Distilled from the CI/Automation Integration Guide delivered at handover; that guide is authoritative if they ever disagree.
ALL automation authenticates as the -svc account's application credential ({{TENANT_SHORT_NAME}}-svc-cred). Never a password. Why:
-svc rights. It cannot touch identity, quotas, or anything outside your domain -- a leaked pipeline credential is contained by design.Platform-enforced corollaries (expected refusals, not bugs): the application credential cannot create/delete Kubernetes clusters (see references/kubernetes.md), cannot create users or grant roles, and cannot change quotas.
The credential's id and secret live in your CI system's native secret store (Jenkins credentials, GitLab CI variables, GitHub Actions secrets), injected into jobs as environment variables. Never:
When asked to verify a credential, check length/format in a script; never print the value.
clouds.yaml and OS_* environment-variable forms are in SKILL.md; the same values work for Terraform/OpenTofu's OpenStack provider, Ansible's openstack.cloud collection, and the OpenStack SDK. In a pipeline step:
export OS_CLOUD={{TENANT_SHORT_NAME}}
openstack token issue # smoke test: token scoped to your project
The delivered starter script bash scripts/smoke-test.sh wraps the full smoke test (token, catalog, quota headroom) as one pipeline-ready step.
Never hardcode service endpoints; authenticate against {{AUTH_URL}} and let the client discover the rest from the catalog. Always ship the delivered CA bundle to the job environment and point cacert / OS_CACERT at it.
Use the handover credential only as the "root" automation credential. Sign in as {{TENANT_SHORT_NAME}}-svc (password, interactively -- not from CI) and mint a narrower credential per pipeline:
openstack application credential create pipeline-nightly \ --role member --expiration <YYYY-MM-DDTHH:MM:SS>
One credential per pipeline means you can revoke one without stopping the others, and the audit trail says which pipeline did what. Revocation is immediate and self-service:
openstack application credential delete pipeline-nightly
Rotate by creating the new credential first, cutting the pipeline over, then deleting the old one.
The same order the Acceptance Checklist proves at onboarding. Name everything with your build id (e.g. ci-<build>-web).
openstack token issue, then openstack catalog list.provider-ext, attach subnet -- or reuse the handover network for simple runs.in-use, detach.provider-ext, attach, verify reachability.list commands that nothing is left.Command sequences for each step are in references/day2-operations.md. Keep a trimmed version of the sequence as the pipeline's recurring smoke test.
openstack limits show --absolute in long pipelines is cheap insurance.--wait.ci-* resources older than your longest pipeline is the cheapest way to keep quota headroom. Floating IPs count against quota even when detached -- release them. The delivered starter script bash scripts/ci-cleanup-sweep.sh reports leftovers and detached floating IPs (dry-run by default -- it deletes nothing unless you pass --apply); schedule the dry-run and act on its report, or schedule --apply once you trust the prefix filter.Triage in order -- see references/troubleshooting.md. Short form: token first, quota second, boundary third, verbatim error to {{ACCOUNT_CONTACT}} last.