Add secret rotation tracking with composite hash drift detection

Track which nodes in a nodeset have been deployed with the latest secret
versions, enabling safe credential rotation by blocking deletion of old
credentials until all nodes are updated.

Design:
- Compute a composite SHA-256 hash from all tracked secrets, sorted by name
  for determinism, using lib-common's secret.Hash() for content-based hashing
- Store the deployed node list in a ConfigMap (<nodeset>-secret-tracking)
  to avoid bloating CR status for large nodesets. The ConfigMap contains
  {deployedSecretHash, deployedNodes[]}
- Detect drift on every reconcile by fetching tracked secrets from the cluster
  and comparing the composite hash against DeployedSecretHash in status. On
  mismatch, set AllNodesUpdated=false and UpdatedNodes=0 immediately
- Accumulate nodes across partial deployments using AnsibleLimit: when the
  deployment hash matches the stored hash, nodes are appended; when the hash
  differs (secrets changed), the node list resets
- Skip stale deployments whose secret hashes no longer match the cluster state
- Prune removed nodes by intersecting DeployedNodes with current Spec.Nodes

SecretDeploymentStatus fields in NodeSet status:
- AllNodesUpdated: all nodes deployed with current secrets (consumed by
  infra-operator's RabbitMQUser controller to block credential deletion)
- TotalNodes / UpdatedNodes: node counts for observability
- DeployedSecretHash: composite hash at last successful deployment
- LastUpdateTime: timestamp of last status update

API exports:
- GetSecretTrackingConfigMapName(nodesetName) returns the deterministic
  ConfigMap name for a given nodeset, allowing consumers to reference it

Watch configuration:
- Secret watch uses ResourceVersionChangedPredicate to avoid reconciling
  on metadata-only updates
- Field index on status.secretHashes.keys enables O(1) lookup of nodesets
  tracking a given secret, replacing O(secrets * nodesets) list scans

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: lmiccini

api/bases/dataplane.openstack.org_openstackdataplanenodesets.yaml

@@ -1987,6 +1987,33 @@ spec:
                   generation, then the controller has not processed the latest changes.
                 format: int64
                 type: integer
+              secretDeployment:
+                description: |-
+                  SecretDeployment tracks secret deployment progress across nodeset nodes
+                  Details are stored in a ConfigMap to avoid bloating the CR status
+                properties:
+                  allNodesUpdated:
+                    description: AllNodesUpdated indicates all nodes have been deployed
+                      with current secret versions
+                    type: boolean
+                  deployedSecretHash:
+                    description: |-
+                      DeployedSecretHash is a composite hash of all tracked secrets at the time of
+                      the last successful deployment. Drift is detected when this differs from the
+                      current cluster secret state.
+                    type: string
+                  lastUpdateTime:
+                    description: LastUpdateTime is when this status was last updated
+                    format: date-time
+                    type: string
+                  totalNodes:
+                    description: TotalNodes is the total number of nodes in the nodeset
+                    type: integer
+                  updatedNodes:
+                    description: UpdatedNodes is count of nodes deployed with current
+                      secret versions
+                    type: integer
+                type: object
               secretHashes:
                 additionalProperties:
                   type: string

api/dataplane/v1beta1/openstackdataplanenodeset_types.go

@@ -163,6 +163,43 @@ type OpenStackDataPlaneNodeSetStatus struct {
 
 	//DeployedBmhHash - Hash of BMHs deployed
 	DeployedBmhHash string `json:"deployedBmhHash,omitempty"`
+
+	// SecretDeployment tracks secret deployment progress across nodeset nodes
+	// Details are stored in a ConfigMap to avoid bloating the CR status
+	SecretDeployment *SecretDeploymentStatus `json:"secretDeployment,omitempty"`
+}
+
+// GetSecretTrackingConfigMapName returns the name of the ConfigMap that stores
+// per-node secret deployment tracking data for a given nodeset.
+func GetSecretTrackingConfigMapName(nodesetName string) string {
+	return fmt.Sprintf("%s-secret-tracking", nodesetName)
+}
+
+// SecretDeploymentStatus tracks secret deployment progress across nodeset nodes.
+// Summary fields are stored here; the detailed per-node deployed list is in a
+// ConfigMap (<nodeset-name>-secret-tracking) to avoid bloating CR status for large nodesets.
+type SecretDeploymentStatus struct {
+	// +optional
+	// AllNodesUpdated indicates all nodes have been deployed with current secret versions
+	AllNodesUpdated bool `json:"allNodesUpdated,omitempty"`
+
+	// +optional
+	// TotalNodes is the total number of nodes in the nodeset
+	TotalNodes int `json:"totalNodes,omitempty"`
+
+	// +optional
+	// UpdatedNodes is count of nodes deployed with current secret versions
+	UpdatedNodes int `json:"updatedNodes,omitempty"`
+
+	// +optional
+	// DeployedSecretHash is a composite hash of all tracked secrets at the time of
+	// the last successful deployment. Drift is detected when this differs from the
+	// current cluster secret state.
+	DeployedSecretHash string `json:"deployedSecretHash,omitempty"`
+
+	// +optional
+	// LastUpdateTime is when this status was last updated
+	LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
 }
 
 // +kubebuilder:object:root=true
@@ -183,6 +220,14 @@ func (instance OpenStackDataPlaneNodeSet) IsReady() bool {
 	return instance.Status.Conditions.IsTrue(condition.ReadyCondition)
 }
 
+// AreAllNodesUpdated returns true if all nodes have been deployed with current
+// secret versions. Returns false if tracking is not initialized or any nodes
+// have pending updates (fail-safe default).
+func (instance OpenStackDataPlaneNodeSet) AreAllNodesUpdated() bool {
+	return instance.Status.SecretDeployment != nil &&
+		instance.Status.SecretDeployment.AllNodesUpdated
+}
+
 // InitConditions - Initializes Status Conditons
 func (instance *OpenStackDataPlaneNodeSet) InitConditions() {
 	instance.Status.Conditions = condition.Conditions{}

api/dataplane/v1beta1/zz_generated.deepcopy.go

@@ -21193,6 +21193,31 @@ spec:
                   generation, then the controller has not processed the latest changes.
                 format: int64
                 type: integer
+              secretDeployment:
+                description: |-
+                  SecretDeployment tracks secret deployment progress across nodeset nodes
+                  Details are stored in a ConfigMap to avoid bloating the CR status
+                properties:
+                  allNodesUpdated:
+                    description: AllNodesUpdated indicates all nodes have current
+                      versions of all tracked secrets
+                    type: boolean
+                  configMapName:
+                    description: ConfigMapName references the ConfigMap containing
+                      detailed per-secret tracking
+                    type: string
+                  lastUpdateTime:
+                    description: LastUpdateTime is when this status was last updated
+                    format: date-time
+                    type: string
+                  totalNodes:
+                    description: TotalNodes is the total number of nodes in the nodeset
+                    type: integer
+                  updatedNodes:
+                    description: UpdatedNodes is count of nodes with all current secret
+                      versions
+                    type: integer
+                type: object
               secretHashes:
                 additionalProperties:
                   type: string

bindata/crds/crds.yaml

@@ -1987,6 +1987,33 @@ spec:
                   generation, then the controller has not processed the latest changes.
                 format: int64
                 type: integer
+              secretDeployment:
+                description: |-
+                  SecretDeployment tracks secret deployment progress across nodeset nodes
+                  Details are stored in a ConfigMap to avoid bloating the CR status
+                properties:
+                  allNodesUpdated:
+                    description: AllNodesUpdated indicates all nodes have been deployed
+                      with current secret versions
+                    type: boolean
+                  deployedSecretHash:
+                    description: |-
+                      DeployedSecretHash is a composite hash of all tracked secrets at the time of
+                      the last successful deployment. Drift is detected when this differs from the
+                      current cluster secret state.
+                    type: string
+                  lastUpdateTime:
+                    description: LastUpdateTime is when this status was last updated
+                    format: date-time
+                    type: string
+                  totalNodes:
+                    description: TotalNodes is the total number of nodes in the nodeset
+                    type: integer
+                  updatedNodes:
+                    description: UpdatedNodes is count of nodes deployed with current
+                      secret versions
+                    type: integer
+                type: object
               secretHashes:
                 additionalProperties:
                   type: string