Current OpenStack services require plaintext passwords and credentials for various kinds of access, e.g. database, keystoneauth, etc. Even with proper file permissions set on these configuration files, they are often sent by email during troubleshooting sessions without the passwords properly redacted. Also, the ability to change passwords across multiple nodes relies heavily on the deployment tool of choice (Ansible, Fuel, etc.). This talk discusses a proof of concept, currently in the works, that leverages the Barbican key-management service to mitigate these two problems and handle configuration management.
It also presents some of the results from the proofs of concept conducted internally and discusses additional improvements in this space.