Parameters

The parent key for all of the following parameters is cloud_provider_openstack.

namespace

type

dictionary

default

See class/defaults.yml

Configures the namespace in which to deploy this component.

namespace.name

type

string

default

syn-cloud-provider-openstack

The namespace name.

namespace.labels

type

dictionary

default

{}

Labels applied to the namespace when the component owns it (i.e. namespace.name != kube-system). Entries with value null (or ~) are dropped, letting hierarchy overrides remove defaults set in a parent class.

Both the CCM DaemonSet (hostNetwork: true) and the CSI node plugin (privileged: true, SYS_ADMIN, hostPath volumes for kubelet/registration/socket dirs) require the privileged Pod Security Standard. On clusters that enforce Pod Security Standards, set pod-security.kubernetes.io/enforce: privileged here or label the namespace externally; otherwise the pods will be rejected by the admission webhook.

parameters:
  cloud_provider_openstack:
    namespace:
      labels:
        pod-security.kubernetes.io/enforce: privileged

namespace.annotations

type

dictionary

default

{}

Annotations applied to the namespace when the component owns it (i.e. namespace.name != kube-system). Entries with value null (or ~) are dropped.

charts

type

dictionary

default

See class/defaults.yml

Helm chart sources and versions for both the CCM and Cinder CSI charts.

images

type

dictionary

default

See class/defaults.yml

Container images for the CCM and Cinder CSI plugin. Each image is specified with separate registry, repository, and tag fields.

cloud_config_secret_name

type

string

default

cloud-config

Name of the Kubernetes Secret which holds the rendered cloud.conf. The component renders and manages this Secret itself; both charts' own Secret rendering is disabled via secret.create: false in ccm.helm_values and csi.helm_values.

cloud_conf

type

dictionary

default

See class/defaults.yml

Structured input for the rendered cloud.conf INI file. Each sub-section maps to an INI section. Both the CCM and CSI driver consume this shared Secret; empty sections are suppressed.

Keys inside every cloud_conf.* dictionary must use the same kebab-case names as the upstream cloud.conf format (e.g. auth-url, floating-network-id). The component passes keys through to the INI file as-is.

Render behavior:

  • null values are dropped (no line emitted).

  • Boolean values render as lowercase true/false.

  • List values render as multiple lines with the same key (used for multi-value keys such as public-network-name).

  • Empty sections are suppressed entirely.

Sensitive fields (passwords, application credential secrets, tokens) can be supplied as Vault references directly in cloud_conf.global:

parameters:
  cloud_provider_openstack:
    cloud_conf:
      global:
        auth-url: https://identity.api.example.cloud/v3
        application-credential-id: d1a2b3c4e5f6a7b8c9d0e1f2a3b4c5d6
        application-credential-secret: '?{vaultkv:${cluster:tenant}/${cluster:name}/openstack/application-credential-secret}'
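
A pre-commit style check for the rule above, written in Python as an added example (not part of the component): it walks a cloud_conf dictionary and reports sensitive keys whose value is not a Vault reference. The key-name heuristic (password, secret, token) and the function name plaintext_secrets are assumptions made for this illustration.

```python
import re

# Vault reference syntax as shown on this page: '?{vaultkv:<path>}'.
VAULT_REF = re.compile(r"^\?\{vaultkv:.+\}$")
# Assumption: a key is sensitive if its name contains one of these words.
SENSITIVE = re.compile(r"password|secret|token", re.IGNORECASE)


def plaintext_secrets(cloud_conf):
    """Return sorted paths of sensitive keys whose value is not a Vault reference."""
    findings = []

    def walk(path, node):
        for key, value in (node or {}).items():
            here = f"{path}.{key}"
            if isinstance(value, dict):
                walk(here, value)  # covers nested load_balancer_classes entries
            elif value is not None and SENSITIVE.search(key):
                values = value if isinstance(value, list) else [value]
                if not all(isinstance(v, str) and VAULT_REF.match(v) for v in values):
                    findings.append(here)

    walk("cloud_conf", cloud_conf)
    return sorted(findings)


# Constructed sample inputs: GOOD mirrors the example above, BAD uses a literal.
GOOD = {"global": {
    "auth-url": "https://identity.api.example.cloud/v3",
    "application-credential-id": "d1a2b3c4e5f6a7b8c9d0e1f2a3b4c5d6",
    "application-credential-secret":
        "?{vaultkv:${cluster:tenant}/${cluster:name}/openstack/application-credential-secret}",
}}
BAD = {"global": {"username": "ccm", "password": "constructed-plaintext-value"}}

if __name__ == "__main__":
    print(plaintext_secrets(GOOD), plaintext_secrets(BAD))
```

Run it against the uncompiled hierarchy files, where Vault references are still visible as references.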

cloud_conf.global

Maps to [Global]. Holds Keystone authentication endpoint, identifiers, and credentials. See the upstream CCM documentation for the full list of supported keys.

cloud_conf.networking

Maps to [Networking]. Controls how the CCM discovers node addresses. See the upstream CCM documentation for all supported keys.

Multi-value keys (e.g. public-network-name) are specified as lists:

parameters:
  cloud_provider_openstack:
    cloud_conf:
      networking:
        public-network-name:
          - public
          - public-v6
        internal-network-name:
          - internal

cloud_conf.load_balancer

Maps to [LoadBalancer]. Configures the Octavia integration used by the CCM service controller. See the upstream CCM documentation for all supported keys.

parameters:
  cloud_provider_openstack:
    cloud_conf:
      load_balancer:
        manage-security-groups: true
        lb-provider: ovn
        lb-method: SOURCE_IP_PORT
        floating-network-id: a1b2c3d4-e5f6-7890-abcd-ef1234567890

cloud_conf.load_balancer_classes

type

dictionary

default

{}

Maps to one [LoadBalancerClass "<name>"] INI section per dictionary key. Each value is itself a dictionary of kebab-case keys following the same rendering rules. See the upstream CCM documentation for supported keys per class.

The upstream Helm chart’s cloudConfig template helper does not support [LoadBalancerClass "<name>"] sub-sections. This component renders cloud.conf itself, so LoadBalancerClass definitions configured here work as documented by cloud-provider-openstack.

parameters:
  cloud_provider_openstack:
    cloud_conf:
      load_balancer_classes:
        public:
          floating-network-id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
        internal:
          subnet-id: b2c3d4e5-f6a7-8901-bcde-f12345678901

Renders to:

[LoadBalancerClass "public"]
floating-network-id=a1b2c3d4-e5f6-7890-abcd-ef1234567890

[LoadBalancerClass "internal"]
subnet-id=b2c3d4e5-f6a7-8901-bcde-f12345678901

To use a named class on a Service, set the loadbalancer.openstack.org/class annotation.
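
The render rules and the section mapping described above, as a Python sketch. This is an added illustration, not the component's own rendering code; the section order and the treatment of an all-null section as empty are assumptions.

```python
# Added illustration in Python; the component's own renderer is not shown on this page.
SECTIONS = {  # parameter key -> INI section, as documented above
    "global": "Global",
    "networking": "Networking",
    "load_balancer": "LoadBalancer",
    "block_storage": "BlockStorage",
    "metadata": "Metadata",
    "route": "Route",
}


def render_value(value):
    """Booleans render as lowercase true/false; other scalars are stringified."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def render_section(header, entries):
    """Return the lines of one INI section, or [] when nothing is left to emit."""
    lines = []
    for key, value in (entries or {}).items():
        if value is None:  # null values are dropped
            continue
        values = value if isinstance(value, list) else [value]
        lines += [f"{key}={render_value(v)}" for v in values]  # list -> repeated key
    # Assumption: a section whose entries were all null counts as empty.
    return [f"[{header}]", *lines] if lines else []


def render_cloud_conf(cloud_conf):
    """Render the structured cloud_conf dictionary to cloud.conf text."""
    blocks = [render_section(h, cloud_conf.get(p)) for p, h in SECTIONS.items()]
    classes = cloud_conf.get("load_balancer_classes") or {}
    blocks += [render_section(f'LoadBalancerClass "{n}"', e) for n, e in classes.items()]
    return "\n\n".join("\n".join(b) for b in blocks if b) + "\n"


# Constructed sample input built from values used in this page's examples.
SAMPLE = {
    "global": {"auth-url": "https://identity.api.example.cloud/v3", "region": None},
    "networking": {"public-network-name": ["public", "public-v6"]},
    "load_balancer": {"manage-security-groups": True},
    "metadata": {},
    "route": {"router-id": None},
    "load_balancer_classes": {
        "internal": {"subnet-id": "b2c3d4e5-f6a7-8901-bcde-f12345678901"},
    },
}
```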

cloud_conf.block_storage

Maps to [BlockStorage]. Consumed by the Cinder CSI driver. See the upstream CSI documentation for all supported keys.

parameters:
  cloud_provider_openstack:
    cloud_conf:
      block_storage:
        ignore-volume-az: true
        rescan-on-resize: true

cloud_conf.metadata

Maps to [Metadata]. Controls how the CCM and CSI driver retrieve instance metadata.

parameters:
  cloud_provider_openstack:
    cloud_conf:
      metadata:
        search-order: configDrive

cloud_conf.route

Maps to [Route]. Only needed when the route controller is enabled in ccm.enabled_controllers. See the upstream CCM documentation for details.

parameters:
  cloud_provider_openstack:
    cloud_conf:
      route:
        router-id: c3d4e5f6-a7b8-9012-cdef-123456789012

CCM parameters

Parameters under the ccm key configure the OpenStack Cloud Controller Manager.

ccm.enabled

type

boolean

default

true

When false, the CCM chart output is skipped entirely.

ccm.cluster_name

type

string

default

${cluster:name}

The cluster name passed to the CCM. OpenStack uses this value to tag resources (e.g. load balancers) so they can be cleaned up if the cluster is deleted.

ccm.service_account_name

type

string

default

cloud-controller-manager

Name of the Kubernetes ServiceAccount used by the CCM DaemonSet.

ccm.resources

type

dictionary

default

See class/defaults.yml

Resource requests and limits for the CCM container.

ccm.enabled_controllers

type

list

default

[cloud-node, cloud-node-lifecycle, service]

List of CCM sub-controllers to enable. The list is processed with com.renderArray(), so entries prefixed with ~ are removed.

parameters:
  cloud_provider_openstack:
    ccm:
      enabled_controllers:
        - ~service   # drop the service controller
        - route      # add the route controller

| Controller | Purpose | Default |
|---|---|---|
| cloud-node | Initializes nodes with OpenStack metadata (ProviderID, availability zone, addresses, instance type) | Enabled |
| cloud-node-lifecycle | Monitors whether the underlying OpenStack instance still exists; removes the Node if the VM is deleted | Enabled |
| service | Manages LoadBalancer-type Services via Octavia | Enabled |
| route | Manages pod network routes via a Neutron router. Requires router-id in cloud_conf.route. | Disabled |

ccm.log_verbosity_level

type

integer

default

2

Log verbosity level passed to the CCM via --v=.

ccm.node_selector

type

dictionary

default

{node-role.kubernetes.io/control-plane: ""}

Node selector for the CCM DaemonSet.

ccm.tolerations

type

dictionary

default

See class/defaults.yml

Tolerations for the CCM DaemonSet, keyed by toleration key. Defaults allow scheduling on control-plane nodes and on freshly-initialized nodes (node.cloudprovider.kubernetes.io/uninitialized). Set an entry to null (or ~) to drop it via hierarchy merge.

parameters:
  cloud_provider_openstack:
    ccm:
      tolerations:
        node-role.kubernetes.io/control-plane:
          effect: NoSchedule
        node.cloudprovider.kubernetes.io/uninitialized: ~

ccm.service_monitor

type

dictionary

default

enabled: false
additionalLabels: {}

Enables and configures a Prometheus Operator ServiceMonitor resource via the chart.

ccm.extra_volumes

type

list

default

[]

Extra volumes to attach to the CCM DaemonSet pod spec.

ccm.extra_volume_mounts

type

list

default

[]

Extra volume mounts for the CCM container, paired with ccm.extra_volumes.

Mounting a custom CA certificate

If the OpenStack API endpoint uses a custom CA, mount the certificate via ccm.extra_volumes / ccm.extra_volume_mounts and reference it from cloud_conf.global.ca-file:

parameters:
  cloud_provider_openstack:
    cloud_conf:
      global:
        ca-file: /etc/cacert/ca.crt
    ccm:
      extra_volumes:
        - name: ca-cert
          secret:
            secretName: openstack-ca-cert
      extra_volume_mounts:
        - name: ca-cert
          mountPath: /etc/cacert
          readOnly: true

ccm.helm_values

type

dictionary

default

See class/defaults.yml

Escape hatch for any upstream CCM chart value not promoted to a top-level parameter. See the upstream values.yaml for the full list.

The component sets secret.create: false and manages the cloud.conf Secret itself via cloud_conf. Do not re-enable secret.create.

CSI parameters

Parameters under the csi key configure the Cinder CSI driver.

csi.enabled

type

boolean

default

true

When false, the CSI chart output is skipped entirely.

csi.cluster_id

type

string

default

${cluster:name}

The cluster identifier passed to the CSI driver.

csi.fs_type

type

string

default

ext4

Default filesystem type for dynamically provisioned volumes. Set to null to omit fsType from StorageClass parameters.

csi.volume_binding_mode

type

string

default

WaitForFirstConsumer

The volumeBindingMode set on all StorageClasses created by this component.

csi.log_verbosity_level

type

integer

default

2

Log verbosity level for the CSI driver.

csi.pod_monitor

type

dictionary

default

enabled: false
additionalLabels: {}

Enables and configures a Prometheus Operator PodMonitor for the CSI driver.

csi.controller_plugin

type

dictionary

default

See class/defaults.yml

Scheduling config for the CSI controller plugin Deployment. node_selector and tolerations are maps keyed by selector/toleration key; entries can be disabled by setting their value to null.

csi.node_plugin

type

dictionary

default

See class/defaults.yml

Scheduling config for the CSI node plugin DaemonSet. tolerations is a map keyed by toleration key; an empty key ("") with operator: Exists tolerates all taints.

csi.resources

type

dictionary

default

See class/defaults.yml

Resource requests and limits for all CSI containers, organized by controller and node sub-keys.

csi.storage_classes

type

dictionary

default

{}

StorageClass definitions. No storage classes are created by default; users must define all classes explicitly.

The default StorageClass is managed cluster-wide via component-storageclass using parameters.storageclass.defaultClass.

Each entry is keyed by the StorageClass name and supports:

  • allow_volume_expansion (boolean, default true)

  • reclaim_policy (Delete or Retain, default Delete)

  • parameters (dictionary) — passed to the Cinder provisioner (e.g. type: standard)

  • allowed_topologies (list)

parameters:
  storageclass:
    defaultClass: standard-delete

  cloud_provider_openstack:
    csi:
      storage_classes:
        standard-delete:
          allow_volume_expansion: true
          reclaim_policy: Delete
          parameters:
            type: standard
        performance-retain:
          allow_volume_expansion: true
          reclaim_policy: Retain
          parameters:
            type: performance

csi.volume_snapshot_classes

type

dictionary

default

{}

VolumeSnapshotClass definitions.

Each entry supports:

  • deletion_policy (Delete or Retain) — required

  • parameters (dictionary, optional) — passed to the Cinder snapshotter

VolumeSnapshotClasses require the snapshot CRDs and snapshot-controller to be installed on the cluster.

Set force-create: "true" in parameters to allow snapshots of in-use (attached) volumes. Without this, Cinder rejects snapshots unless the volume is detached.

parameters:
  cloud_provider_openstack:
    csi:
      volume_snapshot_classes:
        cinder-snapshot:
          deletion_policy: Delete
          parameters:
            force-create: "true"

csi.helm_values

type

dictionary

default

See class/defaults.yml

Escape hatch for any upstream Cinder CSI chart value not promoted to a top-level parameter. See the upstream values.yaml for the full list.

Example

Realistic configuration using application credentials, Octavia with OVN, Cinder StorageClasses, and monitoring:

parameters:
  storageclass:
    defaultClass: standard-delete

  cloud_provider_openstack:
    cloud_conf:
      global:
        auth-url: https://identity.api.example.cloud/v3
        region: zhw
        application-credential-id: d1a2b3c4e5f6a7b8c9d0e1f2a3b4c5d6
        application-credential-secret: '?{vaultkv:${cluster:tenant}/${cluster:name}/openstack/application-credential-secret}'
      load_balancer:
        manage-security-groups: true
        lb-version: v2
        lb-provider: ovn
        lb-method: SOURCE_IP_PORT
        floating-network-id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
      block_storage:
        ignore-volume-az: false
        trust-device-path: false
        bs-version: auto
      metadata:
        search-order: configDrive

    ccm:
      service_monitor:
        enabled: true

    csi:
      storage_classes:
        standard-delete:
          reclaim_policy: Delete
          parameters:
            type: standard
        standard-retain:
          reclaim_policy: Retain
          parameters:
            type: standard
        performance-delete:
          reclaim_policy: Delete
          parameters:
            type: performance
      volume_snapshot_classes:
        cinder-snapshot:
          deletion_policy: Delete
          parameters:
            force-create: "true"
      pod_monitor:
        enabled: true