Secret Containers

Overview

Containers group related secrets into a named bundle. The most common use case is bundling a TLS certificate, its private key, and the CA chain for use with the Load Balancer service. Containers reference secrets by UUID — they do not copy secret payloads.

Prerequisites

An active Xloud account with appropriate permissions
Access to the Xloud Dashboard (https://connect.<your-domain>) or CLI configured with credentials
API credentials sourced (source admin-openrc.sh)

Container Types

Container Type	Contents	Primary Use Case
`certificate`	Certificate + private key + intermediates + passphrase	TLS for Load Balancer HTTPS listeners
`rsa`	Public key + private key + passphrase	RSA key pair management
`generic`	Any secrets	API credentials, configuration bundles

Create a Certificate Container

Dashboard
CLI

Navigate to Containers

Navigate to Project → Key Manager → Containers. Click Create Container.

Select container type

Select certificate for TLS use cases. This type enforces the correct secret role assignments (certificate, private key, intermediates).

Assign secrets to container

For a certificate container, assign previously stored secrets:

Role	Secret	Requirement
Certificate	Stored certificate secret	Required
Private Key	Stored private key secret	Required
Intermediates	CA chain secret	Recommended
Private Key Passphrase	Passphrase if key is encrypted	Optional

Store the certificate, private key, and CA chain as separate secrets before creating the container — the container references secrets by UUID, it does not copy the data.

Create the container

Click Create Container. The container appears in the list with its UUID.

Container is ready to reference in Load Balancer HTTPS listener configuration.

Store certificate and key secrets first

Store TLS certificate

CERT_HREF=$(openstack secret store \
  --name app-tls-cert \
  --secret-type certificate \
  --payload-content-type "application/pkix-cert" \
  --payload-content-encoding base64 \
  --payload "$(base64 -w 0 certificate.pem)" \
  -f value -c Secret\ href)

Store private key

KEY_HREF=$(openstack secret store \
  --name app-tls-key \
  --secret-type private \
  --payload-content-type "application/pkcs8" \
  --payload-content-encoding base64 \
  --payload "$(base64 -w 0 private_key.pem)" \
  -f value -c Secret\ href)

Create the certificate container

Bundle into certificate container

openstack secret container create \
  --name app-tls-bundle \
  --type certificate \
  --secret "certificate=$CERT_HREF" \
  --secret "private_key=$KEY_HREF"

Container is ready to reference in Load Balancer HTTPS listener configuration.

Manage Containers

openstack secret container list

Deleting a container does not delete the secrets it references. The secrets remain in Key Manager and must be deleted separately if no longer needed.

Next Steps

Certificates

Store externally issued certificates or order new ones via a CA plugin

ACL

Control access to containers and the secrets they reference

Store Secrets

Create the individual secrets to populate containers

Troubleshooting

Resolve Load Balancer TLS container configuration issues

Core Services

Other Services

Secret Containers

Overview

Container Types

Create a Certificate Container

Navigate to Containers

Select container type

Assign secrets to container

Create the container

Store certificate and key secrets first

Create the certificate container

Manage Containers

Next Steps

Certificates

ACL

Store Secrets

Troubleshooting

Core Services

Other Services

​Overview

​Container Types

​Create a Certificate Container

Navigate to Containers

Select container type

Assign secrets to container

Create the container

Store certificate and key secrets first

Create the certificate container

​Manage Containers

​Next Steps

Certificates

ACL

Store Secrets

Troubleshooting

Overview

Container Types

Create a Certificate Container

Manage Containers

Next Steps