To offer an option to update secrets at any time, we have built credential rotation directly into Yaook.

Whenever a new Service (for APIs) or a new Pod (for per-node things) is generated, new credentials are requested from Keystone. These credentials are only in use for this specific purpose and are deleted after the Service/Pod is gone.

Rotation process

The rotation of credentials for per-node services is done whenever the node is removed and added again. Since this is the same as our software update flow, the rotation is triggered with each update.

API services: TBD

Cross service credentials

Some services have dependencies on the credentials generated by other services. This is currently only relevant for the nova-metadata service and its metadata_proxy_shared_secret. The shared secret is generated by the Nova Operator and placed in a Kubernetes Secret. To ensure that the Secret name does not need to be well known, it is referenced in an annotation on the nova-metadata Service. The Neutron Operator can then pick up the Secret from the Service annotations and place it in the neutron-metadata-agent configuration.
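The lookup described above, as an added example that is not Yaook's own code: the annotation key, the key inside the Secret's data map and the in-memory Service/Secret objects are assumptions constructed for illustration; the neutron-metadata-agent option name is the one the text names.

```python
import base64

# Hypothetical annotation key: the page does not state the one Yaook uses.
SHARED_SECRET_ANNOTATION = "example.yaook.cloud/metadata-shared-secret"
# Key inside the Secret's data map; also an assumption.
SECRET_DATA_KEY = "metadata_proxy_shared_secret"

# Constructed sample objects standing in for what the Neutron Operator would
# read from the Kubernetes API (Secret data is base64 in the API representation).
SERVICE = {
    "metadata": {
        "name": "nova-metadata",
        "namespace": "yaook",
        "annotations": {SHARED_SECRET_ANNOTATION: "nova-metadata-shared-secret-abc12"},
    }
}
SECRETS = {
    ("yaook", "nova-metadata-shared-secret-abc12"): {
        "data": {SECRET_DATA_KEY: base64.b64encode(b"secret123").decode()}
    }
}


def resolve_shared_secret(service, secrets):
    """Follow the annotation on the nova-metadata Service to the Secret it names
    and return the decoded shared secret; the Secret name itself never has to be
    well known, so a rotation only has to update the annotation."""
    meta = service.get("metadata", {})
    secret_name = meta.get("annotations", {}).get(SHARED_SECRET_ANNOTATION)
    if not secret_name:
        raise KeyError(f"Service lacks the {SHARED_SECRET_ANNOTATION} annotation")
    ref = (meta["namespace"], secret_name)
    secret = secrets.get(ref)
    if secret is None:
        # Typical during a rotation: annotation already points at a Secret that
        # has not been created (or synced) yet; the caller should retry later.
        raise KeyError(f"Secret {ref[0]}/{ref[1]} not found")
    raw = secret.get("data", {}).get(SECRET_DATA_KEY)
    if not raw:
        raise KeyError(f"Secret {ref[0]}/{ref[1]} has no {SECRET_DATA_KEY} entry")
    value = base64.b64decode(raw).decode()
    if not value:
        raise ValueError("shared secret is empty")
    return value


def render_neutron_metadata_agent_config(shared_secret):
    """Render the [DEFAULT] section of the neutron-metadata-agent config carrying the secret."""
    return f"[DEFAULT]\nmetadata_proxy_shared_secret = {shared_secret}\n"


if __name__ == "__main__":
    print(render_neutron_metadata_agent_config(resolve_shared_secret(SERVICE, SECRETS)))
```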