[b/r] Document credential rotation gap and EDPM deployment requirement

After restore, credentials (ApplicationCredentials, RabbitMQ) may have
been rotated between the backup and restore point. EDPM nodes still
have the credentials from their last deployment run, which may not
match the restored control plane state.

Document that an EDPM deployment is required after restore to resync
all credentials on dataplane nodes.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: stuggi

docs/dev/backup-restore/restore/06-manual-database-restore.md

@@ -175,11 +175,33 @@ oc get pods -n openstack
 oc get openstackcontrolplane -n openstack
 ```
 
+## Important: Credential Rotation and EDPM Nodes
+
+If credentials or certificates were rotated between the backup and the restore, EDPM nodes
+may still have newer credentials/certs that don't match the restored control plane state.
+This applies to:
+
+- **ApplicationCredentials**: The restored Keystone DB contains old ACs. The openstack-operator
+  will create new AC CRs on reconciliation, which generates new AC secrets. EDPM nodes still
+  have the credentials from the last deployment run, which may not match.
+  Additionally, if the backup is old, restored ACs may already be expired in the DB,
+  requiring immediate rotation.
+- **RabbitMQ**: The restored credentials (via `*-restored-user` secrets) match the backup,
+  but EDPM nodes may have been updated with newer credentials since.
+- **TLS/CA certificates**: If CAs were rotated between backup and restore, the restored
+  control plane uses the old CA. EDPM nodes may have certificates signed by a newer CA,
+  causing TLS trust failures in both directions.
+
+**An EDPM deployment is required after restore** to resync all credentials and certificates
+on the dataplane nodes with the restored control plane state.
+
 ## Next Steps
 
 After database restore, RabbitMQ credential restore, and annotation removal, proceed to:
 1. **Order 60**: Restore DataPlane resources (if applicable)
-2. **Re-enable InstanceHa**: After verifying the restored cloud is fully operational,
+2. **Run an EDPM deployment**: Required to resync credentials on dataplane nodes with
+   the restored control plane, especially if credentials were rotated between backup and restore.
+3. **Re-enable InstanceHa**: After verifying the restored cloud is fully operational,
    re-enable InstanceHa (it was restored with `spec.disabled: True` to prevent fencing):
    ```bash
    oc patch instanceha <name> -n openstack --type merge -p '{"spec":{"disabled":"False"}}'

docs/dev/backup-restore/restore/README.md

@@ -18,6 +18,7 @@ Restores must be executed in sequence. Wait for each restore to complete before
 | `06b-restore-rabbitmq-secrets.yaml` | - | Secrets (to temp ns) | Restore secrets to `openstack-restore-tmp`, copy `*-default-user` as `*-restored-user`, create RabbitMQUser CRs |
 | *(Step 9 in playbook)* | - | **Manual** | Remove deployment-stage annotation, wait for control plane ready |
 | `07-restore-order-60-dataplane.yaml` | 60 | OpenStackDataPlaneNodeSet | DataPlane resources (optional) |
+| *(Post-restore)* | - | **Manual** | Run EDPM deployment to resync credentials (required if credentials were rotated between backup and restore) |
 | *(Final step)* | - | **Manual** | Re-enable InstanceHa (`spec.disabled: False`) after verifying the restored cloud is operational |
 
 ## Prerequisites

docs/dev/backup-restore/restore/restore-openstack.yaml

@@ -683,9 +683,12 @@
           - "ControlPlane: {{ ctlplane_name.stdout }}"
           - "Restore suffix: {{ restore_suffix }}"
           - ""
-          - "IMPORTANT: InstanceHa was restored with spec.disabled=True."
-          - "After verifying the restored cloud is fully operational,"
-          - "re-enable InstanceHa manually:"
+          - "IMPORTANT: Post-restore steps required:"
+          - ""
+          - "1. Run an EDPM deployment to resync credentials on dataplane nodes"
+          - "   (required if credentials were rotated between backup and restore)"
+          - ""
+          - "2. Re-enable InstanceHa (restored with spec.disabled=True):"
           - "  oc patch instanceha <name> -n {{ openstack_namespace }} --type merge -p '{\"spec\":{\"disabled\":\"False\"}}'"
           - ""
           - "To verify:"