diff --git a/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh b/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
index 3415b9a224..ab375d0885 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
@@ -44,6 +44,11 @@ MASTER_HOSTNAME=${MASTER_HOSTNAME:-}
 if [[ -n "${MASTER_HOSTNAME}" ]]; then
 sans="${sans},DNS:${MASTER_HOSTNAME}"
 fi
+
+if [[ -n "${ETCD_LB_VIP}" ]]; then
+ sans="${sans},IP:${ETCD_LB_VIP}"
+fi
+
 sans="${sans},IP:127.0.0.1"
 KUBE_SERVICE_IP=$(echo $PORTAL_NETWORK_CIDR | awk 'BEGIN{FS="[./]"; OFS="."}{print $1,$2,$3,$4 + 1}')
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml
index 9fba497acb..5f0bb5c7ba 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml
+++ b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml
@@ -42,3 +42,4 @@ write_files:
 INSECURE_REGISTRY_URL="$INSECURE_REGISTRY_URL"
 SYSTEM_PODS_INITIAL_DELAY="$SYSTEM_PODS_INITIAL_DELAY"
 SYSTEM_PODS_TIMEOUT="$SYSTEM_PODS_TIMEOUT"
+ ETCD_LB_VIP="$ETCD_LB_VIP"
diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
index 0053284963..2836490cbc 100644
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
@@ -326,7 +326,7 @@ resources:
 properties:
 fixed_subnet: {get_attr: [network, fixed_subnet]}
 external_network: {get_param: external_network}
- protocol: HTTP
+ protocol: {get_param: loadbalancing_protocol}
 port: 2379
 ######################################################################
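Review bot: In make-cert.sh the new `[[ -n "${ETCD_LB_VIP}" ]]` test reads the variable without the `${VAR:-}` default that the preceding `MASTER_HOSTNAME=${MASTER_HOSTNAME:-}` line applies, so if the script runs with `nounset` (not visible in this hunk) a heat-params file that lacks ETCD_LB_VIP would abort certificate generation. Adding `ETCD_LB_VIP=${ETCD_LB_VIP:-}` before the test keeps the two optional SAN entries consistent. The value is then appended as `IP:${ETCD_LB_VIP}` with no check that it is an IP literal; whether anything else can arrive here depends on the `address` attribute of etcd_lb, which is defined outside this diff. Since every SAN widens what the master certificate is accepted for, a short comment such as `# etcd LB VIP: clients reach etcd through the load balancer, so its address must be a SAN` would record why the entry exists.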
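Review bot: In k8s_fedora_atomic_v1/templates/kubecluster.yaml the etcd listener on port 2379 now takes its protocol from `loadbalancing_protocol`, whose definition, default and allowed values are not visible in this hunk; k8s_fedora_ironic_v1/templates/kubecluster.yaml receives the same change. If that parameter is shared with the API load balancer, a single setting now decides for both listeners whether TLS is passed through or the traffic is handled as HTTP, and an HTTP value would presumably not work once etcd clients present TLS. A comment on the property would state the expectation, for example `# follows loadbalancing_protocol; expected to be TCP when etcd serves TLS so the LB passes the handshake through`. The etcd_lb resource begins above the hunk.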
@@ -458,6 +458,7 @@ resources:
 trust_id: {get_param: trust_id}
 auth_url: {get_param: auth_url}
 insecure_registry_url: {get_param: insecure_registry_url}
+ etcd_lb_vip: {get_attr: [etcd_lb, address]}
 ######################################################################
 #
diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
index ac60e04773..d587d01381 100644
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
@@ -202,6 +202,12 @@ parameters:
 type: string
 description: insecure registry url
+ etcd_lb_vip:
+ type: string
+ description: >
+ etcd lb vip private used to generate certs on master.
+ default: ""
+
 resources:
 master_wait_handle:
@@ -278,6 +284,7 @@ resources:
 "$TRUSTEE_PASSWORD": {get_param: trustee_password}
 "$TRUST_ID": {get_param: trust_id}
 "$INSECURE_REGISTRY_URL": {get_param: insecure_registry_url}
+ "$ETCD_LB_VIP": {get_param: etcd_lb_vip}
 make_cert:
 type: OS::Heat::SoftwareConfig
diff --git a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml
index 7b1e64d454..50e853de6a 100644
--- a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml
@@ -311,7 +311,7 @@ resources:
 properties:
 fixed_subnet: {get_param: fixed_subnet}
 external_network: {get_param: external_network}
- protocol: HTTP
+ protocol: {get_param: loadbalancing_protocol}
 port: 2379
 ######################################################################
@@ -446,6 +446,7 @@ resources:
 auth_url: {get_param: auth_url}
 insecure_registry_url: {get_param: insecure_registry_url}
 wc_curl_cli: {get_attr: [master_wait_handle, curl_cli]}
+ etcd_lb_vip: {get_attr: [etcd_lb, address]}
 ######################################################################
 #
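Review bot: The new `etcd_lb_vip` parameter in k8s_fedora_atomic_v1/templates/kubemaster.yaml (added identically in k8s_fedora_ironic_v1/templates/kubemaster.yaml) has a description that does not say what the value is or what happens when it is empty, and with `default: ""` a master stack created without it silently gets a certificate that lacks the load-balancer SAN. I would reword the description to `Private VIP of the etcd load balancer; added as an IP SAN to the certificate generated on the master. Empty means no SAN is added.` Because the string ends up in a certificate request, the description should also state that only an IP address is expected. The parameters section continues above the hunk.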
diff --git a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml
index d6e6435c94..8cc1d4baa2 100644
--- a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml
@@ -202,6 +202,12 @@ parameters:
 description : >
 Wait condition notify command for Master.
+ etcd_lb_vip:
+ type: string
+ description: >
+ etcd lb vip private used to generate certs on master.
+ default: ""
+
 resources:
 ######################################################################
@@ -266,6 +272,7 @@ resources:
 "$TRUST_ID": {get_param: trust_id}
 "$INSECURE_REGISTRY_URL": {get_param: insecure_registry_url}
 "$ENABLE_CINDER": "False"
+ "$ETCD_LB_VIP": {get_param: etcd_lb_vip}
 make_cert:
 type: OS::Heat::SoftwareConfig