diff --git a/docs/infrastructure-mariadb.md b/docs/infrastructure-mariadb.md index 45faa2d4..1274128f 100644 --- a/docs/infrastructure-mariadb.md +++ b/docs/infrastructure-mariadb.md @@ -1,22 +1,5 @@ # Deploy the MariaDB Operator and a Galera Cluster -## Create secret - -``` shell -# MariaDB -kubectl --namespace openstack \ - create secret generic mariadb \ - --type Opaque \ - --from-literal=root-password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" - -# MaxScale -kubectl --namespace openstack \ - create secret generic maxscale \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -``` - ## Deploy the mariadb operator ``` shell 
@@ -37,6 +20,82 @@ kubectl --namespace mariadb-system get pods -w ## Deploy the MariaDB Cluster +## Pre-requsites + +- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/) +- User has access to `osh/mariadb/` path in the Vault + +## Create secrets in the vault: + +### Login to the vault: + +``` shell +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=mariadb +``` + +### List the existing secrets from `osh/mariadb/`: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/mariadb +``` + +### Create the secrets + +- Mariadb root-password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/mariadb mariadb root-password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- MaxScale password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/mariadb maxscale password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/mariadb +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/mariadb mariadb +``` + +## Install mariadb cluster + +- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: + +``` shell +kubectl get secret vault-ca-secret -o yaml -n openstack +``` + +- If it is absent, create one using the following command: + +``` shell +kubectl create secret generic vault-ca-secret \ + --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \ + -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack +``` + +- Deploy the necessary Vault resources to create Kubernetes secrets required by the mariadb installation: + +``` shell +kubectl apply -k 
/opt/genestack/kustomize/mariadb-cluster/base/vault +``` + +- Validate whether the required Kubernetes secrets from Vault are populated: + +``` shell +kubectl get secrets -n openstack +``` + +### Deploy mariadb-cluster + ``` shell kubectl --namespace openstack apply -k /opt/genestack/kustomize/mariadb-cluster/base ``` diff --git a/docs/infrastructure-postgresql.md b/docs/infrastructure-postgresql.md index 23536cf9..8804764c 100644 --- a/docs/infrastructure-postgresql.md +++ b/docs/infrastructure-postgresql.md 
@@ -1,23 +1,94 @@ # Deploy PostgreSQL -## Create Secrets +## Pre-requsites + +- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/) +- User has access to `osh/postgresql/` path in the Vault + +## Create secrets in the vault: + +### Login to the vault: + +``` shell +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=postgresql +``` + +### List the existing secrets from `osh/postgresql/`: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/postgresql +``` + +### Create the secrets + +- Postgresql-identity-admin: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/postgresql postgresql-identity-admin password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Postgresql-db-admin: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/postgresql postgresql-db-admin password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Postgresql-db-exporter: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/postgresql postgresql-db-exporter password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Postgresql-db-audit: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/postgresql postgresql-db-audit password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/postgresql +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/postgresql postgresql-identity-admin +``` + +## Install PostgreSQL + +- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: + +``` shell +kubectl get 
secret vault-ca-secret -o yaml -n openstack +``` + +- If it is absent, create one using the following command: + +``` shell +kubectl create secret generic vault-ca-secret \ + --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \ + -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack +``` + +- Deploy the necessary Vault resources to create Kubernetes secrets required by the postgresql installation: + +``` shell +kubectl apply -k /opt/genestack/kustomize/postgresql/base/vault +``` + +- Validate whether the required Kubernetes secrets from Vault are populated: ``` shell -kubectl --namespace openstack create secret generic postgresql-identity-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack create secret generic postgresql-db-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack create secret generic postgresql-db-exporter \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack create secret generic postgresql-db-audit \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +kubectl get secrets -n openstack ``` -## Run the package deployment +### Deploy PostgreSQL !!! tip diff --git a/docs/openstack-ceilometer.md b/docs/openstack-ceilometer.md index 9d67fb4f..2ee3c7f9 100644 --- a/docs/openstack-ceilometer.md +++ b/docs/openstack-ceilometer.md 
@@ -1,20 +1,89 @@ # Deploy Ceilometer -## Create Secrets +## Pre-requsites + +- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/) +- User has access to `osh/ceilometer/` path in the Vault + +## Create secrets in the vault + +### Login to the vault + +``` shell +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=ceilometer +``` + +### List the existing secrets from `osh/ceilometer/`: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/ceilometer +``` + +### Create the secrets + +- Ceilometer-keystone-admin-password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put osh/ceilometer/ceilometer-keystone-admin-password password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Ceilometer-keystone-test-password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/ceilometer ceilometer-keystone-test-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Ceilometer-rabbitmq-password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/ceilometer ceilometer-rabbitmq-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/ceilometer +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/ceilometer ceilometer-keystone-admin-password +``` + +## Install Ceilometer + +- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: + +```shell +kubectl get secret vault-ca-secret -o yaml -n openstack +``` + +- If it is absent, create one using the following command: + +``` shell +kubectl create secret generic 
vault-ca-secret \ + --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \ + -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack +``` + +- Deploy the necessary Vault resources to create Kubernetes secrets required by the Ceilometer installation: + +``` shell +kubectl apply -k /opt/genestack/kustomize/ceilometer/base/vault/ +``` + +- Validate whether the required Kubernetes secrets from Vault are populated: ``` shell -kubectl --namespace openstack create secret generic ceilometer-keystone-admin-password \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack create secret generic ceilometer-keystone-test-password \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack create secret generic ceilometer-rabbitmq-password \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +kubectl get secrets -n openstack ``` -## Run the package deployment +### Deploy Ceilometer helm chart ``` shell cd /opt/genestack/submodules/openstack-helm diff --git a/docs/openstack-cinder.md b/docs/openstack-cinder.md index 72fc3f26..ee95c771 100644 --- a/docs/openstack-cinder.md +++ b/docs/openstack-cinder.md 
@@ -2,25 +2,94 @@ [![asciicast](https://asciinema.org/a/629808.svg)](https://asciinema.org/a/629808) -## Create secrets +## Pre-requsites + +- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/) +- User has access to `osh/cinder/` path in the Vault + +## Create secrets in the vault + +### Login to the vault + +``` shell +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=cinder +``` + +### List the existing secrets from `osh/cinder/` + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/cinder +``` + +### Create the secrets + +- Cinder RabbitMQ Username and Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put osh/cinder/cinder-rabbitmq-password username=cinder + +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv patch -mount=osh/cinder cinder-rabbitmq-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) +``` + +- Cinder Database Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/cinder cinder-db-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) +``` + +- Cinder Admin Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/cinder cinder-admin \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) +``` + +### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/cinder +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/cinder cinder-admin +``` + +## Install Cinder + +- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: + +```shell +kubectl get secret vault-ca-secret -o yaml -n openstack +``` + +- If it is absent, create 
one using the following command: + +``` shell +kubectl create secret generic vault-ca-secret \ + --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \ + -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack +``` + +- Deploy the necessary Vault resources to create Kubernetes secrets required by the Cinder installation: + +``` shell +kubectl apply -k /opt/genestack/kustomize/cinder/base/vault/ +``` + +- Validate whether the required Kubernetes secrets from Vault are populated: ``` shell -kubectl --namespace openstack \ - create secret generic cinder-rabbitmq-password \ - --type Opaque \ - --from-literal=username="cinder" \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)" -kubectl --namespace openstack \ - create secret generic cinder-db-password \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack \ - create secret generic cinder-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +kubectl get secrets -n openstack ``` -## Run the package deployment +### Deploy Cinder helm chart ``` shell cd /opt/genestack/submodules/openstack-helm diff --git a/docs/openstack-compute-kit.md b/docs/openstack-compute-kit.md index 3e33cd95..e9d6a860 100644 --- a/docs/openstack-compute-kit.md +++ b/docs/openstack-compute-kit.md 
@@ -2,81 +2,284 @@ [![asciicast](https://asciinema.org/a/629813.svg)](https://asciinema.org/a/629813) +## Pre-requsites + +- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/) +- User has access to following paths in the Vault: + - `osh/nova/` + - `osh/ironic/` + - `osh/designate/` + - `osh/neutron/` + ## Creating the Compute Kit Secrets Part of running Nova is also running placement. Setup all credentials now so we can use them across the nova and placement services. +### Create the secrets - Placement + +- Login to the vault: + +``` shell +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=nova +``` + +- List the existing secrets from `osh/placement/`: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/placement +``` + +- Placement Database Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/placement placement-db-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Placement Admin Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/placement placement-admin \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +#### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/placement +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/placement placement-admin +``` + +### Create the secrets - Nova + +- List the existing secrets from `osh/nova/`: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/nova +``` + +- Metadata-shared-secret Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/nova metadata-shared-secret \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head 
-c${1:-32};echo;) +``` + +- Nova Database Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/nova nova-db-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Nova Admin Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/nova nova-admin \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Nova RabbitMQ Username and Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put osh/nova/nova-rabbitmq-password username=nova + +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv patch -mount=osh/nova nova-rabbitmq-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) +``` + +#### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/nova +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/nova nova-admin +``` + +### Create the secrets - Ironic(NOT IMPLEMENTED YET) + +- Login to the vault: + +``` shell +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=ironic +``` + +- List the existing secrets from `osh/ironic/`: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/ironic +``` + +- Ironic Admin Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/ironic ironic-admin \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +#### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/ironic +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/ironic ironic-admin +``` + +### Create the secrets - Designate(NOT IMPLEMENTED YET) + +- Login to the vault: + +``` shell +kubectl exec -it 
vault-0 -n vault -- \ + vault login -method userpass username=designate +``` + +- List the existing secrets from `osh/designate/`: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/designate +``` + +- Designate Admin Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/designate designate-admin \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +#### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/designate +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/designate designate-admin +``` + +### Create the secrets - Neutron + +- Login to the vault: + +``` shell +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=neutron +``` + +- List the existing secrets from `osh/neutron/`: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/neutron +``` + +- Neutron Database Password: + ``` shell -# Shared -kubectl --namespace openstack \ - create secret generic metadata-shared-secret \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/neutron neutron-db-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) ``` +- Neutron Admin Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/neutron neutron-admin \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Neutron RabbitMQ Username and Password: + ``` shell -# Placement -kubectl --namespace openstack \ - create secret generic placement-db-password \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack \ - 
create secret generic placement-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put osh/neutron/neutron-rabbitmq-password username=neutron + +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv patch -mount=osh/neutron neutron-rabbitmq-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) ``` +#### Validate the secrets + ``` shell -# Nova -kubectl --namespace openstack \ - create secret generic nova-db-password \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack \ - create secret generic nova-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack \ - create secret generic nova-rabbitmq-password \ - --type Opaque \ - --from-literal=username="nova" \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)" +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/neutron +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/neutron neutron-admin +``` + +## Deploy vault-secret-operator resources + +- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: + +```shell +kubectl get secret vault-ca-secret -o yaml -n openstack ``` +- If it is absent, create one using the following command: + ``` shell -# Ironic (NOT IMPLEMENTED YET) -kubectl --namespace openstack \ - create secret generic ironic-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +kubectl create secret generic vault-ca-secret \ + --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \ + -o jsonpath='{.data.ca\.crt}' -n vault | base64 
-d -)" -n openstack ``` +- Deploy the necessary Vault resources to create Kubernetes secrets required by the placement installation: + ``` shell -# Designate (NOT IMPLEMENTED YET) -kubectl --namespace openstack \ - create secret generic designate-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +kubectl apply -k /opt/genestack/kustomize/placement/base/vault/ ``` +- Deploy the necessary Vault resources to create Kubernetes secrets required by the nova installation: + ``` shell -# Neutron -kubectl --namespace openstack \ - create secret generic neutron-rabbitmq-password \ - --type Opaque \ - --from-literal=username="neutron" \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)" -kubectl --namespace openstack \ - create secret generic neutron-db-password \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack \ - create secret generic neutron-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +kubectl apply -k /opt/genestack/kustomize/nova/base/vault/ ``` -## Deploy Placement +- Deploy the necessary Vault resources to create Kubernetes secrets required by the ironic installation: + +``` shell +kubectl apply -k /opt/genestack/kustomize/ironic/base/vault/ +``` + +- Deploy the necessary Vault resources to create Kubernetes secrets required by the designate installation: + +``` shell +kubectl apply -k /opt/genestack/kustomize/designate/base/vault/ +``` + +- Deploy the necessary Vault resources to create Kubernetes secrets required by the neutron installation: + +``` shell +kubectl apply -k /opt/genestack/kustomize/neutron/base/vault/ +``` + +- Validate whether the required Kubernetes secrets from Vault are populated: + +``` shell +kubectl get secrets -n openstack +``` + +## Deploy Placement helm chart ``` shell cd 
/opt/genestack/submodules/openstack-helm @@ -94,7 +297,7 @@ helm upgrade --install placement ./placement --namespace=openstack \ --post-renderer-args placement/base ``` -## Deploy Nova +## Deploy Nova helm chart ``` shell cd /opt/genestack/submodules/openstack-helm @@ -140,7 +343,8 @@ If running in an environment that doesn't have hardware virtualization extension In a production like environment you may need to include production specific files like the example variable file found in `helm-configs/prod-example-openstack-overrides.yaml`. -## Deploy Neutron + +## Deploy Neutron helm chart ``` shell cd /opt/genestack/submodules/openstack-helm diff --git a/docs/openstack-glance.md b/docs/openstack-glance.md index 63e2aaac..e0c15f24 100644 --- a/docs/openstack-glance.md +++ b/docs/openstack-glance.md 
@@ -2,29 +2,98 @@ [![asciicast](https://asciinema.org/a/629806.svg)](https://asciinema.org/a/629806) -## Create secrets. +## Pre-requsites + +- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/) +- User has access to `osh/glance/` path in the Vault + +## Create secrets in the vault + +### Login to the vault + +``` shell +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=glance +``` + +### List the existing secrets from `osh/glance/` + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/glance +``` + +### Create the secrets + +- Glance RabbitMQ Username and Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put osh/glance/glance-rabbitmq-password username=glance + +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv patch -mount=osh/glance glance-rabbitmq-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) +``` + +- Glance Database Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/glance glance-db-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) +``` + +- Glance Admin Password: ``` shell -kubectl --namespace openstack \ - create secret generic glance-rabbitmq-password \ - --type Opaque \ - --from-literal=username="glance" \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)" -kubectl --namespace openstack \ - create secret generic glance-db-password \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack \ - create secret generic glance-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put 
-mount=osh/glance glance-admin \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) +``` + +### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/glance +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/glance glance-admin ``` !!! info Before running the Glance deployment you should configure the backend which is defined in the `helm-configs/glance/glance-helm-overrides.yaml` file. The default is a making the assumption we're running with Ceph deployed by Rook so the backend is configured to be cephfs with multi-attach functionality. While this works great, you should consider all of the available storage backends and make the right decision for your environment. -## Run the package deployment +## Install Glance + +- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: + +```shell +kubectl get secret vault-ca-secret -o yaml -n openstack +``` + +- If it is absent, create one using the following command: + +``` shell +kubectl create secret generic vault-ca-secret \ + --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \ + -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack +``` + +- Deploy the necessary Vault resources to create Kubernetes secrets required by the Glance installation: + +``` shell +kubectl apply -k /opt/genestack/kustomize/glance/base/vault/ +``` + +- Validate whether the required Kubernetes secrets from Vault are populated: + +``` shell +kubectl get secrets -n openstack +``` + +### Deploy Glance helm chart ``` shell cd /opt/genestack/submodules/openstack-helm diff --git a/docs/openstack-gnocchi.md b/docs/openstack-gnocchi.md index 3961d0ee..3efee557 100644 --- a/docs/openstack-gnocchi.md +++ b/docs/openstack-gnocchi.md 
@@ -1,20 +1,90 @@ # Deploy Gnocchi -## Create Secrets +## Pre-requsites + +- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/) +- User has access to `osh/gnocchi/` path in the Vault + +## Create secrets in the vault + +### Login to the vault + +``` shell +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=gnocchi +``` + +### List the existing secrets from `osh/gnocchi/`: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/gnocchi +``` + +### Create the secrets + +- Gnocchi Database Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/gnocchi gnocchi-db-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Gnocchi Admin Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/gnocchi gnocchi-admin \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Gnocchi-pgsql Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/gnocchi gnocchi-pgsql-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/ghocchi +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/ghocchi gnocchi-admin +``` + +## Install Gnocchi + +- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: + +```shell +kubectl get secret vault-ca-secret -o yaml -n openstack +``` + +- If it is absent, create one using the following command: + +``` shell +kubectl create secret generic vault-ca-secret \ + --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \ + -o jsonpath='{.data.ca\.crt}' -n 
vault | base64 -d -)" -n openstack +``` + +- Deploy the necessary Vault resources to create Kubernetes secrets required by the Gnocchi installation: + +``` shell +kubectl apply -k /opt/genestack/kustomize/gnocchi/base/vault/ +``` + +- Validate whether the required Kubernetes secrets from Vault are populated: ``` shell -kubectl --namespace openstack create secret generic gnocchi-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack create secret generic gnocchi-db-password \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack create secret generic gnocchi-pgsql-password \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +kubectl get secrets -n openstack ``` -## Create ceph-etc configmap +### Create ceph-etc configmap While the below example should work fine for most environments, depending on the use case it may be necessary to provide additional client configuration @@ -38,7 +108,7 @@ data: EOF ``` -## Verify the ceph-etc configmap is sane +### Verify the ceph-etc configmap is sane Below is an example of what you're looking for to verify the configmap was created as expected - a CSV of the mon hosts, colon seperated with default @@ -50,7 +120,7 @@ mon port, 6789. mon_host = 172.31.3.7:6789,172.31.1.112:6789,172.31.0.46:6789 ``` -## Run the package deployment +### Deploy Gnocchi helm chart ``` shell cd /opt/genestack/submodules/openstack-helm-infra diff --git a/docs/openstack-heat.md b/docs/openstack-heat.md index 9578cddc..85e96521 100644 --- a/docs/openstack-heat.md +++ b/docs/openstack-heat.md 
@@ -2,33 +2,110 @@ [![asciicast](https://asciinema.org/a/629807.svg)](https://asciinema.org/a/629807) -## Create secrets - -``` shell -kubectl --namespace openstack \ - create secret generic heat-rabbitmq-password \ - --type Opaque \ - --from-literal=username="heat" \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)" -kubectl --namespace openstack \ - create secret generic heat-db-password \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack \ - create secret generic heat-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack \ - create secret generic heat-trustee \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack \ - create secret generic heat-stack-user \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -``` - -## Run the package deployment +## Pre-requsites + +- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/) +- User has access to `osh/heat/` path in the Vault + +## Create secrets in the vault + +### Login to the vault + +``` shell +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=heat +``` + +### List the existing secrets from `osh/heat/` + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/heat +``` + +### Create the secrets + +- Heat RabbitMQ Username and Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put osh/heat/heat-rabbitmq-password username=heat + +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv patch -mount=osh/heat heat-rabbitmq-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head 
-c${1:-64};echo;) +``` + +- Heat Database Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/heat heat-db-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Heat Admin Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/heat heat-admin \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Heat Trustee Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/heat heat-trustee \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Heat Stack User Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/heat heat-stack-user \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/heat +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/heat heat-admin +``` + +## Install Heat + +- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: + +```shell +kubectl get secret vault-ca-secret -o yaml -n openstack +``` + +- If it is absent, create one using the following command: + +``` shell +kubectl create secret generic vault-ca-secret \ + --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \ + -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack +``` + +- Deploy the necessary Vault resources to create Kubernetes secrets required by the Heat installation: + +``` shell +kubectl apply -k /opt/genestack/kustomize/heat/base/vault/ +``` + +- Validate whether the required Kubernetes secrets from Vault are populated: + +``` shell +kubectl get secrets -n openstack +``` + +### Deploy Heat helm chart ``` shell cd 
/opt/genestack/submodules/openstack-helm diff --git a/docs/openstack-horizon.md b/docs/openstack-horizon.md index 6672744c..4156c5e0 100644 --- a/docs/openstack-horizon.md +++ b/docs/openstack-horizon.md 
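Review bot: Every `vault kv put`/`kv patch` in the `Create the secrets` section passes the freshly generated password to `kubectl exec` as a command-line argument, so it travels in the exec request (which API-server audit logging typically records) and sits in the argv of the `vault` process inside `vault-0`, readable by anyone who can run `ps` in that container or read `/proc` on the node. The removed `kubectl create secret --from-literal` form at least kept the value in a request body; the Vault CLI reads a value from stdin with `key=-`, which avoids argv entirely. The database password, for instance, becomes `< /dev/urandom tr -dc _A-Za-z0-9 | head -c32 | kubectl exec -i vault-0 -n vault -- vault kv put -mount=osh/heat heat-db-password password=-`, and the RabbitMQ `put` plus `patch` pair collapses into one `vault kv put -mount=osh/heat heat-rabbitmq-password username=heat password=-` fed the same way. Note also that the `$(...)` generator lost the double quotes it had in the removed block; with this charset it is harmless, but `"$(...)"` is the safer habit to show in a runbook.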
@@ -2,21 +2,86 @@ [![asciicast](https://asciinema.org/a/629815.svg)](https://asciinema.org/a/629815) -## Create secrets +## Pre-requsites + +- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/) +- User has access to `osh/horizon/` path in the Vault + +## Create secrets in the vault + +### Login to the vault + +``` shell +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=horizon +``` + +### List the existing secrets from `osh/horizon/` + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/horizon +``` + +### Create the secrets + +- Horizon-secrete-key Username and Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put osh/horizon/horizon-secrete-key username=horizon + +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv patch -mount=osh/horizon horizon-secrete-key \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) +``` + +- Horizon Database Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/horizon horizon-db-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/horizon +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/horizon horizon-secrete-key +``` + +## Install Horizon + +- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: + +```shell +kubectl get secret vault-ca-secret -o yaml -n openstack +``` + +- If it is absent, create one using the following command: + +``` shell +kubectl create secret generic vault-ca-secret \ + --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \ + -o jsonpath='{.data.ca\.crt}' -n vault | base64 
-d -)" -n openstack +``` + +- Deploy the necessary Vault resources to create Kubernetes secrets required by the Horizon installation: + +``` shell +kubectl apply -k /opt/genestack/kustomize/horizon/base/vault/ +``` + +- Validate whether the required Kubernetes secrets from Vault are populated: ``` shell -kubectl --namespace openstack \ - create secret generic horizon-secrete-key \ - --type Opaque \ - --from-literal=username="horizon" \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)" -kubectl --namespace openstack \ - create secret generic horizon-db-password \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +kubectl get secrets -n openstack ``` -## Run the package deployment +### Deploy Horizon helm chart ``` shell cd /opt/genestack/submodules/openstack-helm diff --git a/docs/openstack-keystone.md b/docs/openstack-keystone.md index 6e57225d..f878b578 100644 --- a/docs/openstack-keystone.md +++ b/docs/openstack-keystone.md 
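Review bot: Creating `horizon-secrete-key` as a `kv put` carrying only `username=horizon` followed by a `kv patch` for the password writes two versions of the secret (the first without the key material) and, on KV v2, needs the `patch` capability on the path that nothing else in this section requires; a single `vault kv put -mount=osh/horizon horizon-secrete-key username=horizon password=-` with the generated value piped into `kubectl exec -i vault-0 -n vault` does it in one write and also keeps the 64-character Django secret key out of the `vault` process's argv inside `vault-0`. The misspelled name `horizon-secrete-key` is carried over from the removed block and is presumably what the chart values reference, so a one-line remark such as `# "secrete" is intentional: the Kubernetes Secret name the Horizon chart expects` would stop a later cleanup from silently breaking the deployment. The closing check `kubectl get secrets -n openstack` lists the whole namespace; `kubectl get secret horizon-secrete-key horizon-db-password -n openstack` confirms the two objects this page needs.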
@@ -2,29 +2,94 @@ [![asciicast](https://asciinema.org/a/629802.svg)](https://asciinema.org/a/629802) -## Create secrets. +## Pre-requsites + +- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/) +- User has access to `osh/keystone/` path in the Vault + +## Create secrets in the vault + +### Login to the vault + +``` shell +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=keystone +``` + +### List the existing secrets from `osh/keystone/`: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/keystone +``` + +### Create the secrets + +- Keystone RabbitMQ Username and Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put osh/keystone/keystone-rabbitmq-password username=keystone + +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv patch -mount=osh/keystone keystone-rabbitmq-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) +``` + +- Keystone Database Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/keystone keystone-db-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Keystone Admin Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/keystone keystone-admin \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/keystone +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/keystone keystone-admin +``` + +## Install Keystone + +- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: + +```shell +kubectl get secret vault-ca-secret -o yaml -n 
openstack +``` + +- If it is absent, create one using the following command: + +``` shell +kubectl create secret generic vault-ca-secret \ + --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \ + -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack +``` + +- Deploy the necessary Vault resources to create Kubernetes secrets required by the Keystone installation: + +``` shell +kubectl apply -k /opt/genestack/kustomize/keystone/base/vault/ +``` + +- Validate whether the required Kubernetes secrets from Vault are populated: ``` shell -kubectl --namespace openstack \ - create secret generic keystone-rabbitmq-password \ - --type Opaque \ - --from-literal=username="keystone" \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)" -kubectl --namespace openstack \ - create secret generic keystone-db-password \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack \ - create secret generic keystone-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack \ - create secret generic keystone-credential-keys \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +kubectl get secrets -n openstack ``` -## Run the package deployment +### Deploy Keystone helm chart ``` shell cd /opt/genestack/submodules/openstack-helm diff --git a/docs/openstack-octavia.md b/docs/openstack-octavia.md index 51c8b669..d8853922 100644 --- a/docs/openstack-octavia.md +++ b/docs/openstack-octavia.md 
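Review bot: The removed block created four secrets, including `keystone-credential-keys`, but the new `Create the secrets` section writes only `keystone-rabbitmq-password`, `keystone-db-password` and `keystone-admin` under `osh/keystone`, and the closing `kubectl get secrets -n openstack` listing will not reveal that the fourth one is missing. The `docs/vault.md` hunk in this same change still shows `vault kv put -mount=osh/keystone keystone-credential-keys password=...` as context, so either add that command here as a fourth bullet (`vault kv put -mount=osh/keystone keystone-credential-keys password=-` with the value on stdin) or state explicitly that it is created by the Vault setup guide and must exist before `kubectl apply -k /opt/genestack/kustomize/keystone/base/vault/` is run. Replace the namespace-wide listing with `kubectl get secret keystone-rabbitmq-password keystone-db-password keystone-admin keystone-credential-keys -n openstack` so the check fails loudly if any of them is absent.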
@@ -2,29 +2,102 @@ [![asciicast](https://asciinema.org/a/629814.svg)](https://asciinema.org/a/629814) -### Create secrets +## Pre-requsites + +- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/) +- User has access to `osh/octavia/` path in the Vault + +## Create secrets in the vault + +### Login to the vault + +``` shell +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=octavia +``` + +### List the existing secrets from `osh/octavia/`: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/octavia +``` + +### Create the secrets + +- Octavia RabbitMQ Username and Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put osh/octavia/octavia-rabbitmq-password username=octavia + +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv patch -mount=osh/octavia octavia-rabbitmq-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) +``` + +- Octavia Database Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/octavia octavia-db-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Octavia Admin Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/octavia octavia-admin \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Octavia-certificates Password: ``` shell -kubectl --namespace openstack \ - create secret generic octavia-rabbitmq-password \ - --type Opaque \ - --from-literal=username="octavia" \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)" -kubectl --namespace openstack \ - create secret generic octavia-db-password \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl 
--namespace openstack \ - create secret generic octavia-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack \ - create secret generic octavia-certificates \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/octavia octavia-certificates \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) ``` -## Run the package deployment +### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/octavia +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/octavia octavia-admin +``` + +## Install Octavia + +- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: + +```shell +kubectl get secret vault-ca-secret -o yaml -n openstack +``` + +- If it is absent, create one using the following command: + +``` shell +kubectl create secret generic vault-ca-secret \ + --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \ + -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack +``` + +- Deploy the necessary Vault resources to create Kubernetes secrets required by the Octavia installation: + +``` shell +kubectl apply -k /opt/genestack/kustomize/octavia/base/vault/ +``` + +- Validate whether the required Kubernetes secrets from Vault are populated: + +``` shell +kubectl get secrets -n openstack +``` + +### Deploy Octavia helm chart ``` shell cd /opt/genestack/submodules/openstack-helm 
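Review bot: `vault login -method userpass username=octavia` run through `kubectl exec` stores the resulting token via the CLI token helper (`~/.vault-token`) inside the `vault-0` container, and nothing in the section revokes it, so a token with write access to `osh/octavia` stays on the pod's filesystem after the operator disconnects (and is presumably overwritten, not revoked, when the next service user logs in the same way). Add a final step after the validation commands, `kubectl exec --stdin=true --tty=true vault-0 -n vault -- vault token revoke -self`, and consider a short token TTL on the userpass users so forgotten sessions expire. The four `kv put`/`kv patch` commands also pass the generated passwords as arguments to `kubectl exec`, exposing them in the `vault` process's argv inside the container; `password=-` with the value piped into `kubectl exec -i` avoids that.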
@@ -52,7 +125,3 @@ helm upgrade --install octavia ./octavia \ In a production like environment you may need to include production specific files like the example variable file found in `helm-configs/prod-example-openstack-overrides.yaml`. Now validate functionality - -``` shell - -``` diff --git a/docs/openstack-skyline.md b/docs/openstack-skyline.md index 70f4a095..c05fd929 100644 --- a/docs/openstack-skyline.md +++ b/docs/openstack-skyline.md 
@@ -4,38 +4,97 @@ Skyline is an alternative Web UI for OpenStack. If you deploy horizon there's no need for Skyline. -## Create secrets +## Pre-requsites + +- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/) +- User has access to `osh/skyline/` path in the Vault + +## Create secrets in the vault + +### Login to the vault + +``` shell +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=skyline +``` + +### List the existing secrets from `osh/skyline/` + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/skyline +``` + +### Create the secrets Skyline is a little different because there's no helm integration. Given this difference the deployment is far simpler, and all secrets can be managed in one object. +- Skyline-apiserver-secrets: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/skyline skyline-apiserver-secrets \ + service-username=skyline \ + service-password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) \ + service-domain=service \ + service-project=service \ + service-project-domain=service \ + db-endpoint=maxscale-galera.openstack.svc.cluster.local \ + db-name=skyline \ + db-username=skyline \ + db-password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) \ + secret-key=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) \ + keystone-endpoint="$(kubectl --namespace openstack get secret keystone-keystone-admin -o jsonpath='{.data.OS_AUTH_URL}' | base64 -d)" \ + keystone-username=skyline \ + default-region=RegionOne \ + prometheus_basic_auth_password="" \ + prometheus_basic_auth_user="" \ + prometheus_enable_basic_auth=false \ + prometheus_endpoint=http://kube-prometheus-stack-prometheus.prometheus.svc.cluster.local:9090 +``` + +### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list 
osh/skyline +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/skyline skyline-apiserver-secrets +``` + +## Install Skyline + +- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: + +```shell +kubectl get secret vault-ca-secret -o yaml -n openstack +``` + +- If it is absent, create one using the following command: + +``` shell +kubectl create secret generic vault-ca-secret \ + --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \ + -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack +``` + +- Deploy the necessary Vault resources to create Kubernetes secrets required by the Skyline installation: + +``` shell +kubectl apply -k /opt/genestack/kustomize/skyline/base/vault/ +``` + +- Validate whether the required Kubernetes secrets from Vault are populated: + ``` shell -kubectl --namespace openstack \ - create secret generic skyline-apiserver-secrets \ - --type Opaque \ - --from-literal=service-username="skyline" \ - --from-literal=service-password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" \ - --from-literal=service-domain="service" \ - --from-literal=service-project="service" \ - --from-literal=service-project-domain="service" \ - --from-literal=db-endpoint="maxscale-galera.openstack.svc.cluster.local" \ - --from-literal=db-name="skyline" \ - --from-literal=db-username="skyline" \ - --from-literal=db-password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" \ - --from-literal=secret-key="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" \ - --from-literal=keystone-endpoint="$(kubectl --namespace openstack get secret keystone-keystone-admin -o jsonpath='{.data.OS_AUTH_URL}' | base64 -d)" \ - --from-literal=keystone-username="skyline" \ - --from-literal=default-region="RegionOne" \ - --from-literal=prometheus_basic_auth_password="" \ - --from-literal=prometheus_basic_auth_user="" \ - 
--from-literal=prometheus_enable_basic_auth="false" \ - --from-literal=prometheus_endpoint="http://kube-prometheus-stack-prometheus.prometheus.svc.cluster.local:9090" +kubectl get secrets -n openstack ``` !!! note All the configuration is in this one secret, so be sure to set your entries accordingly. -## Run the deployment +### Deploy Skyline !!! tip diff --git a/docs/vault.md b/docs/vault.md index 8be0fbde..b8338e83 100644 --- a/docs/vault.md +++ b/docs/vault.md @@ -189,4 +189,72 @@ vault kv put -mount=osh/keystone keystone-credential-keys password=$(< /dev/ura --- +## Example to create local users in Vault and provide access to the secret path + +- Login with root token and enable userpass authentication method: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- sh +vault login +vault auth enable userpass +``` + +- Create keystone user and the required policy: + +``` +vault policy write keystone - <
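Review bot: The single `skyline-apiserver-secrets` `kv put` places `service-password`, `db-password` and `secret-key` together on the command line of a `kubectl exec`, so all three sit in the argv of the `vault` process inside `vault-0` and in the exec request itself; because this write carries many keys, the practical fix is to assemble the key/value pairs into a JSON object locally and feed it on stdin with `kubectl exec -i vault-0 -n vault -- vault kv put -mount=osh/skyline skyline-apiserver-secrets -`, which the CLI accepts in place of key=value arguments. The closing `kubectl get secrets -n openstack` only lists the namespace; `kubectl get secret skyline-apiserver-secrets -n openstack` confirms the one object Skyline needs without printing its data. Since the removed block set the same empty `prometheus_basic_auth_*` values, a short remark that basic auth is intentionally disabled for the in-cluster Prometheus endpoint would make the blank fields look deliberate rather than unfinished.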