To allow secrets to be updated at any time, credential rotation is built directly into Yaook.
Whenever a new Service (for APIs) or a new Pod (for per-node components) is created, new credentials are requested from Keystone. These credentials are used only for that specific Service/Pod and are deleted once the Service/Pod is gone.
Credentials for per-node services are rotated whenever the node is removed and added again. Since this is the same as the software update flow, a rotation is triggered with each update.
API services: TBD
Cross service credentials
Some services have dependencies on the credentials generated by other services.
This is currently only relevant for the nova-metadata service and its
The shared secret is generated by the Nova Operator and placed in a Kubernetes secret.
To ensure that the secret name does not need to be well known, it is referenced in an annotation on the
The Neutron Operator can then pick up the secret from the service annotations and place it in the
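The hand-off described above, as an added example that is not Yaook's own code: a producer generates a fresh shared secret, stores it in a Kubernetes Secret with a generated name and points to it from the Service's annotations; a consumer follows the annotation rather than assuming a well-known name, and fails closed if either link is missing. An in-memory stand-in replaces the Kubernetes API so the code runs offline; the annotation key, the Secret data key and the namespace are assumptions, not Yaook's actual identifiers.

```python
"""Toy model of annotation-based secret hand-off between two operators.

Constructed example: two dicts stand in for the Kubernetes API instead of
a real cluster. The annotation key and data key below are assumptions,
not the identifiers Yaook actually uses.
"""
import base64
import secrets

# Hypothetical annotation key; the real key is not given on this page.
SHARED_SECRET_ANNOTATION = "example.invalid/metadata-shared-secret"
DATA_KEY = "metadata_proxy_shared_secret"  # assumed Secret data key


class FakeCluster:
    """Minimal stand-in for the parts of the Kubernetes API used here."""

    def __init__(self):
        self.secrets = {}   # (namespace, name) -> Secret manifest
        self.services = {}  # (namespace, name) -> Service manifest


def publish_shared_secret(cluster, namespace, service_name):
    """Producer side (the Nova Operator's role in the text).

    Generates a fresh secret, stores it under a generated Secret name,
    re-points the Service annotation at it and removes the Secret that
    the annotation referenced before, so a rotation leaves no stale copy.
    Returns the plaintext so the caller can compare against a consumer.
    """
    token = secrets.token_urlsafe(32)
    secret_name = f"{service_name}-shared-{secrets.token_hex(4)}"
    cluster.secrets[(namespace, secret_name)] = {
        "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
        "metadata": {"name": secret_name, "namespace": namespace},
        # Secret.data values are base64-encoded, as in a real manifest.
        "data": {DATA_KEY: base64.b64encode(token.encode()).decode()},
    }
    svc = cluster.services.setdefault((namespace, service_name), {
        "apiVersion": "v1", "kind": "Service",
        "metadata": {"name": service_name, "namespace": namespace,
                     "annotations": {}},
    })
    annotations = svc["metadata"]["annotations"]
    previous = annotations.get(SHARED_SECRET_ANNOTATION)
    annotations[SHARED_SECRET_ANNOTATION] = secret_name
    if previous is not None:
        cluster.secrets.pop((namespace, previous), None)
    return token


def resolve_shared_secret(cluster, namespace, service_name):
    """Consumer side (the Neutron Operator's role in the text).

    Follows the annotation to the Secret and decodes the value. Raises
    LookupError if the Service, the annotation or the Secret is missing,
    so the consumer never falls back to guessing a well-known name.
    """
    svc = cluster.services.get((namespace, service_name))
    if svc is None:
        raise LookupError(f"service {namespace}/{service_name} not found")
    secret_name = svc["metadata"].get("annotations", {}).get(
        SHARED_SECRET_ANNOTATION)
    if not secret_name:
        raise LookupError("service carries no shared-secret annotation yet")
    secret = cluster.secrets.get((namespace, secret_name))
    if secret is None:
        raise LookupError(f"referenced secret {secret_name} does not exist")
    return base64.b64decode(secret["data"][DATA_KEY]).decode()


def demo():
    """Publish, consume, rotate, consume again; returns both plaintexts."""
    cluster = FakeCluster()
    first = publish_shared_secret(cluster, "yaook", "nova-metadata")
    assert resolve_shared_secret(cluster, "yaook", "nova-metadata") == first
    # Re-running the producer models a rotation: new Secret, annotation
    # re-pointed, old Secret removed; the consumer just re-reads the link.
    second = publish_shared_secret(cluster, "yaook", "nova-metadata")
    assert second != first
    assert resolve_shared_secret(cluster, "yaook", "nova-metadata") == second
    assert len(cluster.secrets) == 1
    return first, second


if __name__ == "__main__":
    demo()
```

The consumer's only coupling to the producer is the annotation key; the Secret name is free to change on every rotation, which is what makes "the secret name does not need to be well known" hold in practice. A consumer that caches the decoded value must re-resolve it after the producing Service is recreated, since the old Secret is gone.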