Epic
Resolution: Won't Do
Major
replace passwords with application credentials for all openstack services
OpenStack has supported using Keystone application credentials in OpenStack service config for many years. As an operator I would like to replace the usage of usernames and passwords for service authentication with application credentials so that they can easily be revoked and rotated without service interruption.
Using passwords today, it is not currently possible to rotate the password without service downtime, as you cannot have two passwords active for a given user/project at the same time. That means that when passwords are rotated there is an interval of time when the OpenStack services are not able to connect (after the password has been updated in Keystone but before the config has been updated).
By using application credentials instead, a new application credential can be issued for the same user/service before the old one expires. This will enable rolling updates of service passwords.
The exception to this is RabbitMQ and MySQL, which do not support Keystone auth.
As such they will still need to rely on usernames and passwords; however, this can be implemented for all OpenStack services.
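
The change described above, as an added illustration that is not part of the original ticket or any project's shipped configuration: a service's `[keystone_authtoken]` section using password auth, next to the application-credential equivalent. The section chosen, the auth URL, the `nova` user name and every credential value are assumed placeholders.

```ini
# --- Before: password auth (assumed example values) ---
# Only one password can be active for the user, so changing it in
# Keystone breaks every service still holding the old value.
[keystone_authtoken]
auth_type = password
auth_url = https://keystone.example.test:5000/v3
username = nova
password = <SERVICE_PASSWORD_PLACEHOLDER>
user_domain_name = Default
project_name = service
project_domain_name = Default

# --- After: application credential auth (assumed example values) ---
# Use this section in place of the one above, not alongside it.
# The credential is already bound to one user and project, so no
# username, password or project options are set here.
[keystone_authtoken]
auth_type = v3applicationcredential
auth_url = https://keystone.example.test:5000/v3
application_credential_id = <APP_CRED_ID_PLACEHOLDER>
application_credential_secret = <APP_CRED_SECRET_PLACEHOLDER>

# Rolling rotation, in the order the ticket describes:
#   1. Create a second application credential for the same service user
#      while the current one is still valid
#      (openstack application credential create ...).
#   2. Roll the new id/secret out to each service and restart it; hosts
#      that have not been updated yet keep authenticating with the old
#      credential.
#   3. Once no host uses the old credential, delete it
#      (openstack application credential delete ...), or let its
#      expiry pass.
```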
- is related to: OSPRH-92 As a cloud operator, there should be the ability to rotate database passwords
- Verified