Add application credential finalizer management

[Deydra71]

Jira: OSPRH-29269

Application Credential dev-doc: https://github.com/openstack-k8s-operators/dev-docs/blob/main/application_credentials.md

• Tracks the active AC secret name in Status.ApplicationCredentialSecret
• Add openstack.org/heat-ac-consumer finalizer to the AC secret after service config is rendered
• On AC rotation, move the finalizer from the old secret to the new one
• On CR deletion, remove the consumer finalizer from the AC secret before cleaning up the CR

This ensures that the keystone-operator cannot revoke a rotated AC secret while Heat is still consuming it.

2026-04-28T11:55:51Z	INFO	Controllers.Heat	Added consumer finalizer	{"controller": "heat", "controllerGroup": "heat.openstack.org", "controllerKind": "Heat", "Heat": {"name":"heat","namespace":"openstack"}, "namespace": "openstack", "name": "heat", "reconcileID": "82672178-a3a3-4bd4-b3d5-87c6d5853d9b", "object": "ac-heat-aa0a4-secret", "finalizer": "openstack.org/heat-ac-consumer"}
2026-04-28T11:55:51Z	INFO	Controllers.Heat	Removed consumer finalizer	{"controller": "heat", "controllerGroup": "heat.openstack.org", "controllerKind": "Heat", "Heat": {"name":"heat","namespace":"openstack"}, "namespace": "openstack", "name": "heat", "reconcileID": "82672178-a3a3-4bd4-b3d5-87c6d5853d9b", "object": "ac-heat-ba179-secret", "finalizer": "openstack.org/heat-ac-consumer"}

Depends-On: openstack-k8s-operators/keystone-operator#685

Assisted-by: Claude Opus 4.6 noreply@anthropic.com

[bshephar]

I'm an outsider now, as an outsider it would be nice to have some more context about this change in the commit message. :)

Maybe it's still a WIP, but there's a few important things I've noted in-line.

[openshift-ci]

@bshephar: changing LGTM is restricted to collaborators

Details

In response to this:

I'm an outsider now, as an outsider it would be nice to have some more context about this change in the commit message. :)

Maybe it's still a WIP, but there's a few important things I've noted in-line.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[centosinfra-prod-github-app]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://gateway-cloud-softwarefactory.apps.ocp.cloud.ci.centos.org/zuul/t/rdo/buildset/849a9504196145fea3f5e5dbc21e1456

✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 56m 15s
❌ heat-operator-tempest-multinode FAILURE in 1h 36m 21s

[centosinfra-prod-github-app]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://gateway-cloud-softwarefactory.apps.ocp.cloud.ci.centos.org/zuul/t/rdoproject.org/buildset/595b169ceb084e46ae2d6f70db2a7b00

❌ openstack-k8s-operators-content-provider FAILURE in 4m 09s
⚠️ heat-operator-tempest-multinode SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider

[Deydra71]

/test heat-operator-build-deploy-kuttl

[Deydra71]

recheck

[Deydra71]

Following the discussion in watcher-operator the AC finalizer management is now split into two phases:

• Early phase: adds consumer finalizer to the new AC secret immediately (protects it from premature revocation)
• Late phase: removes consumer finalizer from the old AC secret only after AllSubConditionIsTrue() (all sub-services deployed with new credentials)

This prevents a race condition where rapid AC rotations could revoke credentials still in use by running pods.

The new file api_fixture.go: heat's functional tests need a fake Keystone HTTP server to satisfy Keystone calls. SImilar pattern is used e.g. in octavia-operator - https://github.com/openstack-k8s-operators/octavia-operator/blob/main/test/functional/api_fixture.go

[Deydra71]

@rabi Hi! Is there still any requested change/clarification on your side, or we ready to merge?

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Deydra71, rabi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [rabi]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Deydra71]

/test heat-operator-build-deploy-kuttl

failed during install_yamls deploy