Credentials
To offer an option to update secrets at any time, we have built credential rotation directly into Yaook.
Whenever a new Service (for APIs) or a new Pod (for per-node components) is created, new credentials are requested from Keystone. These credentials are used only by that specific Service or Pod and are deleted once the Service/Pod is gone.
Rotation process
The rotation of credentials for per-node services is done whenever the node is removed and added again. Since this is the same as our software update flow, the rotation is triggered with each update.
API services: TBD
Cross service credentials
Some services depend on credentials generated by other services.
This is currently only relevant for the nova-metadata service and its metadata_proxy_shared_secret.
The shared secret is generated by the Nova Operator and placed in a Kubernetes Secret.
So that the Secret name does not need to be well known, it is referenced in an annotation on the nova-metadata Service.
The Neutron Operator can then pick up the Secret from the Service annotations and place it in the neutron-metadata-agent configuration.
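As an added illustration (not Yaook's own code), the following Python models both halves of that hand-off on plain dictionaries shaped like Kubernetes API objects: the Nova Operator side that creates the Secret and annotates the Service, and the Neutron Operator side that resolves the annotation back to the secret value and renders the neutron-metadata-agent option. The annotation key, the Secret data key and all object names are assumptions; a real operator would query a Kubernetes client instead of the in-memory dictionary of Secrets used here.

```python
import base64
from typing import Any, Dict

# Hypothetical annotation key; the page does not name Yaook's actual key.
SHARED_SECRET_ANNOTATION = "example.yaook.cloud/metadata-proxy-shared-secret"
# Key inside the Kubernetes Secret's data map (assumed).
SHARED_SECRET_KEY = "metadata_proxy_shared_secret"


class MissingReference(Exception):
    """Raised when the annotation or the referenced Secret cannot be resolved."""


def make_secret(name: str, value: str) -> Dict[str, Any]:
    """Nova Operator side: build the Secret holding the shared secret (constructed).

    Kubernetes stores Secret data base64-encoded, so encode it here."""
    encoded = base64.b64encode(value.encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "data": {SHARED_SECRET_KEY: encoded},
    }


def make_annotated_service(name: str, secret_name: str) -> Dict[str, Any]:
    """Nova Operator side: the nova-metadata Service pointing at the Secret (constructed)."""
    return {
        "apiVersion": "v1",
        "kind": "Service",
        "metadata": {
            "name": name,
            "annotations": {SHARED_SECRET_ANNOTATION: secret_name},
        },
    }


def find_shared_secret_name(service: Dict[str, Any]) -> str:
    """Neutron Operator side: read the Secret name from the Service annotation."""
    metadata = service.get("metadata") or {}
    annotations = metadata.get("annotations") or {}
    if SHARED_SECRET_ANNOTATION not in annotations:
        raise MissingReference(
            f"Service {metadata.get('name')!r} has no {SHARED_SECRET_ANNOTATION} annotation"
        )
    return annotations[SHARED_SECRET_ANNOTATION]


def resolve_shared_secret(service: Dict[str, Any], secrets_by_name: Dict[str, Dict[str, Any]]) -> str:
    """Follow the annotation to the Secret and decode the shared secret value.

    Every missing link fails loudly so the agent is never configured with an empty secret."""
    name = find_shared_secret_name(service)
    secret = secrets_by_name.get(name)
    if secret is None:
        raise MissingReference(f"referenced Secret {name!r} does not exist")
    data = secret.get("data") or {}
    if SHARED_SECRET_KEY not in data:
        raise MissingReference(f"Secret {name!r} has no key {SHARED_SECRET_KEY!r}")
    return base64.b64decode(data[SHARED_SECRET_KEY]).decode()


def render_metadata_agent_config(shared_secret: str) -> str:
    """Render the neutron-metadata-agent option that must match Nova's secret."""
    return f"[DEFAULT]\nmetadata_proxy_shared_secret = {shared_secret}\n"


def demo() -> str:
    """Wire both operators' halves together on constructed objects."""
    # The generated name need not be known to the Neutron Operator in advance.
    secret = make_secret("nova-metadata-shared-secret-x7k2", "constructed-shared-secret")
    service = make_annotated_service("nova-metadata", secret["metadata"]["name"])
    cluster_secrets = {secret["metadata"]["name"]: secret}
    return render_metadata_agent_config(resolve_shared_secret(service, cluster_secrets))


if __name__ == "__main__":
    print(demo())
```

Because the consumer follows the annotation instead of hard-coding a Secret name, the Nova Operator can swap in a newly generated Secret and the Neutron Operator picks it up on its next reconcile; a dangling annotation or a Secret without the expected key raises MissingReference rather than silently producing a configuration with an empty shared secret.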
Service Roles
We have started implementing special roles for each OpenStack service.
Currently this is only implemented for the nova-compute service, with the role nova-compute.
This role is used to grant the nova-compute service a limited set of permissions in the OpenStack environment.