[Question] How to achieve OpenStack project isolation for LoadBalancers in a multi-tenant Kamaji + CAPO setup? #291
Unanswered
ErfanThaGreat asked this question in Q&A
Replies: 1 comment

@ErfanThaGreat I moved your question to Discussions since it's not an Issue affecting the codebase, rather, a general question.
The Goal: I am building a multi-tenant service. I want each Workload Cluster (both worker nodes and the Control Plane LoadBalancer) to reside in its own dedicated OpenStack Project.
The Current Setup:
Management Cluster: Running Kamaji and cluster-api-provider-openstack (CAPO).
Workload Clusters: CAPO successfully uses cluster-specific Secret credentials to provision worker nodes in separate OpenStack Projects.
Control Plane: Kamaji creates a Service type: LoadBalancer in the Management Cluster, which relies on the Management Cluster's OCCM to provision the VIP.
The Problem: The Management Cluster's OCCM is configured with a single set of OpenStack credentials. Consequently, every LoadBalancer for every tenant is being created in the same OpenStack Project (the one belonging to the Management Cluster).
This prevents true project isolation and causes networking issues, as the LoadBalancer cannot easily reach worker nodes in different OpenStack Projects/Subnets.
My Questions:
The "Correct" Way: How is Kamaji intended to handle multiple OpenStack project isolation where each workload cluster requires its own infrastructure project?
Current Workaround: Is there a way to force the Management Cluster's OCCM to use specific credentials (e.g., from the CAPO Secret) when reconciling the LoadBalancer Service for a particular cluster?
Fix/Implementation: If this is not currently supported, is there a planned path to allow Kamaji to delegate LB creation to CAPO or to an OCCM instance that is "tenant-aware"?
I am looking for a fix or a recommended architectural pattern to ensure the Control Plane VIP is provisioned in the same project as the worker nodes. Any guidance would be greatly appreciated!
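The isolation failure the post describes (every control-plane VIP landing in the management project because the OCCM holds one credential set) can be checked mechanically before any tenant notices. The following is an added audit example, not code from Kamaji, CAPO or cloud-provider-openstack: it reads the project from the management cluster's OCCM cloud.conf and compares it with the project in each workload cluster's CAPO clouds.yaml. The cluster names, project IDs and Keystone endpoint are constructed placeholders, and the clouds.yaml content is assumed to have already been decoded from the identityRef Secret and parsed into a dict (for instance with yaml.safe_load).

```python
import configparser
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of the cloud.conf the management cluster's OCCM reads.
# [Global] auth-url / tenant-id / region and [LoadBalancer] floating-network-id
# are real cloud-provider-openstack keys; every value here is a placeholder.
OCCM_CLOUD_CONF = """\
[Global]
auth-url = https://keystone.example.invalid:5000/v3
tenant-id = mgmt-project-0000
region = RegionOne

[LoadBalancer]
floating-network-id = ext-net-0000
"""

# Constructed: per workload cluster, the cloudName from OpenStackCluster.identityRef
# and the clouds.yaml from the referenced Secret, already parsed into a dict
# (in practice: yaml.safe_load of the base64-decoded Secret key "clouds.yaml").
CAPO_CLOUDS: Dict[str, Tuple[str, dict]] = {
    "tenant-a": ("tenant-a", {"clouds": {"tenant-a": {"auth": {
        "auth_url": "https://keystone.example.invalid:5000/v3",
        "project_id": "proj-a-1111"}}}}),
    "tenant-b": ("tenant-b", {"clouds": {"tenant-b": {"auth": {
        "auth_url": "https://keystone.example.invalid:5000/v3",
        "project_name": "tenant-b-project"}}}}),
    # A cluster deliberately placed in the management project: no finding expected.
    "internal": ("mgmt", {"clouds": {"mgmt": {"auth": {
        "auth_url": "https://keystone.example.invalid:5000/v3",
        "project_id": "mgmt-project-0000"}}}}),
}


def occm_project(cloud_conf_text: str) -> Optional[str]:
    """Project in which this OCCM will create every Service type=LoadBalancer VIP."""
    cfg = configparser.ConfigParser()
    cfg.read_string(cloud_conf_text)
    glob = cfg["Global"]
    return glob.get("tenant-id") or glob.get("tenant-name")


def capo_project(clouds_yaml: dict, cloud_name: str) -> Optional[str]:
    """Project in which CAPO provisions the cluster's worker nodes."""
    auth = clouds_yaml["clouds"][cloud_name].get("auth", {})
    return auth.get("project_id") or auth.get("project_name")


@dataclass
class Finding:
    cluster: str
    lb_project: Optional[str]
    worker_project: Optional[str]

    @property
    def isolated(self) -> bool:
        # Only a literal match counts; an unknown project on either side fails closed.
        return self.lb_project is not None and self.lb_project == self.worker_project


def audit(cloud_conf_text: str,
          clouds_by_cluster: Dict[str, Tuple[str, dict]]) -> List[Finding]:
    """One Finding per workload cluster; isolated=False means its control-plane
    VIP would be created in the management project, not the cluster's own."""
    lb_project = occm_project(cloud_conf_text)
    return [Finding(name, lb_project, capo_project(cy, cn))
            for name, (cn, cy) in clouds_by_cluster.items()]


if __name__ == "__main__":
    for f in audit(OCCM_CLOUD_CONF, CAPO_CLOUDS):
        status = "ok" if f.isolated else "LB OUTSIDE TENANT PROJECT"
        print(f"{f.cluster}: lb={f.lb_project} workers={f.worker_project} -> {status}")
```

The comparison is deliberately literal: a cluster whose clouds.yaml carries only `project_name` is reported as not isolated even if that name happened to resolve to the OCCM's `tenant-id`, so in a real audit resolve names to IDs against Keystone first. Run against live data, the only clusters that should pass are those intentionally hosted in the management project.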