OpenStackDeploymentSecret custom resource

Deprecated in MOSK 23.1

The resource of kind OpenStackDeploymentSecret (OsDplSecret) is a custom resource that is intended to aggregate cloud’s confidential settings such as SSL/TLS certificates, external systems access credentials, and other secrets.

To obtain detailed information about the schema of an OsDplSecret custom resource, run:

kubectl get crd -o yaml


The resource has similar structure as the OpenStackDeployment custom resource and enables the user to set a limited subset of fields that contain sensitive data.


If you are migrating the related fields from the OpenStackDeployment custom resource, refer to Migrating secrets from OpenStackDeployment to OpenStackDeploymentSecret CR.

Example of an OpenStackDeploymentSecret custom resource of minimum configuration:

 2kind: OpenStackDeploymentSecret
 4  name: osh-dev
 5  namespace: openstack
 7  features:
 8    ssl:
 9      public_endpoints:
10        ca_cert: |-
11          -----BEGIN CERTIFICATE-----
12          ...
13          -----END CERTIFICATE-----
14        api_cert: |-
15          -----BEGIN CERTIFICATE-----
16          ...
17          -----END CERTIFICATE-----
18        api_key: |-
19          -----BEGIN RSA PRIVATE KEY-----
20          ...
21          -----END RSA PRIVATE KEY-----
22    barbican:
23      backends:
24        vault:
25          approle_role_id: f6f0f775-...-cc00a1b7d0c3
26          approle_secret_id: 2b5c4b87-...-9bfc6d796f8c

Public endpoints certificates


Contains the content of SSL/TLS certificates (server, key, and CA bundle) used to enable secure communication to public OpenStack API services.

These certificates must be issued to the DNS domain specified in the public_domain_name field.

Vault back end for Barbican


Specifies the object containing parameters used to connect to a Hashicorp Vault instance. The list of supported configurations includes:

  • approle_role_id – Vault app role ID

  • approle_secret_id – Secret ID created for the app role