apiVersion: batch/v1 kind: CronJob metadata: annotations: meta.helm.sh/release-name: keystone meta.helm.sh/release-namespace: openstack openstackhelm.openstack.org/release_uuid: "" creationTimestamp: "2026-03-13T23:12:39Z" generation: 1 labels: app.kubernetes.io/managed-by: Helm name: keystone-credential-rotate namespace: openstack resourceVersion: "5288" uid: 59aa74b6-8984-43be-b9b9-2aa5179a53d2 spec: concurrencyPolicy: Forbid failedJobsHistoryLimit: 1 jobTemplate: metadata: creationTimestamp: null labels: application: keystone component: credential-rotate release_group: keystone spec: template: metadata: creationTimestamp: null labels: application: keystone component: credential-rotate release_group: keystone spec: containers: - command: - python - /tmp/fernet-manage.py - credential_rotate env: - name: KEYSTONE_USER value: keystone - name: KEYSTONE_GROUP value: keystone - name: KUBERNETES_NAMESPACE value: openstack - name: KEYSTONE_KEYS_REPOSITORY value: /etc/keystone/credential-keys/ - name: KEYSTONE_CREDENTIAL_MIGRATE_WAIT value: "120" image: harbor.atmosphere.dev/ghcr.io/vexxhost/keystone:2023.2@sha256:eb86ead217c544f44554f2144dac61db3fff2270c48e8f79cd31b54b58cf1289 imagePullPolicy: IfNotPresent name: keystone-credential-rotate resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /tmp name: pod-tmp - mountPath: /etc/keystone name: etckeystone - mountPath: /etc/keystone/keystone.conf name: keystone-etc readOnly: true subPath: keystone.conf - mountPath: /tmp/fernet-manage.py name: keystone-bin readOnly: true subPath: fernet-manage.py dnsPolicy: ClusterFirst initContainers: - command: - kubernetes-entrypoint env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: INTERFACE_NAME value: eth0 - name: PATH value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/ - name: DEPENDENCY_SERVICE - name: DEPENDENCY_JOBS value: keystone-credential-setup - name: DEPENDENCY_DAEMONSET - name: DEPENDENCY_CONTAINER - name: DEPENDENCY_POD_JSON - name: DEPENDENCY_CUSTOM_RESOURCE image: harbor.atmosphere.dev/ghcr.io/vexxhost/kubernetes-entrypoint:edge@sha256:8921b64b87af184a1421dd856b2703bcf3cff9f50863cd0d18371cf964a87bd3 imagePullPolicy: IfNotPresent name: init resources: {} securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsUser: 65534 terminationMessagePath: /dev/termination-log terminationMessagePolicy: File nodeSelector: openstack-control-plane: enabled restartPolicy: OnFailure schedulerName: default-scheduler securityContext: {} serviceAccount: keystone-credential-rotate serviceAccountName: keystone-credential-rotate terminationGracePeriodSeconds: 30 volumes: - emptyDir: {} name: pod-tmp - emptyDir: {} name: etckeystone - name: keystone-etc secret: defaultMode: 292 secretName: keystone-etc - configMap: defaultMode: 365 name: keystone-bin name: keystone-bin schedule: 0 0 1 * * successfulJobsHistoryLimit: 3 suspend: false status: {}