
Commit aed2c1f

stuggi and claude committed
Improve EDPM-aware AC revocation: dynamic discovery, Watch, simplified API
Three improvements to the EDPM application credential revocation mechanism:

1. Replace hardcoded edpmServices map with dynamic discovery
   - Remove the static map and isEDPMService() function
   - Add edpmServiceType parameter to EnsureApplicationCredentialForService and CleanupApplicationCredentialForService — callers pass the EDPM service type ("nova", "telemetry") or "" for ctlplane-only services
   - getEDPMConfigSecretNames now lists OpenStackDataPlaneService CRs and filters by EDPMServiceType, discovering custom services automatically
   - New EDPMServiceTypeAnnotation on AC CR enables ReconcilePendingEDPMSyncs to discover service types without the hardcoded map

2. Revert CleanupApplicationCredentialForService to error-only return
   - Signature reverted from (ctrl.Result, error) to error — all 12 non-EDPM service files return to the simpler calling pattern
   - When EDPM sync is pending, cleanup defers deletion (returns nil) instead of returning RequeueAfter
   - EDPM sync progression centralized in ReconcilePendingEDPMSyncs (replaces HasPendingEDPMSync) which runs at end of reconcileNormal
   - reconcileEDPMSync moved out of EnsureApplicationCredentialForService into the centralized function

3. Replace 5-minute polling with NodeSet Watch
   - Add Watch on OpenStackDataPlaneNodeSet with ResourceVersionChangedPredicate in SetupWithManager
   - Controller reacts promptly when SecretHashes change after deployment
   - Fallback interval increased to 30 minutes (safety net only)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Martin Schuppert <mschuppert@redhat.com>
1 parent d34351f commit aed2c1f

17 files changed

Lines changed: 357 additions & 262 deletions

internal/controller/core/openstackcontrolplane_controller.go

Lines changed: 10 additions & 1 deletion
@@ -50,6 +50,7 @@ import (
5050
octaviav1 "github.com/openstack-k8s-operators/octavia-operator/api/v1beta1"
5151
clientv1 "github.com/openstack-k8s-operators/openstack-operator/api/client/v1beta1"
5252
corev1beta1 "github.com/openstack-k8s-operators/openstack-operator/api/core/v1beta1"
53+
dataplanev1 "github.com/openstack-k8s-operators/openstack-operator/api/dataplane/v1beta1"
5354

5455
"github.com/openstack-k8s-operators/openstack-operator/internal/openstack"
5556

@@ -742,7 +743,7 @@ func (r *OpenStackControlPlaneReconciler) reconcileNormal(ctx context.Context, i
742743

743744
instance.Status.Conditions.Remove(corev1beta1.OpenStackControlPlaneCertCleanupReadyCondition)
744745

745-
ctrlResult, err = openstack.HasPendingEDPMSync(ctx, helper, instance.Namespace)
746+
ctrlResult, err = openstack.ReconcilePendingEDPMSyncs(ctx, helper, instance.Namespace)
746747
if err != nil {
747748
return ctrl.Result{}, err
748749
} else if (ctrlResult != ctrl.Result{}) {
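Review bot: At the `ReconcilePendingEDPMSyncs` call, the error path returns `ctrl.Result{}, err` with no added context and, in the lines shown, without recording anything on `instance`. The commit message says cleanup now defers deletion and returns nil while an EDPM sync is pending, so this call is where a stalled sync, and with it an old application credential that is still valid, has to become visible. Consider wrapping the error (for example `fmt.Errorf("reconciling pending EDPM AC syncs: %w", err)`) and setting a status condition when the returned result is non-empty, so an operator can see that revocation is waiting on the dataplane. The rename from `Has...` to `Reconcile...` also means this call now changes state rather than only reporting it; a one-line comment above it saying so would help the next reader.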
@@ -902,6 +903,14 @@ func (r *OpenStackControlPlaneReconciler) SetupWithManager(
902903
handler.EnqueueRequestsFromMapFunc(r.findControlPlaneForSrc),
903904
builder.WithPredicates(backup.AnnotationChangedPredicate(openstack.ServiceCertSelector)),
904905
).
906+
// Watch NodeSet status changes so EDPM AC sync reacts promptly
907+
// when a dataplane deployment completes (SecretHashes update),
908+
// instead of relying on the fallback polling interval.
909+
Watches(
910+
&dataplanev1.OpenStackDataPlaneNodeSet{},
911+
handler.EnqueueRequestsFromMapFunc(r.findControlPlaneForSrc),
912+
builder.WithPredicates(predicate.ResourceVersionChangedPredicate{}),
913+
).
905914
Complete(r)
906915
}
907916

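Review bot: `predicate.ResourceVersionChangedPredicate{}` in the new `Watches(...)` block passes every NodeSet update, not only the `SecretHashes` change the comment describes, and create and delete events go through as well, so every write to a NodeSet during a deployment enqueues a control plane reconcile. Consider a `predicate.Funcs` whose `UpdateFunc` compares the old and new `SecretHashes` and returns true only when they differ, which matches the stated intent and keeps the reconcile rate down. Please also confirm that `r.findControlPlaneForSrc`, reused here from the other watches, maps a NodeSet to its control plane, and that the controller's RBAC allows list and watch on `OpenStackDataPlaneNodeSet`; neither is visible in this hunk.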