
Add application credential finalizer management#881

Open
Deydra71 wants to merge 1 commit intoopenstack-k8s-operators:mainfrom
Deydra71:appcred-finalizer

Conversation

@Deydra71
Contributor

Jira: OSPRH-29269

Application Credential dev-doc: https://github.com/openstack-k8s-operators/dev-docs/blob/main/application_credentials.md

  • Tracks the active AC secret name in Status.ApplicationCredentialSecret for ceilometer, cloudkitty and aodh service CRs
  • Add openstack.org/ceilometer-ac-consumer, openstack.org/cloudkitty-ac-consumer and openstack.org/aodh-ac-consumer finalizers to the relevant AC secret after service config is rendered
  • On AC rotation, move the finalizer from the old secret to the new one
  • On CR deletion, remove the consumer finalizer from the AC secret before cleaning up the CR

This ensures that the keystone-operator cannot revoke a rotated AC secret while Telemetry services are still consuming it.

2026-04-28T11:17:30Z	INFO	Controllers.CloudKitty	Added consumer finalizer	{"controller": "cloudkitty", "controllerGroup": "telemetry.openstack.org", "controllerKind": "CloudKitty", "CloudKitty": {"name":"cloudkitty","namespace":"openstack"}, "namespace": "openstack", "name": "cloudkitty", "reconcileID": "d5c49b36-852a-49b2-8959-1b53e28a6659", "object": "ac-cloudkitty-808d6-secret", "finalizer": "openstack.org/cloudkitty-ac-consumer"}
2026-04-28T11:17:31Z	INFO	Controllers.CloudKitty	Removed consumer finalizer	{"controller": "cloudkitty", "controllerGroup": "telemetry.openstack.org", "controllerKind": "CloudKitty", "CloudKitty": {"name":"cloudkitty","namespace":"openstack"}, "namespace": "openstack", "name": "cloudkitty", "reconcileID": "d5c49b36-852a-49b2-8959-1b53e28a6659", "object": "ac-cloudkitty-95014-secret", "finalizer": "openstack.org/cloudkitty-ac-consumer"}

2026-04-28T12:06:19Z	INFO	Controllers.Ceilometer	Added consumer finalizer	{"controller": "ceilometer", "controllerGroup": "telemetry.openstack.org", "controllerKind": "Ceilometer", "Ceilometer": {"name":"ceilometer","namespace":"openstack"}, "namespace": "openstack", "name": "ceilometer", "reconcileID": "ef189530-c791-4806-986f-7e31451b5119", "object": "ac-ceilometer-86b0f-secret", "finalizer": "openstack.org/ceilometer-ac-consumer"}
2026-04-28T12:06:19Z	INFO	Controllers.Ceilometer	Removed consumer finalizer	{"controller": "ceilometer", "controllerGroup": "telemetry.openstack.org", "controllerKind": "Ceilometer", "Ceilometer": {"name":"ceilometer","namespace":"openstack"}, "namespace": "openstack", "name": "ceilometer", "reconcileID": "ef189530-c791-4806-986f-7e31451b5119", "object": "ac-ceilometer-e10b5-secret", "finalizer": "openstack.org/ceilometer-ac-consumer"}

2026-04-28T12:12:49Z	INFO	Controllers.Autoscaling	Added consumer finalizer	{"controller": "autoscaling", "controllerGroup": "telemetry.openstack.org", "controllerKind": "Autoscaling", "Autoscaling": {"name":"autoscaling","namespace":"openstack"}, "namespace": "openstack", "name": "autoscaling", "reconcileID": "d260075a-257b-4452-8368-fb1e4833344a", "object": "ac-aodh-516d1-secret", "finalizer": "openstack.org/autoscaling-ac-consumer"}
2026-04-28T12:12:49Z	INFO	Controllers.Autoscaling	Removed consumer finalizer	{"controller": "autoscaling", "controllerGroup": "telemetry.openstack.org", "controllerKind": "Autoscaling", "Autoscaling": {"name":"autoscaling","namespace":"openstack"}, "namespace": "openstack", "name": "autoscaling", "reconcileID": "d260075a-257b-4452-8368-fb1e4833344a", "object": "ac-aodh-73396-secret", "finalizer": "openstack.org/autoscaling-ac-consumer"}

Note: AoDH service as of now doesn't have upstream application credential support - OSPRH-25436, but AoDH controller support is included in this PR.

Depends-On: openstack-k8s-operators/keystone-operator#685

Assisted-by: Claude Opus 4.6 noreply@anthropic.com

Signed-off-by: Veronika Fisarova <vfisarov@redhat.com>
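The hand-off the bullets above describe, as an added example that is not telemetry-operator code: it uses an in-memory map in place of the Kubernetes client (Secret, SecretStore and ServiceStatus are hypothetical stand-ins) and orders the steps the way the log lines show, adding the consumer finalizer to the new AC secret before removing it from the old one, so the credential still in use is never left unprotected.

```go
package main

import (
	"fmt"
	"slices"
)

// Secret models only the metadata.finalizers list the logic touches;
// SecretStore stands in for the API server, keyed by secret name.
type Secret struct{ Finalizers []string }
type SecretStore map[string]*Secret

// ServiceStatus mirrors the Status.ApplicationCredentialSecret field.
type ServiceStatus struct{ ApplicationCredentialSecret string }

// EnsureConsumerFinalizer adds fin to the secret if missing (idempotent).
func EnsureConsumerFinalizer(store SecretStore, name, fin string) error {
	s, ok := store[name]
	if !ok {
		return fmt.Errorf("secret %q not found", name)
	}
	if !slices.Contains(s.Finalizers, fin) {
		s.Finalizers = append(s.Finalizers, fin)
	}
	return nil
}

// RemoveConsumerFinalizer drops fin; a secret that is already gone is not
// an error on this path, since there is nothing left to release.
func RemoveConsumerFinalizer(store SecretStore, name, fin string) {
	if s, ok := store[name]; ok {
		s.Finalizers = slices.DeleteFunc(s.Finalizers, func(f string) bool { return f == fin })
	}
}

// ReconcileACFinalizer is the rotation hand-off: protect the new secret first,
// then release the old one and record the new name in status. If the new
// secret cannot be protected, the old finalizer stays and the next reconcile
// retries, so keystone-operator cannot revoke the credential still in use.
func ReconcileACFinalizer(store SecretStore, st *ServiceStatus, newName, fin string) error {
	if err := EnsureConsumerFinalizer(store, newName, fin); err != nil {
		return err
	}
	if old := st.ApplicationCredentialSecret; old != "" && old != newName {
		RemoveConsumerFinalizer(store, old, fin)
	}
	st.ApplicationCredentialSecret = newName
	return nil
}
```

The CR-deletion path is the same release step: call RemoveConsumerFinalizer with the secret name recorded in status before the CR's own finalizer is dropped.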
@openshift-ci
Contributor

openshift-ci Bot commented Apr 28, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Deydra71
Once this PR has been reviewed and has the lgtm label, please assign dprince for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot requested a review from stuggi April 28, 2026 12:21
@Deydra71 Deydra71 requested review from jlarriba and vyzigold and removed request for mgirgisf, stuggi and vyzigold April 28, 2026 12:21
@softwarefactory-project-zuul

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/92698f2a553140b1b27ae8fe695783dd

✔️ openstack-k8s-operators-content-provider SUCCESS in 2h 04m 08s
✔️ telemetry-operator-multinode-cloudkitty SUCCESS in 1h 38m 51s
✔️ telemetry-openstack-meta-content-provider-master SUCCESS in 2h 20m 38s
✔️ telemetry-operator-multinode-default-telemetry SUCCESS in 1h 28m 57s
functional-tests-osp18 FAILURE in 1h 44m 06s

@Deydra71
Contributor Author

Note: this PR does not include EDPM-aware revocation blocking. Nova-operator and telemetry-operator will not need code changes for the EDPM tracking problem.

The EDPM credential lifecycle gap (old AC secrets being revoked while EDPM nodes still use them) will be handled entirely in keystone-operator, building on the SecretDeploymentStatus / AreAllNodesUpdated() tracking from openstack-operator PR #1781.

The plan:

  • keystone-operator's cleanupUnusedRotatedSecrets() will add a NodeSet status check only for EDPM-consuming ACs (ac-nova, ac-ceilometer). Before revoking an old Keystone AC or deleting its K8s Secret, it will list all OpenStackDataPlaneNodeSet CRs and check AreAllNodesUpdated(). If any NodeSet has pending node updates, revocation/deletion is skipped and retried on the next reconcile.
  • The same guard will apply during reconcileDelete() for Keystone-side revocation.
  • Nova-operator and telemetry-operator continue managing their control-plane consumer finalizers (openstack.org/nova-ac-consumer, openstack.org/ceilometer-ac-consumer) exactly as implemented in this PR. No EDPM-specific finalizer or NodeSet watch is needed in the service operators.

This keeps the tracking responsibility centralized in keystone-operator (the credential owner) rather than duplicating NodeSet awareness across service operators. Same pattern as infra-operator's ae1787c for RabbitMQ user deletion.
