OpenStackDeploymentSecret custom resource
Available since MOSK 22.3
The resource of kind OpenStackDeploymentSecret (OsDplSecret) is a custom resource that is intended to aggregate the cloud's confidential settings, such as SSL/TLS certificates, external systems access credentials, and other secrets.
To obtain detailed information about the schema of an OsDplSecret custom resource, run:
kubectl get crd openstackdeploymentsecret.lcm.mirantis.com -o yaml
Usage
The resource has a structure similar to that of the OpenStackDeployment custom resource and enables the user to set a limited subset of fields that contain sensitive data.
Important
If you are migrating the related fields from the OpenStackDeployment custom resource, refer to Migrating secrets from OpenStackDeployment to OpenStackDeploymentSecret CR.
Example of an OpenStackDeploymentSecret custom resource of minimum configuration:
apiVersion: lcm.mirantis.com/v1alpha1
kind: OpenStackDeploymentSecret
metadata:
  name: osh-dev
  namespace: openstack
spec:
  features:
    ssl:
      public_endpoints:
        ca_cert: |-
          -----BEGIN CERTIFICATE-----
          ...
          -----END CERTIFICATE-----
        api_cert: |-
          -----BEGIN CERTIFICATE-----
          ...
          -----END CERTIFICATE-----
        api_key: |-
          -----BEGIN RSA PRIVATE KEY-----
          ...
          -----END RSA PRIVATE KEY-----
    barbican:
      backends:
        vault:
          approle_role_id: f6f0f775-...-cc00a1b7d0c3
          approle_secret_id: 2b5c4b87-...-9bfc6d796f8c
Public endpoints certificates
features:ssl
Contains the content of SSL/TLS certificates (server, key, and CA bundle) used to enable secure communication to public OpenStack API services.
These certificates must be issued to the DNS domain specified in the public_domain_name field.
Vault back end for Secrets service (OpenStack Barbican)
features:barbican:backends:vault
Specifies the object containing parameters used to connect to a HashiCorp Vault instance. The list of supported configurations includes:
approle_role_id – Vault app role ID
approle_secret_id – Secret ID created for the app role
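A pre-apply check for the fields described above, added here as an example and not part of the MOSK tooling: it flags these secrets when they still sit in an OpenStackDeployment manifest and, in an OpenStackDeploymentSecret, catches PEM material placed in the wrong ssl field. It assumes the manifest is already parsed into a dict (for example from JSON output) and that the sensitive paths are exactly the ones in the example manifest; audit, lookup and SAMPLE are hypothetical names.

```python
import re

# Sensitive paths copied from the example manifest on this page. The CRD
# schema may allow more, so this list is an assumption, not the full set.
SSL = ("features", "ssl", "public_endpoints")
VAULT = ("features", "barbican", "backends", "vault")
PEM_FIELDS = {SSL + ("ca_cert",): "CERTIFICATE",
              SSL + ("api_cert",): "CERTIFICATE",
              SSL + ("api_key",): "PRIVATE KEY"}
ID_FIELDS = [VAULT + ("approle_role_id",), VAULT + ("approle_secret_id",)]
PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")


def lookup(spec, path):
    """Walk nested dicts; return None when any key is missing."""
    node = spec
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def audit(manifest):
    """Return findings for one manifest parsed into a dict."""
    kind, spec = manifest.get("kind"), manifest.get("spec", {})
    findings = []
    for path in list(PEM_FIELDS) + ID_FIELDS:
        value, dotted = lookup(spec, path), ".".join(path)
        if value is None:
            continue
        if kind == "OpenStackDeployment":
            findings.append(f"{dotted}: move to OpenStackDeploymentSecret")
        elif path in PEM_FIELDS:
            want, labels = PEM_FIELDS[path], PEM_BEGIN.findall(str(value))
            if not labels or not all(lab.endswith(want) for lab in labels):
                findings.append(f"{dotted}: expected PEM {want}, got {labels}")
        elif not str(value).strip():
            findings.append(f"{dotted}: empty value")
    return findings


# Constructed sample: a private key pasted into api_cert by mistake.
SAMPLE = {"kind": "OpenStackDeploymentSecret", "spec": {"features": {"ssl": {
    "public_endpoints": {
        "ca_cert": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
        "api_cert": "-----BEGIN RSA PRIVATE KEY-----\n...",
        "api_key": "-----BEGIN RSA PRIVATE KEY-----\n..."}}}}}
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

The check only inspects PEM labels; it does not verify that api_cert matches api_key or that the certificate covers public_domain_name.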