diff --git a/tripleo_ansible/roles/tripleo_cephadm/defaults/main.yml b/tripleo_ansible/roles/tripleo_cephadm/defaults/main.yml
index 1f112e985..9c7b6262b 100644
--- a/tripleo_ansible/roles/tripleo_cephadm/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo_cephadm/defaults/main.yml
@@ -47,5 +47,6 @@ tripleo_cephadm_crush_rules: []
 tripleo_cephadm_internal_tls_enabled: false
 tripleo_cephadm_nfs_rados_export_index: 'ganesha-export-index'
 tripleo_cephadm_ceph_nfs_rados_backend: true
+tripleo_cephadm_certs: /etc/pki/tls
 # todo(fultonj) add is_hci boolean for target memory
 # https://lists.ceph.io/hyperkitty/list/dev@ceph.io/thread/Z77XO23JPXDNHKM7IG6UN4URYKA6L7VH/
diff --git a/tripleo_ansible/roles/tripleo_cephadm/tasks/ceph_cli.yaml b/tripleo_ansible/roles/tripleo_cephadm/tasks/ceph_cli.yaml
index af4efce19..9896bf017 100644
--- a/tripleo_ansible/roles/tripleo_cephadm/tasks/ceph_cli.yaml
+++ b/tripleo_ansible/roles/tripleo_cephadm/tasks/ceph_cli.yaml
@@ -18,6 +18,12 @@
 set_fact:
 tripleo_cephadm_ceph_cli: >-
 {{ tripleo_cephadm_container_cli }} run --rm {{ tripleo_cephadm_container_options }}
+ {% if mount_certs|default(false) %}
+ --volume {{ tripleo_cephadm_certs }}:/etc/pki/tls:z
+ {% endif %}
+ {% if sensitive_data|default(false) %}
+ --interactive
+ {% endif %}
 --volume {{ tripleo_cephadm_config_home }}:/etc/ceph:z
 {% if mount_spec|default(false) %}
 --volume {{ tripleo_cephadm_spec }}:{{ tripleo_cephadm_container_spec }}:z
diff --git a/tripleo_ansible/roles/tripleo_cephadm/tasks/dashboard/dashboard.yaml b/tripleo_ansible/roles/tripleo_cephadm/tasks/dashboard/dashboard.yaml
index af0e8b70b..2eccc1cb0 100644
--- a/tripleo_ansible/roles/tripleo_cephadm/tasks/dashboard/dashboard.yaml
+++ b/tripleo_ansible/roles/tripleo_cephadm/tasks/dashboard/dashboard.yaml
@@ -18,6 +18,7 @@
 include_tasks: ceph_cli.yaml
 vars:
 mount_spec: true
+ sensitive_data: true
 
 - name: Configure the Ceph Dashboard port
 become: true
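Review bot: The new `--volume {{ tripleo_cephadm_certs }}:/etc/pki/tls:z` line in ceph_cli.yaml bind-mounts the whole certificate directory (default `/etc/pki/tls` from defaults/main.yml) read-write and asks the container runtime to relabel it with `:z`. The only consumer visible in this diff reads a certificate and a key with `-i`, so a read-only mount would be enough: `--volume {{ tripleo_cephadm_certs }}:/etc/pki/tls:ro,z`. Relabelling a host system directory may also change which confined host services can read it, so it is worth confirming that `:z` is wanted here rather than mounting a dedicated directory that holds only the needed files. A short comment above the `sensitive_data` branch saying that `--interactive` is what lets a caller feed a secret on stdin would help, since the flag name alone does not say that.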
@@ -66,6 +67,17 @@
 - name: enable mgr dashboard module (restart)
 command: "{{ tripleo_cephadm_ceph_cli }} mgr module enable dashboard"
 
+- name: create dashboard admin user
+ become: true
+ ceph_dashboard_user:
+ name: "{{ tripleo_cephadm_dashboard_admin_user }}"
+ cluster: "{{ tripleo_cephadm_cluster }}"
+ password: "{{ tripleo_cephadm_dashboard_admin_password }}"
+ roles: ["{{ 'read-only' if tripleo_cephadm_dashboard_admin_user_ro | bool else 'administrator' }}"]
+ environment:
+ CEPH_CONTAINER_IMAGE: "{{ tripleo_cephadm_container_ns + '/' + tripleo_cephadm_container_image + ':' + tripleo_cephadm_container_tag }}"
+ CEPH_CONTAINER_BINARY: "{{ tripleo_cephadm_container_cli }}"
+
 - name: Configure Monitoring Stack
 become: true
 block:
@@ -78,7 +90,10 @@
 - name: set grafana api user
 command: "{{ tripleo_cephadm_ceph_cli }} dashboard set-grafana-api-username {{ tripleo_cephadm_grafana_admin_user }}"
 - name: set grafana api password
- command: "{{ tripleo_cephadm_ceph_cli }} dashboard set-grafana-api-password {{ tripleo_cephadm_grafana_admin_password }}"
+ command: "{{ tripleo_cephadm_ceph_cli }} dashboard set-grafana-api-password -i -"
+ args:
+ stdin: "{{ tripleo_cephadm_grafana_admin_password }}"
+ stdin_add_newline: no
 - name: disable ssl verification for grafana
 command: "{{ tripleo_cephadm_ceph_cli }} dashboard set-grafana-api-ssl-verify False"
 changed_when: false
@@ -96,7 +111,9 @@
 {{ tripleo_cephadm_ceph_cli }} dashboard set-grafana-api-url \
 {{ tripleo_cephadm_dashboard_protocol }}://{{ tripleo_cephadm_dashboard_frontend_vip }}:{{ tripleo_cephadm_grafana_port }}
 changed_when: false
- when: "{{ tripleo_cephadm_dashboard_frontend_vip is defined and tripleo_cephadm_dashboard_frontend_vip |length > 0 }}"
+ when:
+ - tripleo_cephadm_dashboard_frontend_vip is defined
+ - tripleo_cephadm_dashboard_frontend_vip |length > 0
 
 - name: Restart the Ceph dashboard
 become: true
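Review bot: The new `create dashboard admin user` task passes `tripleo_cephadm_dashboard_admin_password` as a module argument without `no_log: true`. Unless the `ceph_dashboard_user` module marks its `password` option as no_log (not visible here), the value can appear in verbose output and registered task results. The same applies to `set grafana api password` in the next hunk, whose `stdin` now carries `tripleo_cephadm_grafana_admin_password`. Adding `no_log: true` to both tasks keeps the secrets out of logs.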
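Review bot: `set grafana api password` now depends on `tripleo_cephadm_ceph_cli` containing `--interactive`, which is only emitted when ceph_cli.yaml was included with `sensitive_data: true`; without it the container presumably has no stdin attached and `-i -` reads nothing. A comment on the task such as `# requires ceph_cli.yaml included with sensitive_data: true (adds --interactive)` would record that coupling. Separately, `stdin_add_newline: no` should be written `stdin_add_newline: false`, matching the `true`/`false` spelling used elsewhere in the role. The enclosing `Configure Monitoring Stack` block starts outside this hunk.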
diff --git a/tripleo_ansible/roles/tripleo_cephadm/tasks/dashboard/grafana.yaml b/tripleo_ansible/roles/tripleo_cephadm/tasks/dashboard/grafana.yaml
deleted file mode 100644
index 8e3c65671..000000000
--- a/tripleo_ansible/roles/tripleo_cephadm/tasks/dashboard/grafana.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
----
-# Copyright 2021 Red Hat, Inc.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-# TODO: MKSPEC TO DEPLOY GRAFANA
-# - name: Deploy the three, unmanaged grafana instances via the orchestrator
-# mkspec:
-# service_type: grafana
-# service_name: grafana
-# placement:
-# hosts:
-# - ctr1
-# - ctr2
-# - ctr3
-# unmanaged: true
-
-- name: Get the current mgr addr
- set_fact:
- grafana_addr: "{{ hostvars[dashboard_backend][tripleo_ceph_dashboard_net] }}"
- vars:
- tripleo_ceph_dashboard_net: "{{ service_net_map['ceph_dashboard_network'] + '_ip' }}"
- delegate_to: "{{ dashboard_backend }}"
-
-- name: Render config files
- block:
- - name: Configure grafana
- template:
- src: grafana.json.j2
- dest: "/tmp/grafana.json"
- become: true
- delegate_to: "{{ dashboard_backend }}"
-
-- name: Reconfigure grafana component
- shell: |
- {{ tripleo_cephadm_bin }} \
- --image {{ tripleo_cephadm_grafana_container_image }} \
- deploy \
- --name grafana.{{ dashboard_backend }} \
- --fsid {{ tripleo_cephadm_fsid }} \
- --config-json /tmp/grafana.json
- register: cephadm_grafana
- become: true
- delegate_to: "{{ dashboard_backend }}"
diff --git a/tripleo_ansible/roles/tripleo_cephadm/tasks/mds.yaml b/tripleo_ansible/roles/tripleo_cephadm/tasks/mds.yaml
index 66edac7ce..d4b60b5a5 100644
--- a/tripleo_ansible/roles/tripleo_cephadm/tasks/mds.yaml
+++ b/tripleo_ansible/roles/tripleo_cephadm/tasks/mds.yaml
@@ -35,7 +35,7 @@
 ceph_mkspec:
 service_type: mds
 apply: true
- hosts: "{{ _hosts }}"
+ hosts: "{{ _hosts | unique }}"
 render_path: "{{ tripleo_cephadm_spec_home }}"
 register: spc
 environment:
diff --git a/tripleo_ansible/roles/tripleo_cephadm/tasks/monitoring.yaml b/tripleo_ansible/roles/tripleo_cephadm/tasks/monitoring.yaml
index 1dc9ff8bf..fa728388f 100644
--- a/tripleo_ansible/roles/tripleo_cephadm/tasks/monitoring.yaml
+++ b/tripleo_ansible/roles/tripleo_cephadm/tasks/monitoring.yaml
@@ -38,10 +38,28 @@
 apply: true
 host_pattern: "*"
 render_path: "{{ tripleo_cephadm_spec_home }}"
+ networks: "{{ tripleo_cephadm_monitoring_address_block }}"
 environment:
 CEPH_CONTAINER_IMAGE: "{{ tripleo_cephadm_container_ns + '/' + tripleo_cephadm_container_image + ':' + tripleo_cephadm_container_tag }}"
 CEPH_CONTAINER_BINARY: "{{ tripleo_cephadm_container_cli }}"
 
+ - name: Config ssl cert(s) and key(s) for the exposed components
+ block:
+ - name: Get ceph_cli
+ include_tasks: ceph_cli.yaml
+ vars:
+ mount_certs: true
+
+ - name: import grafana certificate file
+ command: "{{ tripleo_cephadm_ceph_cli }} config-key set mgr/cephadm/grafana_crt -i {{ tripleo_cephadm_grafana_crt }}"
+ changed_when: false
+
+ - name: import grafana certificate key
+ command: "{{ tripleo_cephadm_ceph_cli }} config-key set mgr/cephadm/grafana_key -i {{ tripleo_cephadm_grafana_key }}"
+ changed_when: false
+ when: tripleo_cephadm_dashboard_protocol == "https" and
+ tripleo_cephadm_grafana_crt | length > 0 and tripleo_cephadm_grafana_key | length > 0
+
 - name: Create the monitoring stack Daemon spec definition
 become: true
 ceph_mkspec:
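Review bot: In the new `Config ssl cert(s) and key(s)` block of monitoring.yaml, the `-i {{ tripleo_cephadm_grafana_crt }}` and `-i {{ tripleo_cephadm_grafana_key }}` paths are opened inside the container, where only `tripleo_cephadm_certs` is mounted, at `/etc/pki/tls`. If `tripleo_cephadm_certs` is overridden to another host directory, both variables must still be given as paths under `/etc/pki/tls`; that deserves a comment on the block. The `when:` applies `| length` to both variables and no default for them is added in this diff, so with https selected an unset variable would fail the task instead of skipping the block; `tripleo_cephadm_grafana_crt | default('') | length > 0` avoids that. `changed_when: false` on the two `config-key set` commands also reports a write to the cluster as unchanged. The enclosing task list continues outside the hunk.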
@@ -49,8 +67,9 @@
 service_id: "{{ item }}"
 service_name: "{{ item }}"
 apply: true
- hosts: "{{ _hosts }}"
+ hosts: "{{ _hosts | unique }}"
 render_path: "{{ tripleo_cephadm_spec_home }}"
+ networks: "{{ tripleo_cephadm_monitoring_address_block }}"
 environment:
 CEPH_CONTAINER_IMAGE: "{{ tripleo_cephadm_container_ns + '/' + tripleo_cephadm_container_image + ':' + tripleo_cephadm_container_tag }}"
 CEPH_CONTAINER_BINARY: "{{ tripleo_cephadm_container_cli }}"
diff --git a/tripleo_ansible/roles/tripleo_cephadm/tasks/rgw.yaml b/tripleo_ansible/roles/tripleo_cephadm/tasks/rgw.yaml
index 7f7367ff2..30ea7a5ae 100644
--- a/tripleo_ansible/roles/tripleo_cephadm/tasks/rgw.yaml
+++ b/tripleo_ansible/roles/tripleo_cephadm/tasks/rgw.yaml
@@ -34,7 +34,7 @@
 ceph_mkspec:
 service_type: rgw
 apply: true
- hosts: "{{ _hosts }}"
+ hosts: "{{ _hosts | unique }}"
 spec:
 rgw_frontend_port: "{{ radosgw_frontend_port }}"
 rgw_realm: 'default'
diff --git a/tripleo_ansible/roles/tripleo_cephadm/templates/grafana.json.j2 b/tripleo_ansible/roles/tripleo_cephadm/templates/grafana.json.j2
deleted file mode 100644
index 4ab92977a..000000000
--- a/tripleo_ansible/roles/tripleo_cephadm/templates/grafana.json.j2
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "files": {
- "grafana.ini": [
- "[users]",
- " default_theme = light",
- "[auth.anonymous]",
- " enabled = true",
- " org_name = 'Main Org.'",
- " org_role = 'Viewer'",
- "[server]",
- " protocol = {{ tripleo_cephadm_dashboard_protocol }}",
- " cert_file = /etc/grafana/certs/cert_file",
- " cert_key = /etc/grafana/certs/cert_key",
- " http_port = {{ tripleo_cephadm_grafana_port }}",
- " http_addr = {{ grafana_addr }}",
- "[security]",
- " admin_user = {{ tripleo_cephadm_grafana_admin_user }}",
- " admin_password = {{ tripleo_cephadm_grafana_admin_password }}",
- " allow_embedding = true"
- ],
- "provisioning/datasources/ceph-dashboard.yml": [
- "deleteDatasources:",
- " - name: 'Dashboard'",
- " orgId: 1",
- " ",
- "datasources:",
- " - name: 'Dashboard'",
- " type: 'prometheus'",
- " access: 'proxy'",
- " orgId: 1",
- " url: 'http://localhost:{{ tripleo_cephadm_prometheus_port }}'",
- " basicAuth: false",
- " isDefault: true",
- " editable: false"
- ],
- "certs/cert_file": [],
- "certs/cert_key": []
- }
-}
diff --git a/tripleo_ansible/roles/tripleo_run_cephadm/tasks/prepare.yml b/tripleo_ansible/roles/tripleo_run_cephadm/tasks/prepare.yml
index d92510f07..150abe896 100644
--- a/tripleo_ansible/roles/tripleo_run_cephadm/tasks/prepare.yml
+++ b/tripleo_ansible/roles/tripleo_run_cephadm/tasks/prepare.yml
@@ -118,3 +118,4 @@
 tripleo_cephadm_fqdn: "{{ ceph_spec_fqdn | bool }}"
 tripleo_cephadm_spec_ansible_host: "{{ tripleo_run_cephadm_spec_path }}"
 tripleo_cephadm_internal_tls_enabled: "{{ enable_internal_tls }}"
+ tripleo_cephadm_num_osd_expected: "{{ groups['ceph_osd'] | default([]) | length }}"
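Review bot: `tripleo_cephadm_num_osd_expected` in prepare.yml is set from a quoted Jinja expression, so without native Jinja types it reaches the role as the string form of the count rather than an integer. No consumer of the variable is visible in this diff; wherever it is compared numerically it should be cast, e.g. `tripleo_cephadm_num_osd_expected | int`. A comment saying the value is the number of hosts in the `ceph_osd` group, not the number of OSD daemons, would also prevent misreading the name. The surrounding vars mapping starts outside the hunk.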