Add application credential finalizer management

[Deydra71]

Jira: OSPRH-27509

Application Credential dev-doc: https://github.com/openstack-k8s-operators/dev-docs/blob/main/application_credentials.md

• Tracks the active AC secret name in Status.ApplicationCredentialSecret
• Add openstack.org/cinder-ac-consumer finalizer to the AC secret after service config is rendered
• On AC rotation, move the finalizer from the old secret to the new one
• On CR deletion, remove the consumer finalizer from the AC secret before cleaning up the CR

This ensures that the keystone-operator cannot revoke a rotated AC secret while Cinder is still consuming it.

2026-04-28T11:50:13Z	INFO	Controllers.Cinder	Added consumer finalizer	{"controller": "cinder", "controllerGroup": "cinder.openstack.org", "controllerKind": "Cinder", "Cinder": {"name":"cinder","namespace":"openstack"}, "namespace": "openstack", "name": "cinder", "reconcileID": "7dcaf45c-7fe4-4c3f-ad58-9ffd2efd83fb", "object": "ac-cinder-5f914-secret", "finalizer": "openstack.org/cinder-ac-consumer"}
2026-04-28T11:50:13Z	INFO	Controllers.Cinder	Removed consumer finalizer	{"controller": "cinder", "controllerGroup": "cinder.openstack.org", "controllerKind": "Cinder", "Cinder": {"name":"cinder","namespace":"openstack"}, "namespace": "openstack", "name": "cinder", "reconcileID": "7dcaf45c-7fe4-4c3f-ad58-9ffd2efd83fb", "object": "ac-cinder-7e49e-secret", "finalizer": "openstack.org/cinder-ac-consumer"}

Depends-On: openstack-k8s-operators/keystone-operator#685

Assisted-by: Claude Opus 4.6 noreply@anthropic.com

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/4e05c3d52bc5404faa844882720410d5

❌ openstack-k8s-operators-content-provider FAILURE in 18m 19s
⚠️ cinder-operator-kuttl SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ cinder-operator-tempest SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider

[centosinfra-prod-github-app]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://gateway-cloud-softwarefactory.apps.ocp.cloud.ci.centos.org/zuul/t/rdoproject.org/buildset/209f814415dd4bd8ba926ba2679542fa

❌ openstack-k8s-operators-content-provider FAILURE in 4m 03s
⚠️ cinder-operator-kuttl SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ cinder-operator-tempest SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider

[Deydra71]

recheck

[Deydra71]

Following the discussion in watcher-operator the AC finalizer management is now split into two phases:

• Early phase: adds consumer finalizer to the new AC secret immediately (protects it from premature revocation)
• Late phase: removes consumer finalizer from the old AC secret only after AllSubConditionIsTrue() (all sub-services deployed with new credentials)

This prevents a race condition where rapid AC rotations could revoke credentials still in use by running pods.

[fmount]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Deydra71, fmount

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [fmount]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment