova-novncproxy:latest
-  DockerOVNControllerConfigImage: tripleoupstream/centos-binary-ovn-controller:latest
-  DockerOVNControllerImage: tripleoupstream/centos-binary-ovn-controller:latest
-  DockerOVNNbDbImage: tripleoupstream/centos-binary-ovn-nb-db-server:latest
-  DockerOVNNorthdImage: tripleoupstream/centos-binary-ovn-northd:latest
-  DockerOVNSbDbImage: tripleoupstream/centos-binary-ovn-sb-db-server:latest
-  DockerOctaviaApiImage: tripleoupstream/centos-binary-octavia-api:latest
-  DockerOctaviaConfigImage: tripleoupstream/centos-binary-octavia-api:latest
-  DockerOctaviaHealthManagerImage: tripleoupstream/centos-binary-octavia-health-manager:latest
-  DockerOctaviaHousekeepingImage: tripleoupstream/centos-binary-octavia-housekeeping:latest
-  DockerOctaviaWorkerImage: tripleoupstream/centos-binary-octavia-worker:latest
-  DockerOpenvswitchImage: tripleoupstream/centos-binary-neutron-openvswitch-agent:latest
-  DockerPankoApiImage: tripleoupstream/centos-binary-panko-api:latest
-  DockerPankoConfigImage: tripleoupstream/centos-binary-panko-api:latest
-  DockerRabbitmqConfigImage: tripleoupstream/centos-binary-rabbitmq:latest
-  DockerRabbitmqImage: tripleoupstream/centos-binary-rabbitmq:latest
-  DockerRedisConfigImage: tripleoupstream/centos-binary-redis:latest
-  DockerRedisImage: tripleoupstream/centos-binary-redis:latest
-  DockerSaharaApiImage: tripleoupstream/centos-binary-sahara-api:latest
-  DockerSaharaConfigImage: tripleoupstream/centos-binary-sahara-api:latest
-  DockerSaharaEngineImage: tripleoupstream/centos-binary-sahara-engine:latest
-  DockerSensuClientImage: tripleoupstream/centos-binary-sensu-client:latest
-  DockerSensuConfigImage: tripleoupstream/centos-binary-sensu-client:latest
-  DockerSwiftAccountImage: tripleoupstream/centos-binary-swift-account:latest
-  DockerSwiftConfigImage: tripleoupstream/centos-binary-swift-proxy-server:latest
-  DockerSwiftContainerImage: tripleoupstream/centos-binary-swift-container:latest
-  DockerSwiftObjectImage: tripleoupstream/centos-binary-swift-object:latest
-  DockerSwiftProxyImage: tripleoupstream/centos-binary-swift-proxy-server:latest
-  DockerTackerConfigImage: tripleoupstream/centos-binary-tacker:latest
-  DockerTackerImage: tripleoupstream/centos-binary-tacker:latest
-  DockerZaqarConfigImage: tripleoupstream/centos-binary-zaqar:latest
-  DockerZaqarImage: tripleoupstream/centos-binary-zaqar:latest
diff --git a/extraconfig/nova_metadata/krb-service-principals.yaml b/extraconfig/nova_metadata/krb-service-principals.j2.yaml
index cdd4341a..b18dba66 100644
--- a/extraconfig/nova_metadata/krb-service-principals.yaml
+++ b/extraconfig/nova_metadata/krb-service-principals.j2.yaml
@@ -5,30 +5,38 @@ parameters:
   RoleData:
      type: json
      description: the list containing the 'role_data' output for the ServiceChain
-
-  # Coming from parameter_defaults
+{%- for network in networks if network.vip|default(false) %}
+{%- if network.name == 'External' %}
+  # Special case the External hostname param, which is CloudName
   CloudName:
     default: overcloud.localdomain
     description: The DNS name of this cloud. E.g. ci-overcloud.tripleo.org
     type: string
+{%- elif network.name == 'InternalApi' %}
+  # Special case the Internal API hostname param, which is CloudNameInternal
   CloudNameInternal:
-    default: overcloud.internalapi.localdomain
+    default: overcloud.{{network.name.lower()}}.localdomain
     description: >
-      The DNS name of this cloud's internal API endpoint. E.g.
-      'ci-overcloud.internalapi.tripleo.org'.
+      The DNS name of this cloud's {{network.name_lower}} endpoint. E.g.
+      'ci-overcloud.{{network.name.lower()}}.tripleo.org'.
     type: string
-  CloudNameStorage:
-    default: overcloud.storage.localdomain
+{%- elif network.name == 'StorageMgmt' %}
+  # Special case StorageMgmt hostname param, which is CloudNameStorageManagement
+  CloudNameStorageManagement:
+    default: overcloud.{{network.name.lower()}}.localdomain
     description: >
-      The DNS name of this cloud's storage endpoint. E.g.
-      'ci-overcloud.storage.tripleo.org'.
+      The DNS name of this cloud's {{network.name_lower}} endpoint. E.g.
+      'ci-overcloud.{{network.name.lower()}}.tripleo.org'.
     type: string
-  CloudNameStorageManagement:
-    default: overcloud.storagemgmt.localdomain
+{%- else %}
+  CloudName{{network.name}}:
+    default: overcloud.{{network.name.lower()}}.localdomain
     description: >
-      The DNS name of this cloud's storage management endpoint. E.g.
-      'ci-overcloud.storagemgmt.tripleo.org'.
+      The DNS name of this cloud's {{network.name_lower}} endpoint. E.g.
+      'ci-overcloud.{{network.name.lower()}}.tripleo.org'.
     type: string
+{%- endif %}
+{%- endfor %}
   CloudNameCtlplane:
     default: overcloud.ctlplane.localdomain
     description: >
@@ -61,10 +69,17 @@ resources:
           data:
             metadata: {get_attr: [IncomingMetadataSettings, value]}
             fqdns:
+{%- for network in networks if network.vip|default(false) %}
+{%- if network.name == 'External' %}
               external: {get_param: CloudName}
+{%- elif network.name == 'InternalApi' %}
               internal_api: {get_param: CloudNameInternal}
-              storage: {get_param: CloudNameStorage}
+{%- elif network.name == 'StorageMgmt' %}
               storage_mgmt: {get_param: CloudNameStorageManagement}
+{%- else %}
+              {{network.name_lower}}: {get_param: CloudName{{network.name}}}
+{%- endif %}
+{%- endfor %}
               ctlplane: {get_param: CloudNameCtlplane}
 
   CompactServices:
@@ -82,3 +97,4 @@ outputs:
       map_merge:
         - {get_attr: [IndividualServices, value]}
         - compact_services: {get_attr: [CompactServices, value]}
+
diff --git a/network/ports/net_vip_map_external.j2.yaml b/network/ports/net_vip_map_external.j2.yaml
new file mode 100644
index 00000000..b17f48b5
--- /dev/null
+++ b/network/ports/net_vip_map_external.j2.yaml
@@ -0,0 +1,40 @@
+heat_template_version: pike
+
+parameters:
+  # Set these via parameter defaults to configure external VIPs
+  ControlPlaneIP:
+    default: ''
+    type: string
+{%- for network in networks if network.vip|default(false) %}
+  {{network.name}}NetworkVip:
+    default: ''
+    type: string
+{%- endfor %}
+  # The following are unused in this template
+  ControlPlaneIp:
+    default: ''
+    type: string
+{%- for network in networks if network.vip|default(false) %}
+  {{network.name}}Ip:
+    default: ''
+    type: string
+  {{network.name}}IpUri:
+    default: ''
+    type: string
+    description: IP address with brackets in case of IPv6
+{%- endfor %}
+
+outputs:
+  net_ip_map:
+    description: >
+      A Hash containing a mapping of network names to assigned IPs
+      for a specific machine.
+    value:
+      ctlplane: {get_param: ControlPlaneIP}
+{%- for network in networks if network.vip|default(false) %}
+      {{network.name_lower}}: {get_param: {{network.name}}NetworkVip}
+{%- endfor %}
+      ctlplane_uri: {get_param: ControlPlaneIP}
+{%- for network in networks if network.vip|default(false) %}
+      {{network.name_lower}}_uri: {get_param: {{network.name}}NetworkVip}
+{%- endfor %}
diff --git a/network/ports/net_vip_map_external.yaml b/network/ports/net_vip_map_external.yaml
deleted file mode 100644
index d0847882..00000000
--- a/network/ports/net_vip_map_external.yaml
+++ /dev/null
@@ -1,68 +0,0 @@
-heat_template_version: pike
-
-parameters:
-  # Set these via parameter defaults to configure external VIPs
-  ControlPlaneIP:
-    default: ''
-    type: string
-  ExternalNetworkVip:
-    default: ''
-    type: string
-  InternalApiNetworkVip:
-    default: ''
-    type: string
-  StorageNetworkVip:
-    default: ''
-    type: string
-  StorageMgmtNetworkVip:
-    default: ''
-    type: string
-  # The following are unused in this template
-  ControlPlaneIp:
-    default: ''
-    type: string
-  ExternalIp:
-    default: ''
-    type: string
-  ExternalIpUri:
-    default: ''
-    type: string
-    description: IP address with brackets in case of IPv6
-  InternalApiIp:
-    default: ''
-    type: string
-  InternalApiIpUri:
-    default: ''
-    type: string
-    description: IP address with brackets in case of IPv6
-  StorageIp:
-    default: ''
-    type: string
-  StorageIpUri:
-    default: ''
-    type: string
-    description: IP address with brackets in case of IPv6
-  StorageMgmtIp:
-    default: ''
-    type: string
-  StorageMgmtIpUri:
-    default: ''
-    type: string
-    description: IP address with brackets in case of IPv6
-
-outputs:
-  net_ip_map:
-    description: >
-      A Hash containing a mapping of network names to assigned IPs
-      for a specific machine.
-    value:
-      ctlplane: {get_param: ControlPlaneIP}
-      external: {get_param: ExternalNetworkVip}
-      internal_api: {get_param: InternalApiNetworkVip}
-      storage: {get_param: StorageNetworkVip}
-      storage_mgmt: {get_param: StorageMgmtNetworkVip}
-      ctlplane_uri: {get_param: ControlPlaneIP}
-      external_uri: {get_param: ExternalNetworkVip}
-      internal_api_uri: {get_param: InternalApiNetworkVip}
-      storage_uri: {get_param: StorageNetworkVip}
-      storage_mgmt_uri: {get_param: StorageMgmtNetworkVip}
diff --git a/network/ports/net_vip_map_external_v6.j2.yaml b/network/ports/net_vip_map_external_v6.j2.yaml
new file mode 100644
index 00000000..5eff73c1
--- /dev/null
+++ b/network/ports/net_vip_map_external_v6.j2.yaml
@@ -0,0 +1,45 @@
+heat_template_version: pike
+
+parameters:
+  # Set these via parameter defaults to configure external VIPs
+  ControlPlaneIP:
+    default: ''
+    type: string
+{%- for network in networks if network.vip|default(false) %}
+  {{network.name}}NetworkVip:
+    default: ''
+    type: string
+{%- endfor %}
+  # The following are unused in this template
+  ControlPlaneIp:
+    default: ''
+    type: string
+{%- for network in networks if network.vip|default(false) %}
+  {{network.name}}Ip:
+    default: ''
+    type: string
+  {{network.name}}IpUri:
+    default: ''
+    type: string
+    description: IP address with brackets in case of IPv6
+{%- endfor %}
+
+outputs:
+  net_ip_map:
+    description: >
+      A Hash containing a mapping of network names to assigned IPs
+      for a specific machine.
+    value:
+      ctlplane: {get_param: ControlPlaneIP}
+{%- for network in networks if network.vip|default(false) %}
+      {{network.name_lower}}: {get_param: {{network.name}}NetworkVip}
+{%- endfor %}
+      ctlplane_uri: {get_param: ControlPlaneIP}
+{%- for network in networks if network.vip|default(false) %}
+      {{network.name_lower}}_uri:
+        list_join:
+          - ''
+          - - '['
+            - {get_param: {{network.name}}NetworkVip}
+            - ']'
+{%- endfor %}
diff --git a/network/ports/net_vip_map_external_v6.yaml b/network/ports/net_vip_map_external_v6.yaml
deleted file mode 100644
index 72e60cb2..00000000
--- a/network/ports/net_vip_map_external_v6.yaml
+++ /dev/null
@@ -1,88 +0,0 @@
-heat_template_version: pike
-
-parameters:
-  # Set these via parameter defaults to configure external VIPs
-  ControlPlaneIP:
-    default: ''
-    type: string
-  ExternalNetworkVip:
-    default: ''
-    type: string
-  InternalApiNetworkVip:
-    default: ''
-    type: string
-  StorageNetworkVip:
-    default: ''
-    type: string
-  StorageMgmtNetworkVip:
-    default: ''
-    type: string
-  # The following are unused in this template
-  ControlPlaneIp:
-    default: ''
-    type: string
-  ExternalIp:
-    default: ''
-    type: string
-  ExternalIpUri:
-    default: ''
-    type: string
-    description: IP address with brackets in case of IPv6
-  InternalApiIp:
-    default: ''
-    type: string
-  InternalApiIpUri:
-    default: ''
-    type: string
-    description: IP address with brackets in case of IPv6
-  StorageIp:
-    default: ''
-    type: string
-  StorageIpUri:
-    default: ''
-    type: string
-    description: IP address with brackets in case of IPv6
-  StorageMgmtIp:
-    default: ''
-    type: string
-  StorageMgmtIpUri:
-    default: ''
-    type: string
-    description: IP address with brackets in case of IPv6
-
-outputs:
-  net_ip_map:
-    description: >
-      A Hash containing a mapping of network names to assigned IPs
-      for a specific machine.
-    value:
-      ctlplane: {get_param: ControlPlaneIP}
-      external: {get_param: ExternalNetworkVip}
-      internal_api: {get_param: InternalApiNetworkVip}
-      storage: {get_param: StorageNetworkVip}
-      storage_mgmt: {get_param: StorageMgmtNetworkVip}
-      ctlplane_uri: {get_param: ControlPlaneIP}
-      external_uri:
-        list_join:
-          - ''
-          - - '['
-            - {get_param: ExternalNetworkVip}
-            - ']'
-      internal_api_uri:
-        list_join:
-          - ''
-          - - '['
-            - {get_param: InternalApiNetworkVip}
-            - ']'
-      storage_uri:
-        list_join:
-          - ''
-          - - '['
-            - {get_param: StorageNetworkVip}
-            - ']'
-      storage_mgmt_uri:
-        list_join:
-          - ''
-          - - '['
-            - {get_param: StorageMgmtNetworkVip}
-            - ']'
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index 63868b54..2a9f9d76 100644
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -279,7 +279,6 @@ resource_registry:
   OS::TripleO::Services::NeutronVppAgent: OS::Heat::None
   OS::TripleO::Services::Docker: OS::Heat::None
   OS::TripleO::Services::CertmongerUser: OS::Heat::None
-  OS::TripleO::Services::Iscsid: OS::Heat::None
   OS::TripleO::Services::Clustercheck: OS::Heat::None
   OS::TripleO::Services::VRTSHyperScale: OS::Heat::None
 
diff --git a/overcloud.j2.yaml b/overcloud.j2.yaml
index a7a4fe25..2e398671 100644
--- a/overcloud.j2.yaml
+++ b/overcloud.j2.yaml
@@ -21,40 +21,44 @@ description: >
 parameters:
 
   # Common parameters (not specific to a role)
+{%- for network in networks if network.vip|default(false) %}
+{%- if network.name == 'External' %}
+  # Special case the External hostname param, which is CloudName
   CloudName:
     default: overcloud.localdomain
     description: The DNS name of this cloud. E.g. ci-overcloud.tripleo.org
     type: string
+{%- elif network.name == 'InternalApi' %}
+  # Special case the Internal API hostname param, which is CloudNameInternal
   CloudNameInternal:
-    default: overcloud.internalapi.localdomain
+    default: overcloud.{{network.name.lower()}}.localdomain
     description: >
-      The DNS name of this cloud's internal API endpoint. E.g.
-      'ci-overcloud.internalapi.tripleo.org'.
+      The DNS name of this cloud's {{network.name_lower}} endpoint. E.g.
+      'ci-overcloud.{{network.name.lower()}}.tripleo.org'.
     type: string
-  CloudNameStorage:
-    default: overcloud.storage.localdomain
+{%- elif network.name == 'StorageMgmt' %}
+  # Special case StorageMgmt hostname param, which is CloudNameStorageManagement
+  CloudNameStorageManagement:
+    default: overcloud.{{network.name.lower()}}.localdomain
     description: >
-      The DNS name of this cloud's storage endpoint. E.g.
-      'ci-overcloud.storage.tripleo.org'.
+      The DNS name of this cloud's {{network.name_lower}} endpoint. E.g.
+      'ci-overcloud.{{network.name.lower()}}.tripleo.org'.
     type: string
-  CloudNameStorageManagement:
-    default: overcloud.storagemgmt.localdomain
+{%- else %}
+  CloudName{{network.name}}:
+    default: overcloud.{{network.name.lower()}}.localdomain
     description: >
-      The DNS name of this cloud's storage management endpoint. E.g.
-      'ci-overcloud.storagemgmt.tripleo.org'.
+      The DNS name of this cloud's {{network.name_lower}} endpoint. E.g.
+      'ci-overcloud.{{network.name.lower()}}.tripleo.org'.
     type: string
+{%- endif %}
+{%- endfor %}
   CloudNameCtlplane:
     default: overcloud.ctlplane.localdomain
     description: >
       The DNS name of this cloud's provisioning network endpoint. E.g.
       'ci-overcloud.ctlplane.tripleo.org'.
     type: string
-  ControlFixedIPs:
-    default: []
-    description: >
-        Control the IP allocation for the ControlVirtualIP port. E.g.
-        [{'ip_address':'1.2.3.4'}]
-    type: json
   ExtraConfig:
     default: {}
     description: |
@@ -77,12 +81,6 @@ parameters:
     description: |
       DEPRECATED use ComputeExtraConfig instead
     type: json
-  InternalApiVirtualFixedIPs:
-    default: []
-    description: >
-        Control the IP allocation for the InternalApiVirtualInterface port. E.g.
-        [{'ip_address':'1.2.3.4'}]
-    type: json
   NeutronControlPlaneID:
     default: 'ctlplane'
     type: string
@@ -91,28 +89,34 @@ parameters:
     default: nic1
     description: Which interface to add to the NeutronPhysicalBridge.
     type: string
-  PublicVirtualFixedIPs:
+  ControlFixedIPs:
     default: []
     description: >
-        Control the IP allocation for the PublicVirtualInterface port. E.g.
+        Control the IP allocation for the ControlVirtualIP port. E.g.
         [{'ip_address':'1.2.3.4'}]
     type: json
-  RabbitCookieSalt:
-    type: string
-    default: unset
-    description: Salt for the rabbit cookie, change this to force the randomly generated rabbit cookie to change.
-  StorageVirtualFixedIPs:
+{%- for network in networks if network.vip|default(false) %}
+{%- if network.name == 'External' %}
+  # TODO (dsneddon) Legacy name, eventually refactor to match network name
+  PublicVirtualFixedIPs:
     default: []
     description: >
-        Control the IP allocation for the StorageVirtualInterface port. E.g.
+        Control the IP allocation for the PublicVirtualInterface port. E.g.
         [{'ip_address':'1.2.3.4'}]
     type: json
-  StorageMgmtVirtualFixedIPs:
+{%- else %}
+  {{network.name}}VirtualFixedIPs:
     default: []
     description: >
-        Control the IP allocation for the StorageMgmgVirtualInterface port. E.g.
+        Control the IP allocation for the {{network.name}}VirtualInterface port. E.g.
         [{'ip_address':'1.2.3.4'}]
     type: json
+{%- endif %}
+{%- endfor %}
+  RabbitCookieSalt:
+    type: string
+    default: unset
+    description: Salt for the rabbit cookie, change this to force the randomly generated rabbit cookie to change.
   RedisVirtualFixedIPs:
     default: []
     description: >
@@ -240,28 +244,38 @@ resources:
         - - str_replace:
               template: IP  HOST
               params:
-                IP: {get_attr: [VipMap, net_ip_map, external]}
-                HOST: {get_param: CloudName}
+                IP: {get_attr: [VipMap, net_ip_map, ctlplane]}
+                HOST: {get_param: CloudNameCtlplane}
+{%- for network in networks if network.vip|default(false) %}
+{%- if network.name == 'External' %}
+  # Special case the External hostname param, which is CloudName
           - str_replace:
               template: IP  HOST
               params:
-                IP: {get_attr: [VipMap, net_ip_map, ctlplane]}
-                HOST: {get_param: CloudNameCtlplane}
+                IP: {get_attr: [VipMap, net_ip_map, {{network.name_lower}}]}
+                HOST: {get_param: CloudName}
+{%- elif network.name == 'InternalApi' %}
+  # Special case the Internal API hostname param, which is CloudNameInternal
           - str_replace:
               template: IP  HOST
               params:
-                IP: {get_attr: [VipMap, net_ip_map, internal_api]}
+                IP: {get_attr: [VipMap, net_ip_map, {{network.name_lower}}]}
                 HOST: {get_param: CloudNameInternal}
+{%- elif network.name == 'StorageMgmt' %}
+  # Special case StorageMgmt hostname param, which is CloudNameStorageManagement
           - str_replace:
               template: IP  HOST
               params:
-                IP: {get_attr: [VipMap, net_ip_map, storage]}
-                HOST: {get_param: CloudNameStorage}
+                IP: {get_attr: [VipMap, net_ip_map, {{network.name_lower}}]}
+                HOST: {get_param: CloudNameStorageManagement}
+{%- else %}
           - str_replace:
               template: IP  HOST
               params:
-                IP: {get_attr: [VipMap, net_ip_map, storage_mgmt]}
-                HOST: {get_param: CloudNameStorageManagement}
+                IP: {get_attr: [VipMap, net_ip_map, {{network.name_lower}}]}
+                HOST: {get_param: CloudName{{network.name}}}
+{%- endif %}
+{%- endfor %}
 
   HeatAuthEncryptionKey:
     type: OS::TripleO::RandomString
@@ -297,11 +311,21 @@ resources:
     type: OS::TripleO::EndpointMap
     properties:
       CloudEndpoints:
-        external: {get_param: CloudName}
-        internal_api: {get_param: CloudNameInternal}
-        storage: {get_param: CloudNameStorage}
-        storage_mgmt: {get_param: CloudNameStorageManagement}
         ctlplane: {get_param: CloudNameCtlplane}
+{%- for network in networks if network.vip|default(false) %}
+{%- if network.name == 'External' %}
+  # Special case the External hostname param, which is CloudName
+        {{network.name_lower}}: {get_param: CloudName}
+{%- elif network.name == 'InternalApi' %}
+  # Special case the Internal API hostname param, which is CloudNameInternal
+        {{network.name_lower}}: {get_param: CloudNameInternal}
+{%- elif network.name == 'StorageMgmt' %}
+  # Special case StorageMgmt hostname param, which is CloudNameStorageManagement
+        {{network.name_lower}}: {get_param: CloudNameStorageManagement}
+{%- else %}
+        {{network.name_lower}}: {get_param: CloudName{{network.name}}}
+{%- endif %}
+{%- endfor %}
       NetIpMap: {get_attr: [VipMap, net_ip_map]}
       ServiceNetMap: {get_attr: [ServiceNetMap, service_net_map]}
 
@@ -458,12 +482,9 @@ resources:
     type: OS::TripleO::Network::Ports::NetIpListMap
     properties:
       ControlPlaneIpList: {get_attr: [{{role.name}}, ip_address]}
-      ExternalIpList: {get_attr: [{{role.name}}, external_ip_address]}
-      InternalApiIpList: {get_attr: [{{role.name}}, internal_api_ip_address]}
-      StorageIpList: {get_attr: [{{role.name}}, storage_ip_address]}
-      StorageMgmtIpList: {get_attr: [{{role.name}}, storage_mgmt_ip_address]}
-      TenantIpList: {get_attr: [{{role.name}}, tenant_ip_address]}
-      ManagementIpList: {get_attr: [{{role.name}}, management_ip_address]}
+{%- for network in networks if network.enabled|default(true) %}
+      {{network.name}}IpList: {get_attr: [{{role.name}}, {{network.name_lower}}_ip_address]}
+{%- endfor %}
       EnabledServices: {get_attr: [{{role.name}}ServiceNames, value]}
       ServiceNetMap: {get_attr: [ServiceNetMap, service_net_map_lower]}
       ServiceHostnameList: {get_attr: [{{role.name}}, hostname]}
@@ -582,10 +603,20 @@ resources:
   allNodesConfig:
     type: OS::TripleO::AllNodes::SoftwareConfig
     properties:
-      cloud_name_external: {get_param: CloudName}
-      cloud_name_internal_api: {get_param: CloudNameInternal}
-      cloud_name_storage: {get_param: CloudNameStorage}
-      cloud_name_storage_mgmt: {get_param: CloudNameStorageManagement}
+{%- for network in networks if network.vip|default(false) %}
+{%- if network.name == 'External' %}
+  # Special case the External hostname param, which is CloudName
+      cloud_name_{{network.name_lower}}: {get_param: CloudName}
+{%- elif network.name == 'InternalApi' %}
+  # Special case the Internal API hostname param, which is CloudNameInternal
+      cloud_name_{{network.name_lower}}: {get_param: CloudNameInternal}
+{%- elif network.name == 'StorageMgmt' %}
+  # Special case StorageMgmt hostname param, which is CloudNameStorageManagement
+      cloud_name_{{network.name_lower}}: {get_param: CloudNameStorageManagement}
+{%- else %}
+      cloud_name_{{network.name_lower}}: {get_param: CloudName{{network.name}}}
+{%- endif %}
+{%- endfor %}
       cloud_name_ctlplane: {get_param: CloudNameCtlplane}
       enabled_services:
         list_join:
@@ -699,6 +730,8 @@ resources:
       ServiceName: redis
       FixedIPs: {get_param: RedisVirtualFixedIPs}
 
+{%- for network in networks if network.vip|default(false) %}
+{%- if network.name == 'External' %}
   # The public VIP is on the External net, falls back to ctlplane
   PublicVirtualIP:
     depends_on: Networks
@@ -708,43 +741,38 @@ resources:
       ControlPlaneNetwork: {get_param: NeutronControlPlaneID}
       PortName: public_virtual_ip
       FixedIPs: {get_param: PublicVirtualFixedIPs}
-
-  InternalApiVirtualIP:
+{%- elif network.name == 'StorageMgmt' %}
+  {{network.name}}VirtualIP:
     depends_on: Networks
-    type: OS::TripleO::Network::Ports::InternalApiVipPort
+    type: OS::TripleO::Network::Ports::{{network.name}}VipPort
     properties:
       ControlPlaneIP: {get_attr: [ControlVirtualIP, fixed_ips, 0, ip_address]}
-      PortName: internal_api_virtual_ip
-      FixedIPs: {get_param: InternalApiVirtualFixedIPs}
-
-  StorageVirtualIP:
-    depends_on: Networks
-    type: OS::TripleO::Network::Ports::StorageVipPort
-    properties:
-      ControlPlaneIP: {get_attr: [ControlVirtualIP, fixed_ips, 0, ip_address]}
-      PortName: storage_virtual_ip
-      FixedIPs: {get_param: StorageVirtualFixedIPs}
-
-  StorageMgmtVirtualIP:
+      PortName: storage_management_virtual_ip
+      FixedIPs: {get_param: {{network.name}}VirtualFixedIPs}
+{%- else %}
+  {{network.name}}VirtualIP:
     depends_on: Networks
-    type: OS::TripleO::Network::Ports::StorageMgmtVipPort
+    type: OS::TripleO::Network::Ports::{{network.name}}VipPort
     properties:
       ControlPlaneIP: {get_attr: [ControlVirtualIP, fixed_ips, 0, ip_address]}
-      PortName: storage_management_virtual_ip
-      FixedIPs: {get_param: StorageMgmtVirtualFixedIPs}
+      PortName: {{network.name_lower}}_virtual_ip
+      FixedIPs: {get_param: {{network.name}}VirtualFixedIPs}
+{%- endif %}
+{%- endfor %}
 
   VipMap:
     type: OS::TripleO::Network::Ports::NetVipMap
     properties:
       ControlPlaneIp: {get_attr: [ControlVirtualIP, fixed_ips, 0, ip_address]}
+{%- for network in networks if network.vip|default(false) %}
+{%- if network.name == 'External' %}
       ExternalIp: {get_attr: [PublicVirtualIP, ip_address]}
       ExternalIpUri: {get_attr: [PublicVirtualIP, ip_address_uri]}
-      InternalApiIp: {get_attr: [InternalApiVirtualIP, ip_address]}
-      InternalApiIpUri: {get_attr: [InternalApiVirtualIP, ip_address_uri]}
-      StorageIp: {get_attr: [StorageVirtualIP, ip_address]}
-      StorageIpUri: {get_attr: [StorageVirtualIP, ip_address_uri]}
-      StorageMgmtIp: {get_attr: [StorageMgmtVirtualIP, ip_address]}
-      StorageMgmtIpUri: {get_attr: [StorageMgmtVirtualIP, ip_address_uri]}
+{%- else %}
+      {{network.name}}Ip: {get_attr: [{{network.name}}VirtualIP, ip_address]}
+      {{network.name}}IpUri: {get_attr: [{{network.name}}VirtualIP, ip_address_uri]}
+{%- endif %}
+{%- endfor %}
       # No tenant or management VIP required
     # Because of nested get_attr functions in the KeystoneAdminVip output, we
     # can't determine which attributes of VipMap are used until after
@@ -758,24 +786,12 @@ resources:
       PingTestIps:
         list_join:
         - ' '
-        - - yaql:
-              expression: coalesce($.data, []).first(null)
-              data: {get_attr: [{{primary_role_name}}, external_ip_address]}
-          - yaql:
-              expression: coalesce($.data, []).first(null)
-              data: {get_attr: [{{primary_role_name}}, internal_api_ip_address]}
-          - yaql:
-              expression: coalesce($.data, []).first(null)
-              data: {get_attr: [{{primary_role_name}}, storage_ip_address]}
-          - yaql:
-              expression: coalesce($.data, []).first(null)
-              data: {get_attr: [{{primary_role_name}}, storage_mgmt_ip_address]}
-          - yaql:
-              expression: coalesce($.data, []).first(null)
-              data: {get_attr: [{{primary_role_name}}, tenant_ip_address]}
+        -
+{%- for network in networks if network.enabled|default(true) %}
           - yaql:
               expression: coalesce($.data, []).first(null)
-              data: {get_attr: [{{primary_role_name}}, management_ip_address]}
+              data: {get_attr: [{{primary_role_name}}, {{network.name_lower}}_ip_address]}
+{%- endfor %}
 
   UpdateWorkflow:
     type: OS::TripleO::Tasks::UpdateWorkflow
diff --git a/puppet/services/neutron-plugin-ml2.yaml b/puppet/services/neutron-plugin-ml2.yaml
index bc91374a..1ea6b1ae 100644
--- a/puppet/services/neutron-plugin-ml2.yaml
+++ b/puppet/services/neutron-plugin-ml2.yaml
@@ -76,6 +76,12 @@ parameters:
     description: Firewall driver for realizing neutron security group function
     type: string
     default: 'openvswitch'
+  NeutronOverlayIPVersion:
+    default: 4
+    description: IP version used for all overlay network endpoints.
+    type: number
+    constraints:
+    - allowed_values: [4,6]
 resources:
 
   NeutronBase:
@@ -105,6 +111,7 @@ outputs:
             neutron::plugins::ml2::vni_ranges: {get_param: NeutronVniRanges}
             neutron::plugins::ml2::tenant_network_types: {get_param: NeutronNetworkType}
             neutron::plugins::ml2::firewall_driver: {get_param: NeutronFirewallDriver}
+            neutron::plugins::ml2::overlay_ip_version: {get_param: NeutronOverlayIPVersion}
 
       step_config: |
         include ::tripleo::profile::base::neutron::plugins::ml2
diff --git a/releasenotes/notes/neutron-ml2-overlay-ip-version-4f14932355847aa0.yaml b/releasenotes/notes/neutron-ml2-overlay-ip-version-4f14932355847aa0.yaml
new file mode 100644
index 00000000..1c20b26d
--- /dev/null
+++ b/releasenotes/notes/neutron-ml2-overlay-ip-version-4f14932355847aa0.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - Add NeutronOverlayIPVersion parameter to congfigure neutron ML2
+    overlay_ip_version option. This parameter should be set to 6 when user
+    requires tenant vxlan tunnel endpoints to be IPv6.
diff --git a/tripleo_heat_templates/environment_generator.py b/tripleo_heat_templates/environment_generator.py
index 876dd854..f1469390 100755
--- a/tripleo_heat_templates/environment_generator.py
+++ b/tripleo_heat_templates/environment_generator.py
@@ -50,7 +50,7 @@ _PRIVATE_OVERRIDES = ['server', 'servers', 'NodeIndex', 'DefaultPasswords']
 # static.  This allows us to generate sample environments using them when
 # necessary, but they won't be improperly included by accident.
 _HIDDEN_PARAMS = ['EndpointMap', 'RoleName', 'RoleParameters',
-                  'ServiceNetMap',
+                  'ServiceNetMap', 'ServiceData',
                   ]