On 2025-07-29 07:20:39 -0000 (-0000), elnazcloud@gmail.com wrote: [...]
However, our concern is that—even though the secrets are encrypted at deployment time—they still end up as plaintext in the final config files inside the containers (e.g., nova.conf). [...]
I think oslo.config's remote_file driver was intended for this:

https://docs.openstack.org/oslo.config/latest/configuration/options.html

Of course you still need the backend securely configured with per-service client certs authorized for the specific blobs, and this only works for services relying on oslo.config.

I'm not sure if there's a documented walkthrough for this sort of deployment, nor whether Kolla has any integrated support for setting it up. I've added ops and security-sig to the list of subject tags in case it bubbles this up to the attention of anyone in those circles who knows the answer.

--
Jeremy Stanley
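
The kind of setup the reply above refers to, as an added example that is not part of the original message and is not taken from Kolla or a documented deployment. The option names (`config_source`, `driver`, `uri`, `ca_path`, `client_cert`, `client_key`) are those of oslo.config's remote_file driver; the group name `secrets`, the host name, the file paths and the values are placeholders constructed for illustration.

```ini
# --- /etc/nova/nova.conf inside the container (no secrets in this file) ---
[DEFAULT]
# Name of the group below that describes an external configuration source.
config_source = secrets

[secrets]
driver = remote_file
# Placeholder URL: an HTTPS endpoint serving an INI-format blob for this
# one service only.
uri = https://config.example.internal/blobs/nova-compute.conf
# CA bundle used to verify the backend's server certificate.
ca_path = /etc/nova/tls/backend-ca.pem
# Per-service client certificate and key. The backend must authorize this
# identity for the nova-compute blob and nothing else.
client_cert = /etc/nova/tls/nova-compute.crt
client_key = /etc/nova/tls/nova-compute.key

[database]
# "connection" is intentionally absent here; it is supplied by the blob.

# --- Blob served by the backend at the uri above (constructed sample) ---
# [database]
# connection = mysql+pymysql://nova:<PASSWORD>@db.example.internal/nova
#
# [keystone_authtoken]
# password = <PASSWORD>
```

The client key still lives on disk in the container, so its file permissions and the backend's per-certificate authorization are what limit exposure to a single service's blob.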