diff --git a/components/openstack/kustomization.yaml b/components/openstack/kustomization.yaml
index c7f3ca442..29b5d8e8f 100644
--- a/components/openstack/kustomization.yaml
+++ b/components/openstack/kustomization.yaml
@@ -6,6 +6,11 @@
 resources:
 - mariadb-configmap.yaml
 - mariadb-instance.yaml
 - openstack-cluster.yaml
+ # a secret store that let's us copy creds to other namespaces
+ # for service accounts
+ - secretstore-openstack.yaml
+ # defines the service account 'argoworkflow' used by our workflows
+ - svc-acct-argoworkflow.yaml
 helmCharts:
 - name: memcached
diff --git a/components/openstack/secretstore-openstack.yaml b/components/openstack/secretstore-openstack.yaml
new file mode 100644
index 000000000..60e7762f9
--- /dev/null
+++ b/components/openstack/secretstore-openstack.yaml
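Review bot: The comment added above the `secretstore-openstack.yaml` entry reads `let's us`, which should be `lets us`, and "copy creds to other namespaces" understates the scope, since the referenced file defines a cluster-scoped store. I would reword the two added comment lines to `# ClusterSecretStore that lets ExternalSecrets in other namespaces` / `# copy the argoworkflow creds out of this namespace` so a reader of the kustomization sees that the store is reachable cluster-wide.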
@@ -0,0 +1,65 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: eso-openstack
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ annotations:
+ kubernetes.io/service-account.name: eso-openstack
+ name: eso-openstack.service-account-token
+type: kubernetes.io/service-account-token
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: eso-openstack-role
+rules:
+- apiGroups: [""]
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ resourceNames:
+ - svc-acct-argoworkflow
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - selfsubjectrulesreviews
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: eso-openstack-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: eso-openstack-role
+subjects:
+- kind: ServiceAccount
+ name: eso-openstack
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ name: openstack
+spec:
+ provider:
+ kubernetes:
+ remoteNamespace: openstack
+ server:
+ caProvider:
+ type: ConfigMap
+ name: kube-root-ca.crt
+ key: ca.crt
+ namespace: openstack
+ auth:
+ serviceAccount:
+ name: eso-openstack
+ namespace: openstack
diff --git a/components/openstack/svc-acct-argoworkflow.yaml b/components/openstack/svc-acct-argoworkflow.yaml
new file mode 100644
index 000000000..a2e8975cd
--- /dev/null
+++ b/components/openstack/svc-acct-argoworkflow.yaml
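Review bot: The `ClusterSecretStore` named `openstack` has no `spec.conditions`, so an ExternalSecret in any namespace on the cluster can reference it and, through the `eso-openstack` service account, read the `svc-acct-argoworkflow` secret out of the `openstack` namespace — the Role limits which secret is readable, not who may ask for it. If the credential is only meant for the workflow namespaces, restrict the store with `conditions:` / `- namespaces:` / `  - <workflow-namespace>` (or a `namespaceSelector`), listing the real consumers. Separately, the `eso-openstack.service-account-token` Secret creates a non-expiring bearer token for that service account; if the ESO version in use obtains the token for `auth.serviceAccount` via the TokenRequest API, as I believe it does for the kubernetes provider, that Secret is an unused standing credential and should be dropped — please confirm against the deployed version. Also note that `resourceNames` does not constrain `list`/`watch` unless the request carries a `metadata.name` field selector, so those two verbs are effectively denied here; if ESO only needs `get` for this store, trimming them makes the Role say what it means.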
@@ -0,0 +1,28 @@
+apiVersion: generators.external-secrets.io/v1alpha1
+kind: Fake
+metadata:
+ name: svc-acct-argoworkflow
+spec:
+ data:
+ # this provider needs to go away for a generated account
+ # but it currently must be in sync with the keystone bootstrap
+ # script
+ # this should be the 'service' domain in the future
+ user_domain: default
+ username: argoworkflow
+ password: demo
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: svc-acct-argoworkflow
+spec:
+ refreshInterval: 1h
+ target:
+ name: svc-acct-argoworkflow
+ dataFrom:
+ - sourceRef:
+ generatorRef:
+ apiVersion: generators.external-secrets.io/v1alpha1
+ kind: Fake
+ name: svc-acct-argoworkflow
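Review bot: The `Fake` generator carries the keystone password `demo` in cleartext, both in this repository and in the `Fake` custom resource on the cluster, where it is readable by anyone with `get` on that CRD rather than being covered by Secret RBAC; the ExternalSecret then materialises the same value as the `svc-acct-argoworkflow` Secret. The in-file comment says the value must currently match the keystone bootstrap script, so it cannot simply become a `Password` generator today, but the risk should be stated at the point of definition: `# NOTE: cleartext bootstrap credential, visible in git and in this CR; rotate and move to a real secret source before non-dev use`. While there, quote the scalars (`password: "demo"`, `user_domain: "default"`) so a future value that happens to look like a number or boolean is not retyped by the YAML parser on its way into the Secret.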