OpenStackDeploymentSecret custom resource

Available since MOSK 22.3

The resource of kind OpenStackDeploymentSecret (OsDplSecret) is a custom resource that aggregates the cloud's confidential settings, such as SSL/TLS certificates, credentials for access to external systems, and other secrets.

To obtain detailed information about the schema of an OsDplSecret custom resource, run:

kubectl get crd openstackdeploymentsecret.lcm.mirantis.com -oyaml

Usage

The resource has a structure similar to that of the OpenStackDeployment custom resource and enables the user to set a limited subset of fields that contain sensitive data.

Important

If you are migrating the related fields from the OpenStackDeployment custom resource, refer to Migrating secrets from OpenStackDeployment to OpenStackDeploymentSecret CR.

Example of an OpenStackDeploymentSecret custom resource of minimum configuration:

apiVersion: lcm.mirantis.com/v1alpha1
kind: OpenStackDeploymentSecret
metadata:
  name: osh-dev
  namespace: openstack
spec:
  features:
    ssl:
      public_endpoints:
        ca_cert: |-
          -----BEGIN CERTIFICATE-----
          ...
          -----END CERTIFICATE-----
        api_cert: |-
          -----BEGIN CERTIFICATE-----
          ...
          -----END CERTIFICATE-----
        api_key: |-
          -----BEGIN RSA PRIVATE KEY-----
          ...
          -----END RSA PRIVATE KEY-----
    barbican:
      backends:
        vault:
          approle_role_id: f6f0f775-...-cc00a1b7d0c3
          approle_secret_id: 2b5c4b87-...-9bfc6d796f8c

Public endpoints certificates

features:ssl

Contains the content of the SSL/TLS certificates (server, key, and CA bundle) used to secure communication with the public OpenStack API services.

These certificates must be issued to the DNS domain specified in the public_domain_name field.

Vault back end for Secrets service (OpenStack Barbican)

features:barbican:backends:vault

Specifies the object containing the parameters used to connect to a HashiCorp Vault instance. The list of supported configurations includes:

  • approle_role_id – Vault app role ID

  • approle_secret_id – Secret ID created for the app role
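
The following pre-apply check is an added example, not part of the MOSK documentation or tooling. It reports which of the sensitive fields shown above are still set in an OpenStackDeployment object and lints the PEM fields of an OsDplSecret without printing any secret values. It assumes both objects are already parsed from kubectl get ... -o json output and that the fields sit at the same paths under spec in both resources; the function names are hypothetical.

```python
import re

# Sensitive field paths under spec, taken from the example manifest on this page.
SENSITIVE_PATHS = [
    ("features", "ssl", "public_endpoints", "ca_cert"),
    ("features", "ssl", "public_endpoints", "api_cert"),
    ("features", "ssl", "public_endpoints", "api_key"),
    ("features", "barbican", "backends", "vault", "approle_role_id"),
    ("features", "barbican", "backends", "vault", "approle_secret_id"),
]
# A complete PEM block: BEGIN and END lines must carry the same label.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s.*?-----END \1-----", re.S)


def _get(obj, path):
    """Walk nested dicts; return None if any key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def secrets_left_in_osdpl(osdpl):
    """Dotted paths of sensitive fields still set in an OpenStackDeployment
    (assumption: same paths under spec as in the OsDplSecret)."""
    spec = osdpl.get("spec", {})
    return [".".join(p) for p in SENSITIVE_PATHS if _get(spec, p) not in (None, "")]


def lint_osdplsecret(secret):
    """Return a list of problems found in an OpenStackDeploymentSecret object."""
    problems = []
    if secret.get("kind") != "OpenStackDeploymentSecret":
        problems.append("kind is not OpenStackDeploymentSecret")
    spec = secret.get("spec", {})
    for path in SENSITIVE_PATHS[:3]:  # the three PEM-encoded fields
        name, value = path[-1], _get(spec, path)
        if value is None:
            continue
        labels = [m.group(1) for m in PEM_RE.finditer(str(value))]
        if not labels:
            problems.append(f"{name}: no complete PEM block")
        elif name == "api_key" and not all(lab.endswith("PRIVATE KEY") for lab in labels):
            problems.append(f"{name}: expected a private key, found {labels}")
        elif name != "api_key" and any(lab != "CERTIFICATE" for lab in labels):
            problems.append(f"{name}: contains a non-certificate PEM block")
    return problems
```

The lint covers PEM structure only; whether api_cert is issued to the public_domain_name domain and matches api_key has to be verified separately.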