Hi all,
I have deployed OpenStack using Kolla Ansible.
By default, service passwords (e.g., for MySQL, Keystone, etc.) are stored in clear text inside configuration files rendered by Kolla (such as nova.conf, keystone.conf, etc.). I'm looking for a more secure approach to avoid exposing these secrets.
Specifically, is there a way to integrate Barbican and Castellan with Kolla-based deployments, so that secrets can be securely loaded at runtime using oslo.config (e.g., using {{ secret:UUID }})?
If this is not natively supported, are there any best practices or workarounds for handling this securely?
Thanks in advance for any guidance.
Best,
[Your Name]
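
An added example, not part of the original post and not Kolla code: a small audit that lists which options in a rendered oslo.config-style file (nova.conf, keystone.conf, etc.) still hold clear-text credentials, reporting only the section and option name, never the value. The function name and the sample file contents are constructed for illustration.

```python
import configparser
import re

# Option names that normally carry a secret in oslo.config-style files.
SECRET_OPTION = re.compile(r"password|secret|passphrase", re.IGNORECASE)
# user:password@ embedded in a URL (database connection, transport_url, ...).
URL_CREDENTIALS = re.compile(r"://[^/\s:@]+:[^/\s@]+@")

# Constructed sample resembling a rendered nova.conf; all values are made up.
SAMPLE_NOVA_CONF = """\
[DEFAULT]
debug = False
transport_url = rabbit://openstack:CONSTRUCTED_rabbit_pw@10.0.0.10:5672//

[database]
connection = mysql+pymysql://nova:CONSTRUCTED_db_pw@10.0.0.10:3306/nova
max_retries = -1

[keystone_authtoken]
auth_url = http://10.0.0.10:5000
username = nova
password = CONSTRUCTED_keystone_pw
"""


def find_cleartext_secrets(text):
    """Return (section, option, kind) for every option holding a credential."""
    # Rename configparser's default section so [DEFAULT] is read as an ordinary
    # section and its options are not repeated under every other section.
    parser = configparser.RawConfigParser(default_section="<none>", strict=False)
    parser.optionxform = str  # keep option names case-sensitive
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        for option, value in parser.items(section):
            if not value:
                continue
            if SECRET_OPTION.search(option):
                findings.append((section, option, "literal secret"))
            elif URL_CREDENTIALS.search(value):
                findings.append((section, option, "credentials in URL"))
    return findings


if __name__ == "__main__":
    for section, option, kind in find_cleartext_secrets(SAMPLE_NOVA_CONF):
        print(f"[{section}] {option}: {kind}")
```
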