Set EDPM service annotation on nova and ceilometer ACs

Deydra71 · Deydra71 · commit aa52627ffa18 · 2026-05-20T12:05:18.000+02:00
Set the `keystone.openstack.org/edpm-service` annotation on nova and
ceilometer ApplicationCredential CRs so the keystone-operator AC
controller can gate secret rotation and deletion on EDPM NodeSet
hash sync. Other services are not EDPM services and can proceed
without the NodeSet check.

Signed-off-by: Veronika Fisarova &lt;vfisarov@redhat.com&gt;
Assisted-by: Claude Opus 4.6 noreply@anthropic.com
diff --git a/api/go.mod b/api/go.mod
@@ -15,7 +15,7 @@ require (
 	github.com/openstack-k8s-operators/horizon-operator/api v0.6.1-0.20260519055836-98aca178b9cd
 	github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260518151731-513cdc50e41c
 	github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260519055835-3fc462342d6c
-	github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260518173352-69a47a6187d5
+	github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260520090027-4d7b7a01c0bf
 	github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20260518125357-72bdd580c587
 	github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20260518125357-72bdd580c587
 	github.com/openstack-k8s-operators/manila-operator/api v0.6.1-0.20260519055834-18a3bfb29f4a
diff --git a/api/go.sum b/api/go.sum
@@ -130,8 +130,8 @@ github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260518151731-5
 github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260518151731-513cdc50e41c/go.mod h1:RFFB4Zs9IJv1jXs/yMjo+VswSW+rsrFZsoP0QrB1EbI=
 github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260519055835-3fc462342d6c h1:441tIuWdcTeeNDWjILS4XScC3hd65tWRb7YyUBe8F24=
 github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260519055835-3fc462342d6c/go.mod h1:R3MsU1uiqYkLXw7yRJ9VZYvpPDiQAJK08EfyZLZZeZk=
-github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260518173352-69a47a6187d5 h1:eKSWFldHZyv3Q6Q8xO6IfvlKUxcQ1GstOPCa8HnlWEc=
-github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260518173352-69a47a6187d5/go.mod h1:voVyXEWocD4O+I+bIXLZovkzL51RE17deynYYgKbs0w=
+github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260520090027-4d7b7a01c0bf h1:FoKK0zNo48i4ZMFxScupCK/YAmy6Ps4IILz3CK4BCTI=
+github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260520090027-4d7b7a01c0bf/go.mod h1:VNX1Mda2u5+yGxycIyVrgABucitMDR9ct3Lj6ROS92I=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20260518125357-72bdd580c587 h1:p03uEXoSreyu7LpFmb9YyYM8tEx2D2+7qqhLXNWHTq0=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20260518125357-72bdd580c587/go.mod h1:JC04T5G4E/he5ukonV1oCqa0QzFkLv761VbLruVghJM=
 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20260506154724-30a976ba8ef0 h1:kMie+G0aHlGwDHjimjj8AUxTl2R7LGfai/8pev2T+TY=
diff --git a/bindata/crds/keystone.openstack.org_keystoneapplicationcredentials.yaml b/bindata/crds/keystone.openstack.org_keystoneapplicationcredentials.yaml
@@ -209,6 +209,10 @@ spec:
                   for this ApplicationCredential.
                 format: int64
                 type: integer
+              previousSecretName:
+                description: PreviousSecretName - name of the previous AC secret.
+                  Only current and previous are protected by finalizer.
+                type: string
               rotationEligibleAt:
                 description: |-
                   RotationEligibleAt indicates when rotation becomes eligible (start of grace period window).
diff --git a/bindata/rbac/keystone-operator-rbac.yaml b/bindata/rbac/keystone-operator-rbac.yaml
@@ -135,6 +135,14 @@ rules:
     - patch
     - update
     - watch
+- apiGroups:
+    - dataplane.openstack.org
+  resources:
+    - openstackdataplanenodesets
+  verbs:
+    - get
+    - list
+    - watch
 - apiGroups:
     - k8s.cni.cncf.io
   resources:
diff --git a/config/operator/manager_operator_images.yaml b/config/operator/manager_operator_images.yaml
@@ -30,7 +30,7 @@ spec:
         - name: RELATED_IMAGE_IRONIC_OPERATOR_MANAGER_IMAGE_URL
           value: quay.io/openstack-k8s-operators/ironic-operator@sha256:2c3cb7bbab9f294b00f302ad7f951fe888d80e4acc78aef7ef23a4869711d2bf
         - name: RELATED_IMAGE_KEYSTONE_OPERATOR_MANAGER_IMAGE_URL
-          value: quay.io/openstack-k8s-operators/keystone-operator@sha256:d92d73580846a154e5c5746370e4223e5473f231a816b0b3a4060f149cac4586
+          value: quay.io/openstack-k8s-operators/keystone-operator@sha256:c9270b37a19ec4637f8f69bd0973724f71e1376cfc002d0265137b8a57f505a6
         - name: RELATED_IMAGE_MANILA_OPERATOR_MANAGER_IMAGE_URL
           value: quay.io/openstack-k8s-operators/manila-operator@sha256:f0aed94235d37b13ae9e6163655dbbb9df7a309e495ebba7f4cd1747d5e72391
         - name: RELATED_IMAGE_MARIADB_OPERATOR_MANAGER_IMAGE_URL
diff --git a/go.mod b/go.mod
@@ -20,7 +20,7 @@ require (
 	github.com/openstack-k8s-operators/horizon-operator/api v0.6.1-0.20260519055836-98aca178b9cd
 	github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260518151731-513cdc50e41c
 	github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260519055835-3fc462342d6c
-	github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260518173352-69a47a6187d5
+	github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260520090027-4d7b7a01c0bf
 	github.com/openstack-k8s-operators/lib-common/modules/ansible v0.6.1-0.20260518125357-72bdd580c587
 	github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.6.1-0.20260518125357-72bdd580c587
 	github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20260518125357-72bdd580c587
diff --git a/go.sum b/go.sum
@@ -154,8 +154,8 @@ github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260518151731-5
 github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260518151731-513cdc50e41c/go.mod h1:RFFB4Zs9IJv1jXs/yMjo+VswSW+rsrFZsoP0QrB1EbI=
 github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260519055835-3fc462342d6c h1:441tIuWdcTeeNDWjILS4XScC3hd65tWRb7YyUBe8F24=
 github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260519055835-3fc462342d6c/go.mod h1:R3MsU1uiqYkLXw7yRJ9VZYvpPDiQAJK08EfyZLZZeZk=
-github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260518173352-69a47a6187d5 h1:eKSWFldHZyv3Q6Q8xO6IfvlKUxcQ1GstOPCa8HnlWEc=
-github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260518173352-69a47a6187d5/go.mod h1:voVyXEWocD4O+I+bIXLZovkzL51RE17deynYYgKbs0w=
+github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260520090027-4d7b7a01c0bf h1:FoKK0zNo48i4ZMFxScupCK/YAmy6Ps4IILz3CK4BCTI=
+github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260520090027-4d7b7a01c0bf/go.mod h1:VNX1Mda2u5+yGxycIyVrgABucitMDR9ct3Lj6ROS92I=
 github.com/openstack-k8s-operators/lib-common/modules/ansible v0.6.1-0.20260518125357-72bdd580c587 h1:VvXvQw3t7slykvGeb+/CzmnTilSpQV2ji6gjJhHD/XU=
 github.com/openstack-k8s-operators/lib-common/modules/ansible v0.6.1-0.20260518125357-72bdd580c587/go.mod h1:tXxVkkk8HlATwTmDA5RTP3b+c8apfuMM15mZ2wW5iNs=
 github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.6.1-0.20260518125357-72bdd580c587 h1:vCttV5sUx7vQLsQGBEjfXvp/xJo29UyW2srkyAcoTbc=
diff --git a/hack/export_operator_related_images.sh b/hack/export_operator_related_images.sh
@@ -8,7 +8,7 @@ export RELATED_IMAGE_HEAT_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-opera
 export RELATED_IMAGE_HORIZON_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/horizon-operator@sha256:7800616b815863423484fe0537ef77fbb7cd3f635c864c098ec95dd004d4224b
 export RELATED_IMAGE_INFRA_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/infra-operator@sha256:938b73f665d9d432a4a7e67d347f1504f06b8e143c740246a9c7c6d5630a7ff4
 export RELATED_IMAGE_IRONIC_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/ironic-operator@sha256:2c3cb7bbab9f294b00f302ad7f951fe888d80e4acc78aef7ef23a4869711d2bf
-export RELATED_IMAGE_KEYSTONE_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/keystone-operator@sha256:d92d73580846a154e5c5746370e4223e5473f231a816b0b3a4060f149cac4586
+export RELATED_IMAGE_KEYSTONE_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/keystone-operator@sha256:c9270b37a19ec4637f8f69bd0973724f71e1376cfc002d0265137b8a57f505a6
 export RELATED_IMAGE_MANILA_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/manila-operator@sha256:f0aed94235d37b13ae9e6163655dbbb9df7a309e495ebba7f4cd1747d5e72391
 export RELATED_IMAGE_MARIADB_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/mariadb-operator@sha256:db4edc84736a517e632c7201fc7015fea401d997ffcfa9d60ca11c46df74224e
 export RELATED_IMAGE_NEUTRON_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/neutron-operator@sha256:ad4a7d9fb687b6d89ecda9b03067f9baa002c7c7f8ac89daebf9732351c86b9e
diff --git a/internal/openstack/applicationcredential.go b/internal/openstack/applicationcredential.go
@@ -68,14 +68,15 @@ func CleanupApplicationCredentialForService(
 	instance *corev1beta1.OpenStackControlPlane,
 	serviceName string,
 ) error {
+	Log := GetLogger(ctx)
 	acName := keystonev1.GetACCRName(serviceName)
+
 	acCR := &keystonev1.KeystoneApplicationCredential{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      acName,
 			Namespace: instance.Namespace,
 		},
 	}
-	Log := GetLogger(ctx)
 	err := helper.GetClient().Delete(ctx, acCR)
 	if k8s_errors.IsNotFound(err) {
 		return nil
@@ -106,6 +107,7 @@ func EnsureApplicationCredentialForService(
 	passwordSelector string,
 	serviceUser string,
 	acConfig *corev1beta1.ServiceAppCredSection,
+	edpmService bool,
 ) (acSecretName string, result ctrl.Result, err error) {
 	Log := GetLogger(ctx)
 
@@ -154,7 +156,7 @@ func EnsureApplicationCredentialForService(
 	// Check if AC CR exists and is ready
 	if acExists {
 		// We want to run reconcileApplicationCredential to update the AC CR if it exists and is ready and AC config fields changed
-		err = reconcileApplicationCredential(ctx, helper, instance, acName, serviceUser, secretName, passwordSelector, merged)
+		err = reconcileApplicationCredential(ctx, helper, instance, acName, serviceUser, secretName, passwordSelector, merged, edpmService)
 		if err != nil {
 			return "", ctrl.Result{}, err
 		}
@@ -177,7 +179,7 @@ func EnsureApplicationCredentialForService(
 	// Service is ready, create Application Credential CR
 	Log.Info("Service is ready, creating Application Credential", "service", serviceName, "acName", acName)
 
-	err = reconcileApplicationCredential(ctx, helper, instance, acName, serviceUser, secretName, passwordSelector, merged)
+	err = reconcileApplicationCredential(ctx, helper, instance, acName, serviceUser, secretName, passwordSelector, merged, edpmService)
 	if err != nil {
 		return "", ctrl.Result{}, err
 	}
@@ -196,6 +198,7 @@ func reconcileApplicationCredential(
 	secretName string,
 	passwordSelector string,
 	effective corev1beta1.ApplicationCredentialSection,
+	edpmService bool,
 ) error {
 	log := GetLogger(ctx)
 
@@ -215,6 +218,17 @@ func reconcileApplicationCredential(
 		acObj.Spec.Roles = effective.Roles
 		acObj.Spec.Unrestricted = *effective.Unrestricted
 
+		annotations := acObj.GetAnnotations()
+		if annotations == nil {
+			annotations = map[string]string{}
+		}
+		if edpmService {
+			annotations[keystonev1.EDPMServiceAnnotation] = "true"
+		} else {
+			annotations[keystonev1.EDPMServiceAnnotation] = "false"
+		}
+		acObj.SetAnnotations(annotations)
+
 		if len(effective.AccessRules) > 0 {
 			kr := make([]keystonev1.ACRule, 0, len(effective.AccessRules))
 			for _, r := range effective.AccessRules {
diff --git a/internal/openstack/barbican.go b/internal/openstack/barbican.go
@@ -91,6 +91,7 @@ func ReconcileBarbican(ctx context.Context, instance *corev1beta1.OpenStackContr
 			instance.Spec.Barbican.Template.PasswordSelectors.Service,
 			instance.Spec.Barbican.Template.ServiceUser,
 			instance.Spec.Barbican.ApplicationCredential,
+			false,
 		)
 		if err != nil {
 			return ctrl.Result{}, err
diff --git a/internal/openstack/cinder.go b/internal/openstack/cinder.go
@@ -115,6 +115,7 @@ func ReconcileCinder(ctx context.Context, instance *corev1beta1.OpenStackControl
 			instance.Spec.Cinder.Template.PasswordSelectors.Service,
 			instance.Spec.Cinder.Template.ServiceUser,
 			instance.Spec.Cinder.ApplicationCredential,
+			false,
 		)
 		if err != nil {
 			return ctrl.Result{}, err
diff --git a/internal/openstack/designate.go b/internal/openstack/designate.go
@@ -103,6 +103,7 @@ func ReconcileDesignate(ctx context.Context, instance *corev1beta1.OpenStackCont
 			instance.Spec.Designate.Template.PasswordSelectors.Service,
 			instance.Spec.Designate.Template.ServiceUser,
 			instance.Spec.Designate.ApplicationCredential,
+			false,
 		)
 		if err != nil {
 			return ctrl.Result{}, err
diff --git a/internal/openstack/glance.go b/internal/openstack/glance.go
@@ -145,6 +145,7 @@ func ReconcileGlance(ctx context.Context, instance *corev1beta1.OpenStackControl
 			instance.Spec.Glance.Template.PasswordSelectors.Service,
 			instance.Spec.Glance.Template.ServiceUser,
 			instance.Spec.Glance.ApplicationCredential,
+			false,
 		)
 		if err != nil {
 			return ctrl.Result{}, err
diff --git a/internal/openstack/heat.go b/internal/openstack/heat.go
@@ -134,6 +134,7 @@ func ReconcileHeat(ctx context.Context, instance *corev1beta1.OpenStackControlPl
 			instance.Spec.Heat.Template.PasswordSelectors.Service,
 			instance.Spec.Heat.Template.ServiceUser,
 			instance.Spec.Heat.ApplicationCredential,
+			false,
 		)
 		if err != nil {
 			return ctrl.Result{}, err
diff --git a/internal/openstack/ironic.go b/internal/openstack/ironic.go
@@ -147,6 +147,7 @@ func ReconcileIronic(ctx context.Context, instance *corev1beta1.OpenStackControl
 			instance.Spec.Ironic.Template.PasswordSelectors.Service,
 			instance.Spec.Ironic.Template.ServiceUser,
 			instance.Spec.Ironic.ApplicationCredential,
+			false,
 		)
 		if err != nil {
 			return ctrl.Result{}, err
@@ -173,6 +174,7 @@ func ReconcileIronic(ctx context.Context, instance *corev1beta1.OpenStackControl
 			instance.Spec.Ironic.Template.IronicInspector.PasswordSelectors.Service,
 			instance.Spec.Ironic.Template.IronicInspector.ServiceUser,
 			instance.Spec.Ironic.ApplicationCredential,
+			false,
 		)
 		if err != nil {
 			return ctrl.Result{}, err
diff --git a/internal/openstack/manila.go b/internal/openstack/manila.go
@@ -93,6 +93,7 @@ func ReconcileManila(ctx context.Context, instance *corev1beta1.OpenStackControl
 			instance.Spec.Manila.Template.PasswordSelectors.Service,
 			instance.Spec.Manila.Template.ServiceUser,
 			instance.Spec.Manila.ApplicationCredential,
+			false,
 		)
 		if err != nil {
 			return ctrl.Result{}, err
diff --git a/internal/openstack/neutron.go b/internal/openstack/neutron.go
@@ -137,6 +137,7 @@ func ReconcileNeutron(ctx context.Context, instance *corev1beta1.OpenStackContro
 			instance.Spec.Neutron.Template.PasswordSelectors.Service,
 			instance.Spec.Neutron.Template.ServiceUser,
 			instance.Spec.Neutron.ApplicationCredential,
+			false,
 		)
 		if err != nil {
 			return ctrl.Result{}, err
diff --git a/internal/openstack/nova.go b/internal/openstack/nova.go
@@ -209,6 +209,7 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl
 			instance.Spec.Nova.Template.PasswordSelectors.Service,
 			instance.Spec.Nova.Template.ServiceUser,
 			instance.Spec.Nova.ApplicationCredential,
+			true,
 		)
 		if err != nil {
 			return ctrl.Result{}, err
diff --git a/internal/openstack/octavia.go b/internal/openstack/octavia.go
@@ -185,6 +185,7 @@ func ReconcileOctavia(ctx context.Context, instance *corev1beta1.OpenStackContro
 			instance.Spec.Octavia.Template.PasswordSelectors.Service,
 			instance.Spec.Octavia.Template.ServiceUser,
 			instance.Spec.Octavia.ApplicationCredential,
+			false,
 		)
 		if err != nil {
 			return ctrl.Result{}, err
diff --git a/internal/openstack/placement.go b/internal/openstack/placement.go
@@ -97,6 +97,7 @@ func ReconcilePlacementAPI(ctx context.Context, instance *corev1beta1.OpenStackC
 			instance.Spec.Placement.Template.PasswordSelectors.Service,
 			instance.Spec.Placement.Template.ServiceUser,
 			instance.Spec.Placement.ApplicationCredential,
+			false,
 		)
 		if err != nil {
 			return ctrl.Result{}, err
diff --git a/internal/openstack/swift.go b/internal/openstack/swift.go
@@ -127,6 +127,7 @@ func ReconcileSwift(ctx context.Context, instance *corev1beta1.OpenStackControlP
 			instance.Spec.Swift.Template.SwiftProxy.PasswordSelectors.Service,
 			instance.Spec.Swift.Template.SwiftProxy.ServiceUser,
 			instance.Spec.Swift.ApplicationCredential,
+			false,
 		)
 		if err != nil {
 			return ctrl.Result{}, err
diff --git a/internal/openstack/telemetry.go b/internal/openstack/telemetry.go
@@ -153,6 +153,7 @@ func ReconcileTelemetry(ctx context.Context, instance *corev1beta1.OpenStackCont
 				instance.Spec.Telemetry.Template.Autoscaling.Aodh.PasswordSelectors.AodhService,
 				instance.Spec.Telemetry.Template.Autoscaling.Aodh.ServiceUser,
 				instance.Spec.Telemetry.ApplicationCredentialAodh,
+				false,
 			)
 			if err != nil {
 				return ctrl.Result{}, err
@@ -198,6 +199,7 @@ func ReconcileTelemetry(ctx context.Context, instance *corev1beta1.OpenStackCont
 				instance.Spec.Telemetry.Template.Ceilometer.PasswordSelectors.CeilometerService,
 				instance.Spec.Telemetry.Template.Ceilometer.ServiceUser,
 				instance.Spec.Telemetry.ApplicationCredentialCeilometer,
+				true,
 			)
 			if err != nil {
 				return ctrl.Result{}, err
@@ -242,6 +244,7 @@ func ReconcileTelemetry(ctx context.Context, instance *corev1beta1.OpenStackCont
 				instance.Spec.Telemetry.Template.CloudKitty.PasswordSelectors.CloudKittyService,
 				instance.Spec.Telemetry.Template.CloudKitty.ServiceUser,
 				instance.Spec.Telemetry.ApplicationCredentialCloudKitty,
+				false,
 			)
 			if err != nil {
 				return ctrl.Result{}, err
diff --git a/internal/openstack/watcher.go b/internal/openstack/watcher.go
@@ -106,6 +106,7 @@ func ReconcileWatcher(ctx context.Context, instance *corev1beta1.OpenStackContro
 			getWatcherPasswordSelector(),
 			getWatcherServiceUser(),
 			instance.Spec.Watcher.ApplicationCredential,
+			false,
 		)
 		if err != nil {
 			return ctrl.Result{}, err
diff --git a/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/02-assert-appcred-crs.yaml b/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/02-assert-appcred-crs.yaml
@@ -44,6 +44,16 @@ commands:
         echo "✓ ac-$name.roles = [${expected_roles[*]}]"
       }
 
+      check_edpm_annotation() {
+        local name=$1 expected=$2
+        local actual=$(oc get appcred ac-$name -n "$NS" -o jsonpath="{.metadata.annotations.keystone\.openstack\.org/edpm-service}" 2>/dev/null || echo "")
+        if [ "$actual" != "$expected" ]; then
+          echo "ERROR: ac-$name edpm-service annotation: expected '$expected', got '$actual'"
+          exit 1
+        fi
+        echo "✓ ac-$name edpm-service = $expected"
+      }
+
       echo "========================================="
       echo "Testing Application Credential CRs"
       echo "========================================="
@@ -66,6 +76,7 @@ commands:
       check_field barbican gracePeriodDays 364
       check_roles barbican "admin" "service"
       check_field barbican unrestricted "false"
+      check_edpm_annotation barbican "false"
       echo
 
       # ---- ac-cinder ----
@@ -76,6 +87,7 @@ commands:
       check_field cinder gracePeriodDays 5
       check_roles cinder "admin" "service"
       check_field cinder unrestricted "true"
+      check_edpm_annotation cinder "false"
       echo
 
       # ---- ac-glance ----
@@ -86,6 +98,7 @@ commands:
       check_field glance gracePeriodDays 60
       check_roles glance "admin" "service"
       check_field glance unrestricted "false"
+      check_edpm_annotation glance "false"
       echo
 
       # ---- ac-swift ----
@@ -96,6 +109,7 @@ commands:
       check_field swift gracePeriodDays 364
       check_roles swift "service"
       check_field swift unrestricted "false"
+      check_edpm_annotation swift "false"
       echo
 
       # ---- ac-neutron ----
@@ -106,6 +120,7 @@ commands:
       check_field neutron gracePeriodDays 364
       check_roles neutron "admin" "service"
       check_field neutron unrestricted "false"
+      check_edpm_annotation neutron "false"
       echo
 
       # ---- ac-placement ----
@@ -116,26 +131,29 @@ commands:
       check_field placement gracePeriodDays 30
       check_roles placement "admin" "service"
       check_field placement unrestricted "false"
+      check_edpm_annotation placement "false"
       echo
 
       # ---- ac-nova ----
-      # Multiple roles
-      echo "=== Testing ac-nova (multiple roles) ==="
+      # Multiple roles, EDPM service
+      echo "=== Testing ac-nova (multiple roles, EDPM service) ==="
       wait_ready nova
       check_field nova expirationDays 730
       check_field nova gracePeriodDays 364
       check_roles nova "admin" "service" "member"
       check_field nova unrestricted "false"
+      check_edpm_annotation nova "true"
       echo
 
       # ---- ac-ceilometer ----
-      # Telemetry/Ceilometer component (enabled by default in base sample)
-      echo "=== Testing ac-ceilometer (telemetry/ceilometer) ==="
+      # Telemetry/Ceilometer component, EDPM service
+      echo "=== Testing ac-ceilometer (telemetry/ceilometer, EDPM service) ==="
       wait_ready ceilometer
       check_field ceilometer expirationDays 45
       check_field ceilometer gracePeriodDays 20
       check_roles ceilometer "service"
       check_field ceilometer unrestricted "false"
+      check_edpm_annotation ceilometer "true"
       echo
 
       echo "All ApplicationCredential CRs validated successfully"

Original file line number	Diff line number	Diff line change
`@@ -91,6 +91,7 @@ func ReconcileBarbican(ctx context.Context, instance *corev1beta1.OpenStackContr`
`91`	`91`	`instance.Spec.Barbican.Template.PasswordSelectors.Service,`
`92`	`92`	`instance.Spec.Barbican.Template.ServiceUser,`
`93`	`93`	`instance.Spec.Barbican.ApplicationCredential,`
	`94`	`+ false,`
`94`	`95`	`)`
`95`	`96`	`if err != nil {`
`96`	`97`	`return ctrl.Result{}, err`