Thank you for your response! I'm aware of Ansible Vault and currently use it to protect secrets at rest during deployment. However, my goal is to also avoid having the passwords appear in clear text within the final configuration files on the deployed nodes. I'm specifically looking for a runtime secret management solution, ideally integrating Barbican (via Castellan) with oslo.config, so that services like Keystone, Nova, and Cinder can fetch secrets securely at runtime, instead of reading them from plaintext config files. Does OpenStack currently support such integration in a production-ready way, particularly in Kolla-based deployments? If not, are there any best practices or patterns to follow for achieving this? Thanks again for your guidance.