Update Openstack credentials in Kubernetes


March 23, 2023

If you are deploying Kubernetes on top of Openstack, the Openstack External cloud provider stores the ID and Secret necessary to authenticate with the cloud infrastructure in a Secret.

Let’s see how to replece those credentials, for example if they expired.

First dump the base64 encoded secret to the terminal:

kubectl get secret -n kube-system external-openstack-cloud-config -o jsonpath='{.data}'

Then copy-paste just the encoded part:

echo xxxxxx | base64 –decode > cloud.conf

Now we can edit it to replace the credentials

Set the new OS_APPLICATION_CREDENTIAL_ID in application-credential-id and application-credential-name. Set the value of OS_APPLICATION_CREDENTIAL_SECRET in application-credential-secret.

Finally encode the content of the file again (-w0 gives the output in 1 line without wrapping):

cat cloud.conf | base64 -w0

and overwrite the cloud.conf value in the secret:

kubectl edit secret -n kube-system external-openstack-cloud-config

Now repeat the process with the cloud-config secret, which is used by Cinder CSI, you can copy the 3 relevant lines from the previous file.

Finally we need to restart the affected pods, however, to make it easier I just rebooted all the nodes via openstack server reboot.