Credentials
===========

To offer the option of updating secrets at any time, we have built credential rotation directly into Yaook. Whenever a new Service (for APIs) or a new Pod (for per-node components) is generated, new credentials are requested from Keystone. These credentials are used only for that specific Service or Pod and are deleted once the Service/Pod is gone.

Rotation process
----------------

The rotation of credentials for per-node services happens whenever the node is removed and added again. Since this is the same as our software update flow, the rotation is triggered with each update.

API services: TBD

Cross service credentials
-------------------------

Some services depend on credentials generated by other services. This is currently only relevant for the ``nova-metadata`` service and its ``metadata_proxy_shared_secret``. The shared secret is generated by the Nova Operator and placed in a Kubernetes Secret. So that the Secret name does not need to be well known, it is referenced in an annotation on the ``nova-metadata`` Service. The Neutron Operator can then pick up the Secret from the Service annotations and place it in the ``neutron-metadata-agent`` configuration.
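The following is an added example, not code from the Yaook project, showing the consumer side of the cross-service flow described above: a Neutron-side reconciler reads the annotation on the ``nova-metadata`` Service, follows it to the named Kubernetes Secret, decodes the value and renders the ``metadata_proxy_shared_secret`` line of neutron's ``metadata_agent.ini``. The annotation key (``example.yaook.cloud/metadata-proxy-secret-name``), the key inside the Secret's ``data`` map, and the Service and Secret objects are all constructed for the example; the real names Yaook uses are not given on this page. The API objects are plain dicts shaped like the Kubernetes JSON so the example runs offline.

```python
import base64
from typing import Any, Dict, Mapping, Optional

# Hypothetical annotation key on the nova-metadata Service (not the real Yaook key).
SECRET_NAME_ANNOTATION = "example.yaook.cloud/metadata-proxy-secret-name"
# Hypothetical key inside the Secret's ``data`` map (assumption for this example).
SECRET_DATA_KEY = "metadata_proxy_shared_secret"


def b64(value: str) -> str:
    """Encode a string the way Kubernetes stores Secret ``data`` values."""
    return base64.b64encode(value.encode()).decode()


# Constructed stand-ins for what the Kubernetes API would return.
NOVA_METADATA_SERVICE: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {
        "name": "nova-metadata",
        "namespace": "yaook",
        "annotations": {SECRET_NAME_ANNOTATION: "nova-metadata-proxy-secret-a1b2c3"},
    },
}

SECRETS: Dict[str, Dict[str, Any]] = {
    "nova-metadata-proxy-secret-a1b2c3": {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": "nova-metadata-proxy-secret-a1b2c3", "namespace": "yaook"},
        "data": {SECRET_DATA_KEY: b64("constructed-shared-secret-1")},
    },
}


def resolve_shared_secret(service: Mapping[str, Any],
                          secrets: Mapping[str, Mapping[str, Any]]) -> str:
    """Follow the annotation on the nova-metadata Service to the Secret it names
    and return the decoded shared secret.

    Raises KeyError with a descriptive message when the annotation, the Secret
    or the data key is missing, so a caller can requeue instead of writing a
    broken configuration.
    """
    annotations = service.get("metadata", {}).get("annotations") or {}
    if SECRET_NAME_ANNOTATION not in annotations:
        raise KeyError(f"service has no {SECRET_NAME_ANNOTATION!r} annotation; "
                       "the Nova Operator has not published the secret yet")
    secret_name = annotations[SECRET_NAME_ANNOTATION]
    if secret_name not in secrets:
        raise KeyError(f"referenced secret {secret_name!r} does not exist")
    data = secrets[secret_name].get("data") or {}
    if SECRET_DATA_KEY not in data:
        raise KeyError(f"secret {secret_name!r} has no {SECRET_DATA_KEY!r} key")
    return base64.b64decode(data[SECRET_DATA_KEY]).decode()


def render_metadata_agent_config(shared_secret: str) -> str:
    """Render the part of neutron's metadata_agent.ini that carries the secret."""
    return "[DEFAULT]\n" f"metadata_proxy_shared_secret = {shared_secret}\n"


def reconcile(service: Mapping[str, Any],
              secrets: Mapping[str, Mapping[str, Any]]) -> Optional[str]:
    """One reconcile step of the Neutron side: return the rendered config, or
    None when the shared secret is not (yet) resolvable."""
    try:
        secret = resolve_shared_secret(service, secrets)
    except KeyError as exc:
        print(f"not ready: {exc}")
        return None
    return render_metadata_agent_config(secret)


if __name__ == "__main__":
    print(reconcile(NOVA_METADATA_SERVICE, SECRETS))
    # A Service without the annotation is simply "not ready" rather than an error.
    print(reconcile({"metadata": {"name": "nova-metadata"}}, SECRETS))
```

Because the Secret name is resolved through the annotation on every reconcile, the Nova side is free to name (and replace) the Secret however it likes; the Neutron side never has to know the name in advance, which is the property the section above relies on.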