diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md
new file mode 100644
index 000000000..b82daadde
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE.md
@@ -0,0 +1,47 @@
+<!-- Thanks for filing an issue! Before hitting the button, please answer these questions.-->
+
+**Is this a BUG REPORT or FEATURE REQUEST?** (choose one):
+
+<!--
+If this is a BUG REPORT, please:
+  - Fill in as much of the template below as you can.  If you leave out
+    information, we can't help you as well.
+
+If this is a FEATURE REQUEST, please:
+  - Describe *in detail* the feature/behavior/change you'd like to see.
+
+In both cases, be ready for followup questions, and please respond in a timely
+manner.  If we can't reproduce a bug or think a feature already exists, we
+might close your issue.  If we're wrong, PLEASE feel free to reopen it and
+explain why.
+-->
+
+**Environment**:
+- **Cloud provider or hardware configuration:**
+
+- **OS (`printf "$(uname -srm)\n$(cat /etc/os-release)\n"`):**
+
+- **Version of Ansible** (`ansible --version`):
+
+
+**Kargo version (commit) (`git rev-parse --short HEAD`):**
+
+
+**Network plugin used**:
+
+
+**Copy of your inventory file:**
+
+
+**Command used to invoke ansible**:
+
+
+**Output of ansible run**:
+<!-- We recommend using snippets services like https://gist.github.com/ etc. -->
+
+**Anything else do we need to know**:
+<!-- By running scripts/collect-info.yaml you can get a lot of useful informations.
+Script can be started by:
+ansible-playbook -i <inventory_file_path> -u <ssh_user> -e ansible_ssh_user=<ssh_user> -b --become-user=root -e dir=`pwd` scripts/collect-info.yaml
+(If you using CoreOS remember to add '-e ansible_python_interpreter=/opt/bin/python').
+After running this command you can find logs in `pwd`/logs.tar.gz. You can even upload somewhere entire file and paste link here.-->
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index feb84e4b4..cc86762ae 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -51,7 +51,8 @@ before_script:
   LOG_LEVEL: "-vv"
   ETCD_DEPLOYMENT: "docker"
   KUBELET_DEPLOYMENT: "docker"
-
+  MAGIC: "ci check this"
+  
 .gce: &gce
   <<: *job
   <<: *docker_service
@@ -215,7 +216,7 @@ before_script:
   ETCD_DEPLOYMENT: rkt
   KUBELET_DEPLOYMENT: rkt
 
-# Builds for PRs only (auto) and triggers (auto)
+# Builds for PRs only (premoderated by unit-tests step) and triggers (auto)
 coreos-calico-sep:
   stage: deploy-gce-part1
   <<: *job
@@ -429,12 +430,16 @@ ubuntu-rkt-sep:
   except: ['triggers']
   only: ['master', /^pr-.*$/]
 
+# Premoderated with manual actions
 syntax-check:
   <<: *job
   stage: unit-tests
+  before_script:
+    - apt-get -y install jq
   script:
     - ansible-playbook -i inventory/local-tests.cfg -u root -e ansible_ssh_user=root  -b --become-user=root cluster.yml -vvv  --syntax-check
-  except: ['triggers']
+    - /bin/sh scripts/premoderator.sh
+  except: ['triggers', 'master']
 
 tox-inventory-builder:
   stage: unit-tests
@@ -443,4 +448,4 @@ tox-inventory-builder:
     - pip install tox
     - cd contrib/inventory_builder && tox
   when: manual
-  except: ['triggers']
+  except: ['triggers', 'master']
diff --git a/roles/kubernetes-apps/ansible/defaults/main.yml b/roles/kubernetes-apps/ansible/defaults/main.yml
index 90a5702bb..0a4319baa 100644
--- a/roles/kubernetes-apps/ansible/defaults/main.yml
+++ b/roles/kubernetes-apps/ansible/defaults/main.yml
@@ -51,3 +51,5 @@ netchecker_kubectl_memory_requests: 64M
 
 # SSL
 etcd_cert_dir: "/etc/ssl/etcd/ssl"
+calico_cert_dir: "/etc/calico/certs"
+canal_cert_dir: "/etc/canal/certs"
diff --git a/roles/kubernetes-apps/ansible/tasks/calico-policy-controller.yml b/roles/kubernetes-apps/ansible/tasks/calico-policy-controller.yml
index a3915f9ba..447fb719f 100644
--- a/roles/kubernetes-apps/ansible/tasks/calico-policy-controller.yml
+++ b/roles/kubernetes-apps/ansible/tasks/calico-policy-controller.yml
@@ -1,8 +1,13 @@
+---
+- set_fact:
+    calico_cert_dir: "{{ canal_cert_dir }}"
+  when: kube_network_plugin == 'canal'
+  tags: facts
+
 - name: Write calico-policy-controller yaml
   template: src=calico-policy-controller.yml.j2 dest={{kube_config_dir}}/calico-policy-controller.yml
   when: inventory_hostname == groups['kube-master'][0]
 
-
 - name: Start of Calico policy controller
   kube:
     name: "calico-policy-controller"
diff --git a/roles/kubernetes-apps/ansible/templates/calico-policy-controller.yml.j2 b/roles/kubernetes-apps/ansible/templates/calico-policy-controller.yml.j2
index c92328f15..06bb78b7c 100644
--- a/roles/kubernetes-apps/ansible/templates/calico-policy-controller.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/calico-policy-controller.yml.j2
@@ -36,11 +36,11 @@ spec:
             - name: ETCD_ENDPOINTS
               value: "{{ etcd_access_endpoint }}"
             - name: ETCD_CA_CERT_FILE
-              value: "{{ etcd_cert_dir }}/ca.pem"
+              value: "{{ calico_cert_dir }}/ca_cert.crt"
             - name: ETCD_CERT_FILE
-              value: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
+              value: "{{ calico_cert_dir }}/cert.crt"
             - name: ETCD_KEY_FILE
-              value: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
+              value: "{{ calico_cert_dir }}/key.pem"
             # Location of the Kubernetes API - this shouldn't need to be
             # changed so long as it is used in conjunction with
             # CONFIGURE_ETC_HOSTS="true".
@@ -53,10 +53,10 @@ spec:
             - name: CONFIGURE_ETC_HOSTS
               value: "true"
           volumeMounts:
-          - mountPath: {{ etcd_cert_dir }}
+          - mountPath: {{ calico_cert_dir }}
             name: etcd-certs
             readOnly: true
       volumes:
       - hostPath:
-          path: {{ etcd_cert_dir }}
+          path: {{ calico_cert_dir }}
         name: etcd-certs
diff --git a/roles/network_plugin/calico/templates/calicoctl-container.j2 b/roles/network_plugin/calico/templates/calicoctl-container.j2
index 0ecfba0c1..ec8642c01 100644
--- a/roles/network_plugin/calico/templates/calicoctl-container.j2
+++ b/roles/network_plugin/calico/templates/calicoctl-container.j2
@@ -2,13 +2,13 @@
 {{ docker_bin_dir }}/docker run -i --privileged --rm \
 --net=host --pid=host \
 -e ETCD_ENDPOINTS={{ etcd_access_endpoint }} \
--e ETCD_CA_CERT_FILE=/etc/calico/certs/ca_cert.crt \
--e ETCD_CERT_FILE=/etc/calico/certs/cert.crt \
--e ETCD_KEY_FILE=/etc/calico/certs/key.pem \
+-e ETCD_CA_CERT_FILE={{ calico_cert_dir }}/ca_cert.crt \
+-e ETCD_CERT_FILE={{ calico_cert_dir }}/cert.crt \
+-e ETCD_KEY_FILE={{ calico_cert_dir }}/key.pem \
 -v {{ docker_bin_dir }}/docker:{{ docker_bin_dir }}/docker \
 -v /var/run/docker.sock:/var/run/docker.sock \
 -v /var/run/calico:/var/run/calico \
--v /etc/calico/certs:/etc/calico/certs:ro \
+-v {{ calico_cert_dir }}:{{ calico_cert_dir }}:ro \
 --memory={{ calicoctl_memory_limit|regex_replace('Mi', 'M') }} --cpu-shares={{ calicoctl_cpu_limit|regex_replace('m', '') }} \
 {{ calicoctl_image_repo }}:{{ calicoctl_image_tag}} \
 $@
diff --git a/roles/network_plugin/flannel/defaults/main.yml b/roles/network_plugin/flannel/defaults/main.yml
index b6768f1bd..f8be25969 100644
--- a/roles/network_plugin/flannel/defaults/main.yml
+++ b/roles/network_plugin/flannel/defaults/main.yml
@@ -16,3 +16,6 @@ flannel_memory_limit: 500M
 flannel_cpu_limit: 300m
 flannel_memory_requests: 256M
 flannel_cpu_requests: 150m
+
+flannel_cert_dir: /etc/flannel/certs
+etcd_cert_dir: /etc/ssl/etcd/ssl
diff --git a/roles/network_plugin/flannel/tasks/main.yml b/roles/network_plugin/flannel/tasks/main.yml
index 47aec49d9..4fb637975 100644
--- a/roles/network_plugin/flannel/tasks/main.yml
+++ b/roles/network_plugin/flannel/tasks/main.yml
@@ -7,6 +7,25 @@
   delegate_to: "{{groups['etcd'][0]}}"
   run_once: true
 
+- name: Flannel | Create flannel certs directory
+  file:
+    dest: "{{ flannel_cert_dir }}"
+    state: directory
+    mode: 0750
+    owner: root
+    group: root
+
+- name: Flannel | Link etcd certificates for flanneld
+  file:
+    src: "{{ etcd_cert_dir }}/{{ item.s }}"
+    dest: "{{ flannel_cert_dir }}/{{ item.d }}"
+    state: hard
+    force: yes
+  with_items:
+    - {s: "ca.pem", d: "ca_cert.crt"}
+    - {s: "node-{{ inventory_hostname }}.pem", d: "cert.crt"}
+    - {s: "node-{{ inventory_hostname }}-key.pem", d: "key.pem"}
+
 - name: Flannel | Create flannel pod manifest
   template:
     src: flannel-pod.yml
diff --git a/roles/network_plugin/flannel/templates/flannel-pod.yml b/roles/network_plugin/flannel/templates/flannel-pod.yml
index f9b76ce5f..92ecada69 100644
--- a/roles/network_plugin/flannel/templates/flannel-pod.yml
+++ b/roles/network_plugin/flannel/templates/flannel-pod.yml
@@ -14,7 +14,7 @@
           path: "/run/flannel"
       - name: "etcd-certs"
         hostPath:
-          path: "{{ etcd_cert_dir }}"
+          path: "{{ flannel_cert_dir }}"
     containers:
       - name: "flannel-container"
         image: "{{ flannel_image_repo }}:{{ flannel_image_tag }}"
@@ -29,7 +29,7 @@
         command:
           - "/bin/sh"
           - "-c"
-          - "/opt/bin/flanneld -etcd-endpoints {{ etcd_access_endpoint }} -etcd-prefix /{{ cluster_name }}/network -etcd-cafile {{ etcd_cert_dir }}/ca.pem -etcd-certfile {{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem -etcd-keyfile {{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem {% if flannel_interface is defined %}-iface {{ flannel_interface }}{% endif %} {% if flannel_public_ip is defined %}-public-ip {{ flannel_public_ip }}{% endif %}"
+          - "/opt/bin/flanneld -etcd-endpoints {{ etcd_access_endpoint }} -etcd-prefix /{{ cluster_name }}/network -etcd-cafile {{ flannel_cert_dir }}/ca_cert.crt -etcd-certfile {{ flannel_cert_dir }}/cert.crt -etcd-keyfile {{ flannel_cert_dir }}/key.pem {% if flannel_interface is defined %}-iface {{ flannel_interface }}{% endif %} {% if flannel_public_ip is defined %}-public-ip {{ flannel_public_ip }}{% endif %}"
         ports:
           - hostPort: 10253
             containerPort: 10253
@@ -37,7 +37,7 @@
           - name: "subnetenv"
             mountPath: "/run/flannel"
           - name: "etcd-certs"
-            mountPath: "{{ etcd_cert_dir }}"
+            mountPath: "{{ flannel_cert_dir }}"
             readOnly: true
         securityContext:
           privileged: true
diff --git a/scripts/premoderator.sh b/scripts/premoderator.sh
new file mode 100644
index 000000000..2e730df7b
--- /dev/null
+++ b/scripts/premoderator.sh
@@ -0,0 +1,15 @@
+#!/bin/sh -eux -o pipefail
+# A naive premoderation script to allow Gitlab CI pipeline on a specific PRs' comment
+# Exits with 0, if the pipeline is good to go
+
+CURL_ARGS="-fs --connect-timeout 5 --max-time 5 --retry-max-time 20 --retry 4 --retry-delay 5"
+MAGIC="${MAGIC:-ci check this}"
+
+# Get PR number from CI_BUILD_REF_NAME
+issue=$(echo ${CI_BUILD_REF_NAME} | perl -ne '/^pr-(\d+)-\S+$/ && print $1')
+# Get the user name from the PR comments with the wanted magic incantation casted
+user=$(curl ${CURL_ARGS} "https://api.github.com/repos/kubernetes-incubator/kargo/issues/${issue}/comments" \
+  | jq -M "map(select(.body | contains (\"$MAGIC\"))) | .[0] .user.login" | tr -d '"')
+# Check for the required user group membership to allow (exit 0) or decline (exit >0) the pipeline
+[ "$user" != "null" ] || exit 1
+curl ${CURL_ARGS} "https://api.github.com/orgs/kubernetes-incubator/members/${user}"