diff --git a/base/0-deployment-order.yml b/base/0-deployment-order.yml
index 85b50b08..fbea3d53 100644
--- a/base/0-deployment-order.yml
+++ b/base/0-deployment-order.yml
@@ -74,6 +74,7 @@ instance_groups:
 stemcell: default
 networks:
 - name: (( grab params.cf_internal_network ))
+ static_ips: (( static_ips(15, 16, 17, 18, 19) ))
 - name: loggregator_trafficcontroller
 instances: (( grab params.loggregator_instances ))
diff --git a/base/cell.yml b/base/cell.yml
index a64cd40a..2e8cf6bb 100644
--- a/base/cell.yml
+++ b/base/cell.yml
@@ -9,7 +9,7 @@ instance_groups:
 consul_server: nil
 consul_client: {from: consul_client_link}
- - { name: cflinuxfs2-rootfs-setup, release: cflinuxfs2-rootfs }
+ - { name: cflinuxfs2-rootfs-setup, release: cflinuxfs2 }
 - name: garden
 release: garden-runc
@@ -24,7 +24,6 @@ instance_groups:
 persistent_image_list:
 - "/var/vcap/packages/cflinuxfs2/rootfs"
-
 - name: rep
 release: diego
 properties:
diff --git a/base/certs.yml b/base/certs.yml
index b3d599ac..f6824267 100644
--- a/base/certs.yml
+++ b/base/certs.yml
@@ -36,6 +36,9 @@ meta:
 server:
 public_cert: (( vault meta.vault "/diego/certs/capi:certificate" ))
 private_key: (( vault meta.vault "/diego/certs/capi:key" ))
+ client:
+ cert: (( vault meta.vault "/diego/certs/capi_client:certificate" ))
+ key: (( vault meta.vault "/diego/certs/capi_client:key" ))
 cc_uploader:
 server:
diff --git a/base/cloud_controller.yml b/base/cloud_controller.yml
index f6a29206..0311c67c 100644
--- a/base/cloud_controller.yml
+++ b/base/cloud_controller.yml
@@ -43,6 +43,8 @@ instance_groups:
 cc-service-dashboards:
 scope: openid,cloud_controller_service_permissions.read
 secret: (( grab meta.uaa.cc_broker_secret ))
+ cc_service_key_client:
+ secret: (( grab meta.uaa.cc_service_key_client_secret ))
 cc_routing:
 secret: (( grab meta.uaa.cc_routing_secret ))
 cloud_controller_username_lookup:
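Review bot: `static_ips: (( static_ips(15, 16, 17, 18, 19) ))` reserves five offsets in the `cf_internal_network` for an instance group whose `instances:` count is outside this hunk, and nothing here shows that offsets 15–19 are free of the other groups' static reservations; confirm the count is at most five and the offsets do not collide, since a collision surfaces only at deploy time. A comment stating why this group needs fixed addresses, and that the list must be kept in step with `instances:`, would spare the next upgrader the archaeology: `# static so dependants can be configured with these addresses; keep >= instances`. The enclosing instance group starts before the hunk.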
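Review bot: The new `client:` map under `meta.certs.diego.capi` in certs.yml uses `cert`/`key` while its sibling `server:` uses `public_cert`/`private_key`; the difference is presumably deliberate, because loggregator.yml grabs the whole map into `loggregator.tls.cc_trafficcontroller`, but as written it reads like a typo. Add a line above `client:` such as `# cert/key naming follows the loggregator tls.cc_trafficcontroller property; the map is grabbed whole in loggregator.yml` so the asymmetry survives the next review. The `meta.certs` block continues beyond the hunk.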
@@ -149,8 +151,7 @@ meta:
 - load_balancer
 default_to_diego_backend: true
- # This Diego block should go away in a future upgrade
- # when these keys just become the defaults
+ #This is still here even though it was supposed to be gone two releases ago...
 diego:
 temporary_local_staging: true
 temporary_local_tasks: true
@@ -222,7 +223,7 @@ meta:
 rules: (( grab params.app_services_networks ))
 - name: load_balancer
 rules: (( grab params.cf_public_ips ))
- srv_api_uri: (( concat "https://" meta.api_hostname ))
+ volume_services_enabled: true
 statsd_injector:
diff --git a/base/loggregator.yml b/base/loggregator.yml
index fcc6111a..44e60714 100644
--- a/base/loggregator.yml
+++ b/base/loggregator.yml
@@ -71,14 +71,17 @@ instance_groups:
 properties:
 system_domain: (( grab params.system_domain ))
 cc:
- srv_api_uri: (( grab meta.cc.srv_api_uri ))
 tls_port: (( grab meta.cc.tls_port ))
+ internal_service_hostname: cloud-controller-ng.service.cf.internal
+ mutual_tls:
+ ca_cert: (( grab meta.cc.mutual_tls.ca_cert ))
 ssl:
 skip_cert_verify: (( grab params.skip_ssl_validation ))
 loggregator:
 tls:
 ca_cert: (( grab meta.certs.loggregator.ca ))
 trafficcontroller: (( grab meta.certs.loggregator.trafficcontroller.server ))
+ cc_trafficcontroller: (( grab meta.certs.diego.capi.client ))
 uaa:
 client_secret: (( grab meta.uaa.doppler_secret ))
 etcd:
@@ -88,7 +91,8 @@ instance_groups:
 traffic_controller:
 etcd: (( grab meta.certs.etcd.client ))
 uaa:
- url: (( grab meta.uaa.url ))
+ internal_url: (( grab meta.uaa.internal_url ))
+ ca_cert: (( grab meta.certs.uaa.ca ))
 - name: route_registrar
 release: routing
diff --git a/base/releases.yml b/base/releases.yml
index 418a4176..792c1368 100644
--- a/base/releases.yml
+++ b/base/releases.yml
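Review bot: `#This is still here even though it was supposed to be gone two releases ago...` drops the only useful fact the old comment carried (that the `diego:` keys are expected to become defaults) and omits the space after `#` that yamllint's `comments` rule expects. Keep the intent and pin it to the versions this commit moves to, so the next bump can re-check it: `# TODO: remove once these are the Diego defaults; still required as of diego 1.26.2 / capi 1.43.0`. The `meta:` block continues beyond the hunk.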
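Review bot: `volume_services_enabled: true` turns on a Cloud Controller feature flag in the slot vacated by `srv_api_uri`, which reads as a like-for-like replacement but is an unrelated behaviour change riding along in a release-bump commit; call it out in the commit message or land it separately so it can be reverted on its own. Deleting `srv_api_uri` from this `meta` mapping is only safe if no other file still grabs it — this diff drops the loggregator.yml reference but cannot show the rest of the kit, so grep for `srv_api_uri` before merging. The enclosing mapping starts and ends outside the hunk.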
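Review bot: `ca_cert: (( grab meta.cc.mutual_tls.ca_cert ))` in the first loggregator.yml hunk and `ca_cert: (( grab meta.certs.uaa.ca ))` in the second grab keys that no file in this diff defines — the cloud_controller.yml hunks add no `mutual_tls`, and certs.yml adds only `meta.certs.diego.capi.client` — so unless both already exist elsewhere in the kit the merge fails on an unresolved grab. Also worth checking: `skip_cert_verify: (( grab params.skip_ssl_validation ))` now sits beside the pinned `mutual_tls.ca_cert` and the literal `internal_service_hostname: cloud-controller-ng.service.cf.internal`; confirm against the loggregator 99 job spec whether `skip_ssl_validation: true` also relaxes verification on the mutual-TLS path, as that is the connection that must not be downgradable. The hostname literal duplicates the `capi` certificate's `names` entry in kit.yml, so derive both from one value to keep the certificate and the client's expected name in step. Both hunks sit inside an instance group that starts before the first one.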
@@ -4,82 +4,82 @@ releases:
 version: "1.0.14"
 sha1: c5ba6b6d99b972ec34dece478302351d8b4f6bbc
 - name: capi
- url: https://bosh.io/d/github.com/cloudfoundry/capi-release?v=1.40.0
- version: "1.40.0"
- sha1: 108794c6db23467462af24a6f9c4612269520882
+ url: https://bosh.io/d/github.com/cloudfoundry/capi-release?v=1.43.0
+ version: "1.43.0"
+ sha1: 94da536a79b95bf9b723d30ab42a944938cf2e76
 - name: cf-smoke-tests
 url: https://bosh.io/d/github.com/cloudfoundry/cf-smoke-tests-release?v=40
 version: "40"
 sha1: 97179a05f901e5360178cb6cf8e78dcf9de6d2c2
-- name: cflinuxfs2-rootfs
- url: https://bosh.io/d/github.com/cloudfoundry/cflinuxfs2-rootfs-release?v=1.60.0
- version: "1.60.0"
- sha1: 12b7e2473d0f4e9edc90bc3da873f51e70ede942
+- name: cflinuxfs2
+ url: https://bosh.io/d/github.com/cloudfoundry/cflinuxfs2-release?v=1.157.0
+ version: "1.157.0"
+ sha1: 0a2ce532d4e8e981d411e8a8f71472a2c0c58ad9
 - name: consul
- url: https://bosh.io/d/github.com/cloudfoundry-incubator/consul-release?v=171
- version: "171"
- sha1: e781dd1050c5f90339f3405f07af094a6c46052d
+ url: https://bosh.io/d/github.com/cloudfoundry-incubator/consul-release?v=173
+ version: "173"
+ sha1: a8beaed125cc4edcf7a21ee3bff51985eed2b2a1
 - name: diego
- url: https://bosh.io/d/github.com/cloudfoundry/diego-release?v=1.25.1
- version: "1.25.1"
- sha1: a99d4914d08ea395955163e0b0882221e022248d
+ url: https://bosh.io/d/github.com/cloudfoundry/diego-release?v=1.26.2
+ version: "1.26.2"
+ sha1: 75509c821f15eca32b0e26886a7236b13517bb29
 - name: dotnet-core-buildpack
- url: https://bosh.io/d/github.com/cloudfoundry/dotnet-core-buildpack-release?v=1.0.23
- version: "1.0.23"
- sha1: ee292aa57b7eab52162a7499ad472864df567695
+ url: https://bosh.io/d/github.com/cloudfoundry/dotnet-core-buildpack-release?v=1.0.27
+ version: "1.0.27"
+ sha1: a81799dc1c05b14d7d46e125a7fe8308385568b0
 - name: etcd
 url: https://bosh.io/d/github.com/cloudfoundry-incubator/etcd-release?v=104
 version: "104"
 sha1: 91d27a5a583d22acaf926023063fcdb2003522e6
 - name: garden-runc
- url: https://bosh.io/d/github.com/cloudfoundry/garden-runc-release?v=1.9.0
- version: "1.9.0"
- sha1: 77bfe8bdb2c3daec5b40f5116a6216badabd196c
+ url: https://bosh.io/d/github.com/cloudfoundry/garden-runc-release?v=1.9.4
+ version: "1.9.4"
+ sha1: 9cccd7685ac075ad6956cba3ab5881e3435cd7e3
 - name: go-buildpack
- url: https://bosh.io/d/github.com/cloudfoundry/go-buildpack-release?v=1.8.6
- version: "1.8.6"
- sha1: d9d0f9feb07ca9dd5f58c95d458e5935e69ee892
+ url: https://bosh.io/d/github.com/cloudfoundry/go-buildpack-release?v=1.8.8
+ version: "1.8.8"
+ sha1: b65744415cf7fb901d06df997a82c26618ece17b
 - name: java-buildpack
- url: https://bosh.io/d/github.com/cloudfoundry/java-buildpack-release?v=3.19
- version: "3.19"
- sha1: 4248c595e596536cdb2ffeeefee153c5d76fbe7d
+ url: https://bosh.io/d/github.com/cloudfoundry/java-buildpack-release?v=4.5.1
+ version: "4.5.1"
+ sha1: d99f66ff5e9182849a5310dbc545eb9af429d187
 - name: loggregator
- url: https://github.com/cloudfoundry/loggregator-release/releases/download/v92/release.tgz
- version: "92"
- sha1: ad497780da9c4dd0e5f7b114637217251168ae6d
+ url: https://bosh.io/d/github.com/cloudfoundry/loggregator-release?v=99
+ version: "99"
+ sha1: 2080e1e0594591dafa716c69f207eb29929bce3d
 - name: nats
 url: https://bosh.io/d/github.com/cloudfoundry/nats-release?v=22
 version: "22"
 sha1: 1300071c7cf43f5d299a6eaec6f6bb6cca7eac3b
 - name: nodejs-buildpack
- url: https://bosh.io/d/github.com/cloudfoundry/nodejs-buildpack-release?v=1.6.4
- version: "1.6.4"
- sha1: 25a924abd54b029e7f01e80b3dca56bcbab1da32
+ url: https://bosh.io/d/github.com/cloudfoundry/nodejs-buildpack-release?v=1.6.7
+ version: "1.6.7"
+ sha1: 56eeb1dc6fc0664270328c2c0fcff5936aa68d7e
 - name: php-buildpack
- url: https://bosh.io/d/github.com/cloudfoundry/php-buildpack-release?v=4.3.39
- version: "4.3.39"
- sha1: 7eadd84e55cd6c87510fb75de9d325e61faba1ce
+ url: https://bosh.io/d/github.com/cloudfoundry/php-buildpack-release?v=4.3.42
+ version: "4.3.42"
+ sha1: 8161798443f31242968797da14f2aa905672cac3
 - name: python-buildpack
- url: https://bosh.io/d/github.com/cloudfoundry/python-buildpack-release?v=1.5.22
- version: "1.5.22"
- sha1: 7b81cbc5694228c7015ee3d39a45a19bd84b336c
+ url: https://bosh.io/d/github.com/cloudfoundry/python-buildpack-release?v=1.5.25
+ version: "1.5.25"
+ sha1: dcd97e1053f0677ed1db9415f7abcd9824c4c2f9
 - name: routing
- url: https://bosh.io/d/github.com/cloudfoundry-incubator/cf-routing-release?v=0.159.0
- version: "0.159.0"
- sha1: 739f663f976fea826595880cfd58470bc8d49172
+ url: https://bosh.io/d/github.com/cloudfoundry-incubator/cf-routing-release?v=0.163.0
+ version: "0.163.0"
+ sha1: f0dacd62bbf23b70684370c7ededaf2733ddb6ae
 - name: ruby-buildpack
- url: https://bosh.io/d/github.com/cloudfoundry/ruby-buildpack-release?v=1.6.46
- version: "1.6.46"
- sha1: 23e4e12f7a3ccadda59727eb95b26a853e86fbbe
+ url: https://bosh.io/d/github.com/cloudfoundry/ruby-buildpack-release?v=1.7.3
+ version: "1.7.3"
+ sha1: 079d84993e3a854f8e3938f7a4761a0d76fee295
 - name: staticfile-buildpack
- url: https://bosh.io/d/github.com/cloudfoundry/staticfile-buildpack-release?v=1.4.12
- version: "1.4.12"
- sha1: 40e3b8a5a9d540fc53c41f5e164ed636420e9e3e
+ url: https://bosh.io/d/github.com/cloudfoundry/staticfile-buildpack-release?v=1.4.16
+ version: "1.4.16"
+ sha1: 8fd958f62024be957604277bc104bbef3dd3bfc2
 - name: statsd-injector
- url: https://bosh.io/d/github.com/cloudfoundry/statsd-injector-release?v=1.0.29
- version: "1.0.29"
- sha1: 6e8f626d107c8e2b525b50571393a6eaaf664ad3
+ url: https://bosh.io/d/github.com/cloudfoundry/statsd-injector-release?v=1.0.30
+ version: "1.0.30"
+ sha1: b0f201e0341af9736848514c76149070ea902e41
 - name: uaa
- url: https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=45
- version: "45"
- sha1: 4d4fba13b724b75206f5eb3abae8efa94dcf7db8
+ url: https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=51
+ version: "51"
+ sha1: 869b8e6bf58f5431b3579f730f142814aae39d71
diff --git a/base/uaa.yml b/base/uaa.yml
index 4ae7f5a5..a7446f76 100644
--- a/base/uaa.yml
+++ b/base/uaa.yml
@@ -26,6 +26,10 @@ instance_groups:
 authorized-grant-types: client_credentials
 scope: openid,cloud_controller_service_permissions.read
 secret: (( grab meta.uaa.cc_broker_secret ))
+ cc_service_key_client:
+ authorities: credhub.read,credhub.write
+ authorized-grant-types: client_credentials
+ secret: (( grab meta.uaa.cc_service_key_client_secret ))
 cc_routing:
 authorities: routing.router_groups.read
 authorized-grant-types: client_credentials
@@ -158,12 +162,14 @@ meta:
 uaa:
 url: (( concat "https://uaa." params.system_domain ))
+ internal_url: "https://uaa.service.cf.internal:8443"
 port: 8080
 ssl_port: 8443
 admin_client_secret: (( vault meta.vault "/uaa/client_secrets:admin_client" ))
 cc_broker_secret: (( vault meta.vault "/uaa/client_secrets:cc_broker" ))
 cc_routing_secret: (( vault meta.vault "/uaa/client_secrets:cc_routing" ))
+ cc_service_key_client_secret: (( vault meta.vault "/uaa/client_secrets:cc_service_key_client" ))
 cc_user_lookup_secret: (( vault meta.vault "/uaa/client_secrets:cc_user_lookup" ))
 doppler_secret: (( vault meta.vault "/uaa/client_secrets:doppler" ))
 firehose_secret: (( vault meta.vault "/uaa/client_secrets:firehose" ))
diff --git a/kit.yml b/kit.yml
index ebcd89ef..efe6508f 100644
--- a/kit.yml
+++ b/kit.yml
@@ -116,6 +116,9 @@ certificates:
 capi:
 valid_for: 1y
 names: [ "cloud-controller-ng.service.cf.internal" ]
+ capi_client:
+ valid_for: 1y
+ names: [ "cloud controller client" ]
 cc_uploader:
 valid_for: 1y
 names: [ "cc_uploader" ]
@@ -184,6 +187,7 @@ credentials:
 uaa/client_secrets:
 admin_client: random 64
 cc_broker: random 64
+ cc_service_key_client: random 64
 cc_routing: random 64
 cc_user_lookup: random 64
 doppler: random 64
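Review bot: The new `cc_service_key_client` UAA client is granted `credhub.read,credhub.write` under `client_credentials`, a write-capable CredHub identity held by Cloud Controller, yet nothing in this diff configures a CredHub endpoint for CC and the releases.yml hunk shows no credhub release, so as far as the diff shows this is an unused privileged credential. Either confirm CredHub is wired in elsewhere in the kit, or hold this client together with its cloud_controller.yml and kit.yml counterparts until it is; in any case add `# used by CC's service-key CredHub integration; requires a CredHub that trusts this UAA` above the entry so operators know what it authorises. The enclosing clients mapping continues outside the hunk.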
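Review bot: `internal_url: "https://uaa.service.cf.internal:8443"` hard-codes the port that `ssl_port: 8443` two lines below already holds, so the two can drift apart silently; derive one from the other (for example `internal_url: (( concat "https://uaa.service.cf.internal:" meta.uaa.ssl_port ))`, if spruce's concat accepts the integer — otherwise keep a single quoted port value in meta and reference it from both). loggregator.yml now pins this endpoint with `ca_cert: (( grab meta.certs.uaa.ca ))`, so the hostname must appear on UAA's server certificate; a comment such as `# must match a name on the uaa certificate in kit.yml` records that coupling. The `meta.uaa` mapping continues beyond the hunk.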
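Review bot: `names: [ "cloud controller client" ]` for `capi_client` in kit.yml is a subject name containing spaces, unlike every neighbour (`cloud-controller-ng.service.cf.internal`, `cc_uploader`); this certificate appears to be presented as a TLS client by the traffic controller (it is wired to `cc_trafficcontroller` in loggregator.yml), and whether CC's mutual-TLS listener in capi 1.43.0 checks the client subject is not visible here. Confirm that requirement and, if the name is free-form, use a token-style value for consistency, e.g. `names: [ "cc_trafficcontroller" ]`, plus a purpose line: `# client cert presented by the loggregator traffic controller to CC's mutual-TLS port`. The `certificates:` mapping continues outside the hunk.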