Add EDPM-aware application credential revocation for Nova and Ceilometer

For ctlplane only services (Barbican, Glance...), the existing
consumer finalizer added by each service operator is sufficient: once
the service pod restarts with the new secret, the operator removes its
finalizer and keystone-operator's cleanupUnusedRotatedSecrets revokes
the old credential in Keystone and deletes the K8s Secret.

For EDPM services (Nova, Ceilometer) the service operator restarts its
control plane pod quickly, but the old credential
is still baked into dataplane node configs. Revoking it before the
nodes redeploy would break running workloads. This commit adds a
second protection layer: an edpm-ac-consumer finalizer on the AC secret
that blocks keystone-operator revocation until EDPM nodes have
fully redeployed with the new credential.

Implementation uses two annotations on the KeystoneApplicationCredential
CR to track EDPM state:
- openstack.org/edpm-deployed-secret: the AC secret name currently
  deployed to EDPM nodes.
- openstack.org/edpm-synced-config-hash: a combined hash of the EDPM
  config secrets at the time nodes were last confirmed in sync.

A two-phase check (reconcileEDPMSync) runs each reconcile cycle:
  Phase 1 - detects that the service operator has re-rendered the EDPM
  config with the new credential (combined config hash changed).
  Phase 2 - verifies all OpenStackDataPlaneNodeSet SecretHashes match
  the live config, confirming nodes have been redeployed.

When both phases pass, the edpm-ac-consumer finalizer is removed from
the old secret and tracking annotations are updated. Keystone-operator
then sees no remaining consumer finalizers and proceeds with revocation
(Keystone API call + K8s Secret deletion).

Note: Currently and previous AC Secret is always protected by ac-protection
finalizer.

The EDPM sync check (HasPendingEDPMSync) runs at the end of the main
OpenstackControlPlane reconcile loop, after all services have been
processed. This ensures all EDPM services update their configs in a
single reconcile cycle, so a single EDPM deployment is sufficient to
sync all services simultaneously.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Veronika Fisarova <vfisarov@redhat.com>

Author: Deydra71

bindata/crds/barbican.openstack.org_barbicans.yaml

@@ -840,6 +840,13 @@ spec:
           status:
             description: BarbicanStatus defines the observed state of Barbican
             properties:
+              applicationCredentialSecret:
+                description: |-
+                  ApplicationCredentialSecret - the AC secret barbican is currently
+                  consuming and protecting with the openstack.org/barbican-ac-consumer
+                  finalizer. Tracked so the controller can remove its finalizer from the
+                  old secret when the openstack-operator rotates the reference.
+                type: string
               barbicanAPIReadyCount:
                 description: ReadyCount of Barbican API instances
                 format: int32

bindata/crds/cinder.openstack.org_cinders.yaml

@@ -2144,6 +2144,10 @@ spec:
                   type: object
                 description: API endpoints
                 type: object
+              applicationCredentialSecret:
+                description: ApplicationCredentialSecret - the AC secret cinder is
+                  currently consuming
+                type: string
               cinderAPIReadyCount:
                 default: 0
                 description: ReadyCount of Cinder API instance

bindata/crds/designate.openstack.org_designateapis.yaml

@@ -442,6 +442,13 @@ spec:
                   type: object
                 description: API endpoints
                 type: object
+              applicationCredentialSecret:
+                description: |-
+                  ApplicationCredentialSecret - the AC secret DesignateAPI is currently
+                  consuming and protecting with the openstack.org/designateapi-ac-consumer
+                  finalizer. Tracked so the controller can remove its finalizer from the
+                  old secret when the openstack-operator rotates the reference.
+                type: string
               conditions:
                 description: Conditions
                 items:

bindata/crds/glance.openstack.org_glanceapis.yaml

@@ -1603,6 +1603,10 @@ spec:
                   type: string
                 description: API endpoint
                 type: object
+              applicationCredentialSecret:
+                description: ApplicationCredentialSecret - Secret that GlanceAPI is
+                  actively consuming (AC consumer finalizer present)
+                type: string
               conditions:
                 description: Conditions
                 items:

bindata/crds/heat.openstack.org_heats.yaml

@@ -2093,6 +2093,13 @@ spec:
           status:
             description: HeatStatus defines the observed state of Heat
             properties:
+              applicationCredentialSecret:
+                description: |-
+                  ApplicationCredentialSecret - the AC secret Heat is currently
+                  consuming and protecting with the openstack.org/heat-ac-consumer
+                  finalizer. Tracked so the controller can remove its finalizer from the
+                  old secret when the openstack-operator rotates the reference.
+                type: string
               conditions:
                 description: Conditions
                 items:

bindata/crds/ironic.openstack.org_ironics.yaml

@@ -1292,6 +1292,13 @@ spec:
                   type: object
                 description: API endpoint
                 type: object
+              applicationCredentialSecret:
+                description: |-
+                  ApplicationCredentialSecret - the AC secret ironic is currently
+                  consuming and protecting with the openstack.org/ironic-ac-consumer
+                  finalizer. Tracked so the controller can remove its finalizer from the
+                  old secret when the openstack-operator rotates the reference.
+                type: string
               conditions:
                 description: Conditions
                 items:
@@ -1342,6 +1349,12 @@ spec:
                   type: string
                 description: Map of hashes to track e.g. job status
                 type: object
+              inspectorApplicationCredentialSecret:
+                description: |-
+                  InspectorApplicationCredentialSecret - the AC secret ironic-inspector is
+                  currently consuming and protecting with the
+                  openstack.org/ironic-inspector-ac-consumer finalizer.
+                type: string
               ironicAPIReadyCount:
                 description: ReadyCount of Ironic API instance
                 format: int32

bindata/crds/keystone.openstack.org_keystoneapplicationcredentials.yaml

@@ -209,6 +209,10 @@ spec:
                   for this ApplicationCredential.
                 format: int64
                 type: integer
+              previousSecretName:
+                description: PreviousSecretName - name of the previous AC secret.
+                  Only current and previous are protected by finalizer.
+                type: string
               rotationEligibleAt:
                 description: |-
                   RotationEligibleAt indicates when rotation becomes eligible (start of grace period window).

bindata/crds/manila.openstack.org_manilas.yaml

@@ -1901,6 +1901,10 @@ spec:
           status:
             description: ManilaStatus defines the observed state of Manila
             properties:
+              applicationCredentialSecret:
+                description: ApplicationCredentialSecret - Secret that Manila is actively
+                  consuming (AC consumer finalizer present)
+                type: string
               conditions:
                 description: Conditions
                 items:

bindata/crds/neutron.openstack.org_neutronapis.yaml

@@ -1607,6 +1607,13 @@ spec:
           status:
             description: NeutronAPIStatus defines the observed state of NeutronAPI
             properties:
+              applicationCredentialSecret:
+                description: |-
+                  ApplicationCredentialSecret - the AC secret NeutronAPI is currently
+                  consuming and protecting with the openstack.org/neutronapi-ac-consumer
+                  finalizer. Tracked so the controller can remove its finalizer from the
+                  old secret when the openstack-operator rotates the reference.
+                type: string
               conditions:
                 description: Conditions
                 items:

bindata/crds/nova.openstack.org_nova.yaml

@@ -1914,6 +1914,13 @@ spec:
                   from nova-api
                 format: int32
                 type: integer
+              applicationCredentialSecret:
+                description: |-
+                  ApplicationCredentialSecret - the AC secret nova is currently
+                  consuming and protecting with the openstack.org/nova-ac-consumer
+                  finalizer. Tracked so the controller can remove its finalizer from the
+                  old secret when the openstack-operator rotates the reference.
+                type: string
               conditions:
                 description: Conditions
                 items: