Commit cfc8f4a

stuggi and claude committed
Improve EDPM-aware AC revocation: dynamic discovery, Watch, simplified API
Three improvements to the EDPM application credential revocation mechanism:

1. Replace hardcoded edpmServices map with dynamic DataPlaneService discovery
   - getEDPMConfigSecretNames now lists OpenStackDataPlaneService CRs and filters by EDPMServiceType, discovering custom services (e.g., HCI nova variants) automatically
   - A small edpmACServiceTypes map bridges AC service names to EDPM service types for ReconcilePendingEDPMSyncs (AC CR names are deterministic via GetACCRName, but the EDPM service type can differ — e.g., "ceilometer" maps to "telemetry")
   - Add edpmServiceType parameter to EnsureApplicationCredentialForService and CleanupApplicationCredentialForService

2. Revert CleanupApplicationCredentialForService to error-only return
   - Signature reverted from (ctrl.Result, error) to error — all 12 non-EDPM service files return to the simpler calling pattern
   - When EDPM sync is pending, cleanup defers deletion (returns nil)
   - EDPM sync progression centralized in ReconcilePendingEDPMSyncs (replaces HasPendingEDPMSync) at end of reconcileNormal

3. Replace 5-minute polling with NodeSet Watch
   - Add Watch on OpenStackDataPlaneNodeSet with ResourceVersionChangedPredicate in SetupWithManager
   - Controller reacts when SecretHashes change after deployment
   - Fallback interval increased to 30 minutes (safety net only)

Adding a new EDPM service with AC support requires:

1. Add entry to edpmACServiceTypes map in applicationcredential.go:
   "newservice": "newservice-edpm-type",
2. Pass the EDPM service type in the service reconciler:
   EnsureApplicationCredentialForService(..., "newservice-edpm-type")
   CleanupApplicationCredentialForService(..., "newservice-edpm-type")

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent d34351f commit cfc8f4a

17 files changed

Lines changed: 372 additions & 256 deletions

internal/controller/core/openstackcontrolplane_controller.go

Lines changed: 10 additions & 1 deletion
@@ -50,6 +50,7 @@ import (
5050
octaviav1 "github.com/openstack-k8s-operators/octavia-operator/api/v1beta1"
5151
clientv1 "github.com/openstack-k8s-operators/openstack-operator/api/client/v1beta1"
5252
corev1beta1 "github.com/openstack-k8s-operators/openstack-operator/api/core/v1beta1"
53+
dataplanev1 "github.com/openstack-k8s-operators/openstack-operator/api/dataplane/v1beta1"
5354

5455
"github.com/openstack-k8s-operators/openstack-operator/internal/openstack"
5556

@@ -742,7 +743,7 @@ func (r *OpenStackControlPlaneReconciler) reconcileNormal(ctx context.Context, i
742743

743744
instance.Status.Conditions.Remove(corev1beta1.OpenStackControlPlaneCertCleanupReadyCondition)
744745

745-
ctrlResult, err = openstack.HasPendingEDPMSync(ctx, helper, instance.Namespace)
746+
ctrlResult, err = openstack.ReconcilePendingEDPMSyncs(ctx, helper, instance.Namespace)
746747
if err != nil {
747748
return ctrl.Result{}, err
748749
} else if (ctrlResult != ctrl.Result{}) {
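Review bot: The error branch directly under the new `ReconcilePendingEDPMSyncs` call still does a bare `return ctrl.Result{}, err`, which fit a call named like a query (`HasPendingEDPMSync`) but is thin for a call that, per the commit message, now drives the sync progression itself. A failure here means a rotated application credential is still waiting to be deleted, so wrap the error with context naming the EDPM sync step and surface it on a status condition, so a stalled revocation is visible on the control plane instead of only in the operator log. Because the call sits at the end of reconcileNormal, also confirm that an early return from a service reconciler above it cannot starve the progression until the 30-minute fallback.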
@@ -902,6 +903,14 @@ func (r *OpenStackControlPlaneReconciler) SetupWithManager(
902903
handler.EnqueueRequestsFromMapFunc(r.findControlPlaneForSrc),
903904
builder.WithPredicates(backup.AnnotationChangedPredicate(openstack.ServiceCertSelector)),
904905
).
906+
// Watch NodeSet status changes so EDPM AC sync reacts promptly
907+
// when a dataplane deployment completes (SecretHashes update),
908+
// instead of relying on the fallback polling interval.
909+
Watches(
910+
&dataplanev1.OpenStackDataPlaneNodeSet{},
911+
handler.EnqueueRequestsFromMapFunc(r.findControlPlaneForSrc),
912+
builder.WithPredicates(predicate.ResourceVersionChangedPredicate{}),
913+
).
905914
Complete(r)
906915
}
907916

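Review bot: `builder.WithPredicates(predicate.ResourceVersionChangedPredicate{})` on the new `OpenStackDataPlaneNodeSet` watch lets through every update that bumps the resource version, not only the SecretHashes update the added comment names, so any status or metadata write on any NodeSet enqueues a control plane reconcile through `findControlPlaneForSrc`. A `predicate.Funcs` whose update handler compares the SecretHashes of the old and new NodeSet would match the stated intent and keep reconcile volume down in deployments with many NodeSets. Two things to confirm that these hunks do not show: that `findControlPlaneForSrc`, reused here from the other watches, maps a NodeSet to the right control plane, and that the controller's RBAC grants list and watch on the NodeSet type, since a watch that cannot start would leave revocation dependent on the fallback interval alone.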