Add AC finalizer management

Deydra71 · Deydra71 · commit 28fe0a6ecfd6 · 2026-05-12T11:11:46.000+02:00
Signed-off-by: Veronika Fisarova &lt;vfisarov@redhat.com&gt;
diff --git a/api/bases/neutron.openstack.org_neutronapis.yaml b/api/bases/neutron.openstack.org_neutronapis.yaml
@@ -1455,6 +1455,28 @@ spec:
                       from the Secret
                     type: string
                 type: object
+              podAnnotations:
+                description: PodAnnotations are added to the Neutron API Deployment
+                  pod template.
+                items:
+                  description: |-
+                    PodAnnotation is a single key/value pair that will be applied to the Neutron API
+                    Deployment PodTemplate as an annotation.
+                  properties:
+                    name:
+                      description: Name is the annotation key.
+                      type: string
+                    value:
+                      description: Value is the annotation value.
+                      type: string
+                  required:
+                  - name
+                  - value
+                  type: object
+                type: array
+                x-kubernetes-list-map-keys:
+                - name
+                x-kubernetes-list-type: map
               preserveJobs:
                 default: false
                 description: PreserveJobs - do not delete jobs after they finished
@@ -1607,6 +1629,13 @@ spec:
           status:
             description: NeutronAPIStatus defines the observed state of NeutronAPI
             properties:
+              applicationCredentialSecret:
+                description: |-
+                  ApplicationCredentialSecret - the AC secret NeutronAPI is currently
+                  consuming and protecting with the openstack.org/neutronapi-ac-consumer
+                  finalizer. Tracked so the controller can remove its finalizer from the
+                  old secret when the openstack-operator rotates the reference.
+                type: string
               conditions:
                 description: Conditions
                 items:
diff --git a/api/v1beta1/neutronapi_types.go b/api/v1beta1/neutronapi_types.go
@@ -177,6 +177,7 @@ type NeutronAPISpecCore struct {
 	// An empty value "" leaves the notification drivers unconfigured and emitting no notifications at all.
 	// Avoid colocating it with RabbitMqClusterName used for RPC.
 	NotificationsBusInstance *string `json:"notificationsBusInstance,omitempty" deprecated:"notificationsBus.cluster"`
+
 }
 
 type NeutronApiTLS struct {
@@ -237,6 +238,12 @@ type NeutronAPIStatus struct {
 	// NetworkAttachments status of the deployment pods
 	NetworkAttachments map[string][]string `json:"networkAttachments,omitempty"`
 
+	// ApplicationCredentialSecret - the AC secret NeutronAPI is currently
+	// consuming and protecting with the openstack.org/neutronapi-ac-consumer
+	// finalizer. Tracked so the controller can remove its finalizer from the
+	// old secret when the openstack-operator rotates the reference.
+	ApplicationCredentialSecret string `json:"applicationCredentialSecret,omitempty"`
+
 	// ObservedGeneration - the most recent generation observed for this
 	// service. If the observed generation is less than the spec generation,
 	// then the controller has not processed the latest changes injected by
diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/neutron.openstack.org_neutronapis.yaml b/config/crd/bases/neutron.openstack.org_neutronapis.yaml
@@ -1455,6 +1455,28 @@ spec:
                       from the Secret
                     type: string
                 type: object
+              podAnnotations:
+                description: PodAnnotations are added to the Neutron API Deployment
+                  pod template.
+                items:
+                  description: |-
+                    PodAnnotation is a single key/value pair that will be applied to the Neutron API
+                    Deployment PodTemplate as an annotation.
+                  properties:
+                    name:
+                      description: Name is the annotation key.
+                      type: string
+                    value:
+                      description: Value is the annotation value.
+                      type: string
+                  required:
+                  - name
+                  - value
+                  type: object
+                type: array
+                x-kubernetes-list-map-keys:
+                - name
+                x-kubernetes-list-type: map
               preserveJobs:
                 default: false
                 description: PreserveJobs - do not delete jobs after they finished
@@ -1607,6 +1629,13 @@ spec:
           status:
             description: NeutronAPIStatus defines the observed state of NeutronAPI
             properties:
+              applicationCredentialSecret:
+                description: |-
+                  ApplicationCredentialSecret - the AC secret NeutronAPI is currently
+                  consuming and protecting with the openstack.org/neutronapi-ac-consumer
+                  finalizer. Tracked so the controller can remove its finalizer from the
+                  old secret when the openstack-operator rotates the reference.
+                type: string
               conditions:
                 description: Conditions
                 items:
diff --git a/go.mod b/go.mod
@@ -143,3 +143,5 @@ replace k8s.io/component-base => k8s.io/component-base v0.31.14 //allow-merging
 replace github.com/rabbitmq/cluster-operator/v2 => github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20250929174222-a0d328fa4dec //allow-merging
 
 replace k8s.io/kube-openapi => k8s.io/kube-openapi v0.0.0-20250627150254-e9823e99808e //allow-merging
+
+replace github.com/openstack-k8s-operators/keystone-operator/api => github.com/Deydra71/keystone-operator/api v0.0.0-20260424093804-00a0ccdc9d20
diff --git a/go.sum b/go.sum
@@ -1,3 +1,5 @@
+github.com/Deydra71/keystone-operator/api v0.0.0-20260424093804-00a0ccdc9d20 h1:iyxfh2SDvQrOrsHItYAE3A3+8Ku9UnzWAq9jnLJDLjg=
+github.com/Deydra71/keystone-operator/api v0.0.0-20260424093804-00a0ccdc9d20/go.mod h1:SpO4CL7c5/1HG+61fP6kWhL2+3aqR+5SNatdZueKrz8=
 github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
 github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI=
@@ -120,8 +122,6 @@ github.com/openshift/api v0.0.0-20250711200046-c86d80652a9e h1:E1OdwSpqWuDPCedyU
 github.com/openshift/api v0.0.0-20250711200046-c86d80652a9e/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo=
 github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260416122644-5476763a36b6 h1:117Gu9HCSu2tAp579WnCJ9QtnslH2qnPB8UFvn8ZpqE=
 github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260416122644-5476763a36b6/go.mod h1:i7l8cihvFktd/LSuyvL2z6OcwauarQGoVhDMePL4VyI=
-github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260422175310-d957b8482944 h1:C0qDfnVa//1NwYyO6o5EK5RBKohYjldnmbGvj7RTQ2E=
-github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260422175310-d957b8482944/go.mod h1:SpO4CL7c5/1HG+61fP6kWhL2+3aqR+5SNatdZueKrz8=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20260417092244-81c71b39e981 h1:v1viH0gmNb+AXMg/0GxDcj8VUTdjVLotfOIGrNyMxHk=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20260417092244-81c71b39e981/go.mod h1:I/VBXZLdjk8DUGsEbB+Ha72JBFYYntP7Pm2FpEto9K8=
 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20260417092244-81c71b39e981 h1:jN3Kvt+RYUTaL9EXeeeIqRXVjqeNF74SuLTDXmi4X2Y=
diff --git a/internal/controller/neutronapi_controller.go b/internal/controller/neutronapi_controller.go
@@ -492,6 +492,19 @@ func (r *NeutronAPIReconciler) reconcileDelete(ctx context.Context, instance *ne
 	); err != nil {
 		return ctrlResult, err
 	}
+	// Remove consumer finalizer from AC secrets NeutronAPI was consuming.
+	// Check both status and spec to handle the edge case where the reconciler
+	// crashed after adding the finalizer but before updating the status.
+	for _, secretName := range []string{
+		instance.Status.ApplicationCredentialSecret,
+		instance.Spec.Auth.ApplicationCredentialSecret,
+	} {
+		if err := keystonev1.RemoveACSecretConsumerFinalizer(ctx, helper, instance.Namespace,
+			secretName, neutronapi.ACConsumerFinalizer); err != nil {
+			return ctrl.Result{}, err
+		}
+	}
+
 	// Service is deleted so remove the finalizer.
 	controllerutil.RemoveFinalizer(instance, helper.GetFinalizer())
 	Log.Info("Reconciled Service delete successfully")
@@ -648,6 +661,23 @@ func (r *NeutronAPIReconciler) reconcileInit(
 
 	// Create Secrets - end
 
+	// Manage consumer finalizer, the AC data was already read and rendered to the service config secret
+	if instance.Spec.Auth.ApplicationCredentialSecret != "" || instance.Status.ApplicationCredentialSecret != "" {
+		if err := keystonev1.ManageACSecretFinalizer(ctx, helper, instance.Namespace,
+			instance.Spec.Auth.ApplicationCredentialSecret,
+			instance.Status.ApplicationCredentialSecret,
+			neutronapi.ACConsumerFinalizer); err != nil {
+			instance.Status.Conditions.Set(condition.FalseCondition(
+				condition.ServiceConfigReadyCondition,
+				condition.ErrorReason,
+				condition.SeverityWarning,
+				condition.ServiceConfigReadyErrorMessage,
+				err.Error()))
+			return ctrl.Result{}, err
+		}
+	}
+	instance.Status.ApplicationCredentialSecret = instance.Spec.Auth.ApplicationCredentialSecret
+
 	instance.Status.Conditions.MarkTrue(condition.ServiceConfigReadyCondition, condition.ServiceConfigReadyMessage)
 
 	//
diff --git a/internal/neutronapi/const.go b/internal/neutronapi/const.go
@@ -50,6 +50,9 @@ const (
 
 	// NeutronDhcpAgentSecretKey is the key in external Secret for Neutron DHCP Agent with agent config
 	NeutronDhcpAgentSecretKey = "10-neutron-dhcp.conf"
+
+	// ACConsumerFinalizer is added to AC secrets that neutron is actively consuming
+	ACConsumerFinalizer = "openstack.org/neutronapi-ac-consumer"
 )
 
 // DbsyncPropagation keeps track of the DBSync Service Propagation Type
diff --git a/test/functional/neutronapi_controller_test.go b/test/functional/neutronapi_controller_test.go
@@ -2202,6 +2202,145 @@ func getNeutronAPIControllerSuite(ml2MechanismDrivers []string) func() {
 				}, timeout, interval).Should(Succeed())
 			})
 		})
+
+		When("ApplicationCredential consumer finalizer is managed", func() {
+			var acSecretName string
+
+			BeforeEach(func() {
+				acSecretName = "ac-neutron-a1b2c-secret" //nolint:gosec // G101
+				secret := &corev1.Secret{
+					ObjectMeta: metav1.ObjectMeta{
+						Namespace: namespace,
+						Name:      acSecretName,
+					},
+					Data: map[string][]byte{
+						keystonev1.ACIDSecretKey:     []byte("a1b2ctest-ac-id"),
+						keystonev1.ACSecretSecretKey: []byte("test-ac-secret"),
+					},
+				}
+				DeferCleanup(k8sClient.Delete, ctx, secret)
+				Expect(k8sClient.Create(ctx, secret)).To(Succeed())
+
+				spec["auth"] = map[string]any{
+					"applicationCredentialSecret": acSecretName,
+				}
+
+				DeferCleanup(th.DeleteInstance, CreateNeutronAPI(neutronAPIName.Namespace, neutronAPIName.Name, spec))
+				DeferCleanup(k8sClient.Delete, ctx, CreateNeutronAPISecret(namespace, SecretName))
+				DeferCleanup(infra.DeleteMemcached, infra.CreateMemcached(namespace, "memcached", memcachedSpec))
+				infra.SimulateMemcachedReady(memcachedName)
+				DeferCleanup(
+					mariadb.DeleteDBService,
+					mariadb.CreateDBService(
+						namespace,
+						GetNeutronAPI(neutronAPIName).Spec.DatabaseInstance,
+						corev1.ServiceSpec{
+							Ports: []corev1.ServicePort{{Port: 3306}},
+						},
+					),
+				)
+				SimulateTransportURLReady(apiTransportURLName)
+				mariadb.SimulateMariaDBAccountCompleted(types.NamespacedName{Namespace: namespace, Name: GetNeutronAPI(neutronAPIName).Spec.DatabaseAccount})
+				mariadb.SimulateMariaDBDatabaseCompleted(types.NamespacedName{Namespace: namespace, Name: neutronapi.DatabaseCRName})
+
+				if isOVNEnabled {
+					DeferCleanup(DeleteOVNDBClusters, CreateOVNDBClusters(namespace))
+				}
+				DeferCleanup(keystone.DeleteKeystoneAPI, keystone.CreateKeystoneAPI(namespace))
+			})
+
+			It("should add the consumer finalizer to the AC secret", func() {
+				Eventually(func(g Gomega) {
+					secret := th.GetSecret(types.NamespacedName{
+						Namespace: namespace,
+						Name:      acSecretName,
+					})
+					g.Expect(secret.Finalizers).To(
+						ContainElement(neutronapi.ACConsumerFinalizer))
+				}, timeout, interval).Should(Succeed())
+			})
+
+			It("should track the consumed AC secret in status", func() {
+				Eventually(func(g Gomega) {
+					n := GetNeutronAPI(neutronAPIName)
+					g.Expect(n.Status.ApplicationCredentialSecret).To(Equal(acSecretName))
+				}, timeout, interval).Should(Succeed())
+			})
+
+			It("should move the finalizer from the old to the new secret on rotation", func() {
+				Eventually(func(g Gomega) {
+					secret := th.GetSecret(types.NamespacedName{
+						Namespace: namespace,
+						Name:      acSecretName,
+					})
+					g.Expect(secret.Finalizers).To(
+						ContainElement(neutronapi.ACConsumerFinalizer))
+				}, timeout, interval).Should(Succeed())
+
+				newACSecretName := "ac-neutron-x9y8z-secret" //nolint:gosec // G101
+				newSecret := &corev1.Secret{
+					ObjectMeta: metav1.ObjectMeta{
+						Namespace: namespace,
+						Name:      newACSecretName,
+					},
+					Data: map[string][]byte{
+						keystonev1.ACIDSecretKey:     []byte("x9y8zrotated-ac-id"),
+						keystonev1.ACSecretSecretKey: []byte("rotated-ac-secret"),
+					},
+				}
+				DeferCleanup(k8sClient.Delete, ctx, newSecret)
+				Expect(k8sClient.Create(ctx, newSecret)).To(Succeed())
+
+				Eventually(func(g Gomega) {
+					n := GetNeutronAPI(neutronAPIName)
+					n.Spec.Auth.ApplicationCredentialSecret = newACSecretName
+					g.Expect(k8sClient.Update(ctx, n)).Should(Succeed())
+				}, timeout, interval).Should(Succeed())
+
+				Eventually(func(g Gomega) {
+					secret := th.GetSecret(types.NamespacedName{
+						Namespace: namespace,
+						Name:      newACSecretName,
+					})
+					g.Expect(secret.Finalizers).To(
+						ContainElement(neutronapi.ACConsumerFinalizer))
+				}, timeout, interval).Should(Succeed())
+
+				Eventually(func(g Gomega) {
+					secret := th.GetSecret(types.NamespacedName{
+						Namespace: namespace,
+						Name:      acSecretName,
+					})
+					g.Expect(secret.Finalizers).NotTo(
+						ContainElement(neutronapi.ACConsumerFinalizer))
+				}, timeout, interval).Should(Succeed())
+
+				Eventually(func(g Gomega) {
+					n := GetNeutronAPI(neutronAPIName)
+					g.Expect(n.Status.ApplicationCredentialSecret).To(Equal(newACSecretName))
+				}, timeout, interval).Should(Succeed())
+			})
+
+			It("should remove the consumer finalizer from AC secret on CR deletion", func() {
+				Eventually(func(g Gomega) {
+					secret := th.GetSecret(types.NamespacedName{
+						Namespace: namespace,
+						Name:      acSecretName,
+					})
+					g.Expect(secret.Finalizers).To(
+						ContainElement(neutronapi.ACConsumerFinalizer))
+				}, timeout, interval).Should(Succeed())
+
+				th.DeleteInstance(GetNeutronAPI(neutronAPIName))
+
+				secret := th.GetSecret(types.NamespacedName{
+					Namespace: namespace,
+					Name:      acSecretName,
+				})
+				Expect(secret.Finalizers).NotTo(
+					ContainElement(neutronapi.ACConsumerFinalizer))
+			})
+		})
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -50,6 +50,9 @@ const (`
`50`	`50`
`51`	`51`	`// NeutronDhcpAgentSecretKey is the key in external Secret for Neutron DHCP Agent with agent config`
`52`	`52`	`NeutronDhcpAgentSecretKey = "10-neutron-dhcp.conf"`
	`53`	`+`
	`54`	`+ // ACConsumerFinalizer is added to AC secrets that neutron is actively consuming`
	`55`	`+ ACConsumerFinalizer = "openstack.org/neutronapi-ac-consumer"`
`53`	`56`	`)`
`54`	`57`
`55`	`58`	`// DbsyncPropagation keeps track of the DBSync Service Propagation Type`