It sounds like they might be – but the complaint is perhaps that once kolla-ansible generates the config, that config has the passwords in plain text (i.e. if you SSH into the machine, docker exec into the container, the /etc/nova/nova.conf has the keys built from the ansible-vault password.yml)
I do not think there is a way around this, nor do I think there needs to be – if the passwords are only in “plain text” in the config on the container, only accessible by root, then privilege escalation to root is the vulnerability you should be protecting against anyway – even if you somehow worked out a way to have secrets separate in a way that wasn’t just a big house of cards, if there’s a privilege-escalation to root on your host nodes, you’re going to have massive problems, and some configuration passwords are going to be the least of them.
@elnazcloud@gmail.com can you confirm you’re using the ansible-vault password encryption for your passwords.yml?
Kolla-ansible has supported it for like 8 years:
https://opendev.org/openstack/kolla-ansible/commit/684194ff9dbd442a93278bec2cef95a21fa62811
Here is the link to the ansible documentation:
https://docs.ansible.com/ansible/latest/vault_guide/vault_encrypting_content.html
Let us know if you need more information.
Kind Regards,
Joel McLean – Micron21 Pty Ltd
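As an added example (not kolla-ansible's code and not from anyone in this thread), the following Python script audits the two points Joel raises: whether passwords.yml actually carries the ansible-vault envelope, and which options in a rendered service config still hold credentials in clear text and whether that file's mode keeps group/other out. The header check relies on the real ansible-vault envelope line format (`$ANSIBLE_VAULT;<version>;<cipher>[;<vault-id>]`); the nova.conf fragment, option names and secret values are constructed placeholders, and the credential-matching patterns are heuristics, not anything oslo.config defines.

```python
"""Audit a kolla-ansible deployment's secret handling (added example; not
kolla-ansible code). Two checks from the discussion above:
  1. passwords.yml should be ansible-vault encrypted; vaulted files begin with
     an envelope line of the form '$ANSIBLE_VAULT;<version>;<cipher>[;<id>]'.
  2. Rendered service configs (e.g. /etc/nova/nova.conf in the container)
     will still hold clear-text credentials, so inventory which options carry
     them and confirm the file mode keeps group/other out.
All sample inputs are constructed; secret values are placeholders."""
import configparser
import os
import re
import stat
import tempfile

VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;\d+\.\d+;[A-Z0-9]+(;\S+)?$")
# Option names that conventionally hold credentials in oslo.config files (heuristic).
SECRET_OPTION = re.compile(r"password|passwd|secret|token", re.IGNORECASE)
# user:password@ embedded in a URL such as transport_url or [database] connection.
EMBEDDED_CRED = re.compile(r"://[^/:@\s]+:[^@\s]+@")

# Constructed sample: a vaulted passwords.yml (the hex payload is fake).
VAULTED_PASSWORDS_YML = "$ANSIBLE_VAULT;1.1;AES256\n33363962316465636264\n"
# Constructed sample: the same file left unencrypted.
PLAIN_PASSWORDS_YML = "---\ndatabase_password: notreal\n"
# Constructed fragment in the style of a rendered nova.conf.
SAMPLE_NOVA_CONF = """[DEFAULT]
debug = False
transport_url = rabbit://openstack:notreal@10.0.0.1:5672//

[database]
connection = mysql+pymysql://nova:notreal@10.0.0.1:3306/nova

[keystone_authtoken]
auth_url = http://10.0.0.1:5000
username = nova
password = notreal
memcache_secret_key = notreal

[placement]
password =
"""


def is_vault_encrypted(text):
    """True if the first line is an ansible-vault envelope header."""
    lines = text.strip().splitlines()
    return bool(lines) and VAULT_HEADER.match(lines[0].strip()) is not None


def find_cleartext_secrets(conf_text):
    """Return (section, option) pairs holding a clear-text credential.
    Values are deliberately not returned so the report does not become
    another copy of the secrets."""
    # A default_section name that never occurs makes [DEFAULT] an ordinary
    # section, so its options are not merged into every other section.
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       default_section="__no_default__")
    parser.read_string(conf_text)
    hits = []
    for section in parser.sections():
        for option, value in parser.items(section):
            value = value.strip()
            if not value:
                continue
            if SECRET_OPTION.search(option) or EMBEDDED_CRED.search(value):
                hits.append((section, option))
    return hits


def mode_restricted(mode):
    """True when no group/other permission bits are set (e.g. 0600, 0400)."""
    return (stat.S_IMODE(mode) & 0o077) == 0


def audit_rendered_config(path):
    """Audit one rendered config on disk: which options leak, and to whom."""
    st = os.stat(path)
    with open(path, encoding="utf-8") as fh:
        hits = find_cleartext_secrets(fh.read())
    return {"owner_uid": st.st_uid,
            "mode_restricted": mode_restricted(st.st_mode),
            "cleartext_options": hits}


def demo():
    """Write the constructed samples to a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        pw = os.path.join(tmp, "passwords.yml")
        conf = os.path.join(tmp, "nova.conf")
        with open(pw, "w", encoding="utf-8") as fh:
            fh.write(VAULTED_PASSWORDS_YML)
        with open(conf, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_NOVA_CONF)
        os.chmod(conf, 0o600)  # what a correctly deployed config should look like
        with open(pw, encoding="utf-8") as fh:
            vaulted = is_vault_encrypted(fh.read())
        return {"passwords_vaulted": vaulted, **audit_rendered_config(conf)}


if __name__ == "__main__":
    result = demo()
    print("passwords.yml vault-encrypted:", result["passwords_vaulted"])
    print("nova.conf mode restricted to owner:", result["mode_restricted"])
    for section, option in result["cleartext_options"]:
        print(f"clear-text credential in [{section}] {option}")
```

Run against a real node, the interesting call is `audit_rendered_config("/etc/nova/nova.conf")` from inside the container (or on the host's bind-mounted copy): it confirms the point made above that the rendered file will always contain the credentials, so the control that matters is who can read it, which the mode and owner fields of the report make visible.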
From: Satish Patel <satish.txt@gmail.com>
Sent: Tuesday, 29 July 2025 1:29 PM
To: elnazcloud@gmail.com
Cc: openstack-discuss@lists.openstack.org
Subject: Re: [kolla][barbican] Secure password management in Kolla-Ansible using Castellan
Why not use Ansible-Vault to secure passwords?
On Thu, Jul 24, 2025 at 12:57 PM <elnazcloud@gmail.com> wrote:
Hi all,
I have deployed an OpenStack environment using Kolla Ansible. I'm looking for a way to avoid storing service passwords (e.g., database, keystone, etc.) in clear text inside the configuration files.
Is there any recommended method to integrate Barbican and Castellan so that services like Nova, Keystone, or Cinder can fetch secrets securely during runtime using oslo.config?
If not natively supported, are there best practices or known workarounds for achieving this securely in a Kolla-based deployment?
Thanks in advance!