
Add application credential finalizer management #454

Merged
openshift-merge-bot[bot] merged 1 commit into openstack-k8s-operators:main from Deydra71:appcred-finalizer
Jun 3, 2026

@Deydra71 Deydra71 commented Apr 23, 2026

Contributor

Jira: OSPRH-29269

Application Credential dev-doc: https://github.com/openstack-k8s-operators/dev-docs/blob/main/application_credentials.md

  • Tracks the active AC secret name in Status.ApplicationCredentialSecret
  • Add openstack.org/designateapi-ac-consumer finalizer to the AC secret after service config is rendered
  • On AC rotation, move the finalizer from the old secret to the new one
  • On CR deletion, remove the consumer finalizer from the AC secret before cleaning up the CR

This ensures that the keystone-operator cannot revoke a rotated AC secret while Designate is still consuming it.

2026-04-28T11:56:32Z	INFO	Controllers.DesignateAPI	Added consumer finalizer	{"controller": "designateapi", "controllerGroup": "designate.openstack.org", "controllerKind": "DesignateAPI", "DesignateAPI": {"name":"designate-api","namespace":"openstack"}, "namespace": "openstack", "name": "designate-api", "reconcileID": "254cd723-8b76-4917-a7c8-0087a040e4c7", "object": "ac-designate-e70e9-secret", "finalizer": "openstack.org/designateapi-ac-consumer"}
2026-04-28T11:56:32Z	INFO	Controllers.DesignateAPI	Removed consumer finalizer	{"controller": "designateapi", "controllerGroup": "designate.openstack.org", "controllerKind": "DesignateAPI", "DesignateAPI": {"name":"designate-api","namespace":"openstack"}, "namespace": "openstack", "name": "designate-api", "reconcileID": "254cd723-8b76-4917-a7c8-0087a040e4c7", "object": "ac-designate-6444d-secret", "finalizer": "openstack.org/designateapi-ac-consumer"}

Depends-On: openstack-k8s-operators/keystone-operator#685

Assisted-by: Claude Opus 4.6 noreply@anthropic.com

Signed-off-by: Veronika Fisarova <vfisarov@redhat.com>

@Deydra71 Deydra71 force-pushed the appcred-finalizer branch from d732c62 to 39c1152 May 25, 2026 10:36
@Deydra71

Contributor Author

Following the discussion in watcher-operator, the AC finalizer management is now split into two phases:

  • Early phase: adds consumer finalizer to the new AC secret immediately (protects it from premature revocation)
  • Late phase: removes consumer finalizer from the old AC secret only after AllSubConditionIsTrue() (all sub-services deployed with new credentials)

This prevents a race condition where rapid AC rotations could revoke credentials still in use by running pods.
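
Added example, not part of the PR or the operator's code: a minimal in-memory model of the two-phase handling described in the comment above, showing that the old secret stays protected until the rollout is complete. The `Secret`, `State`, `Reconcile` and `Revocable` names are hypothetical, the secret names are constructed, and it assumes a secret is revoked only once no finalizer remains on it.

```go
package main

import "fmt"

// Finalizer name as given in the PR description.
const consumerFinalizer = "openstack.org/designateapi-ac-consumer"

// Secret is a constructed in-memory stand-in for a Kubernetes Secret's finalizer list.
type Secret struct{ Finalizers map[string]bool }

// State is a hypothetical model of the consumer CR: Active mirrors
// Status.ApplicationCredentialSecret, Desired is the secret the CR now points at.
type State struct{ Active, Desired string }

// Reconcile applies both phases; allReady stands in for AllSubConditionIsTrue().
func Reconcile(st *State, secrets map[string]*Secret, allReady bool) {
	// Early phase: protect the new secret before anything is redeployed.
	if s, ok := secrets[st.Desired]; ok {
		s.Finalizers[consumerFinalizer] = true
	}
	// Late phase: keep holding the old secret until every sub-service is ready.
	if !allReady || st.Active == st.Desired {
		return
	}
	if old, ok := secrets[st.Active]; ok {
		delete(old.Finalizers, consumerFinalizer)
	}
	st.Active = st.Desired
}

// Revocable encodes the assumption that the owner of the secret revokes it
// only once no finalizer is left on it.
func Revocable(s *Secret) bool { return len(s.Finalizers) == 0 }

func main() {
	// Constructed secret names; the old one already carries the finalizer.
	secrets := map[string]*Secret{
		"ac-old": {Finalizers: map[string]bool{consumerFinalizer: true}},
		"ac-new": {Finalizers: map[string]bool{}},
	}
	st := &State{Active: "ac-old", Desired: "ac-new"}
	for _, ready := range []bool{false, true} {
		Reconcile(st, secrets, ready)
		fmt.Printf("ready=%v active=%s old revocable=%v new revocable=%v\n", ready,
			st.Active, Revocable(secrets["ac-old"]), Revocable(secrets["ac-new"]))
	}
}
```

The first pass (not ready) leaves both secrets non-revocable; only the second pass releases the old one and advances the tracked name.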

@fmount fmount left a comment

Contributor

/lgtm

fmount commented May 27, 2026

Contributor

The implementation is in line with the other (merged) operators. @abays || @karelyatin for a final approve.

@beagles beagles left a comment

Collaborator

/lgtm

openshift-ci Bot commented Jun 3, 2026

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: beagles, Deydra71, fmount

@openshift-ci openshift-ci Bot added the approved label Jun 3, 2026
@openshift-merge-bot openshift-merge-bot Bot merged commit 74a158e into openstack-k8s-operators:main Jun 3, 2026
5 checks passed