Add application credential finalizer management by Deydra71 · Pull Request #554 · openstack-k8s-operators/manila-operator

Deydra71 · 2026-04-08T07:14:03Z

Application Credential dev-doc: https://github.com/openstack-k8s-operators/dev-docs/blob/main/application_credentials.md

Tracks the active AC secret name in Status.ApplicationCredentialSecret
Add openstack.org/manila-ac-consumer finalizer to the AC secret after service config is rendered
On AC rotation, move the finalizer from the old secret to the new one
On CR deletion, remove the consumer finalizer from the AC secret before cleaning up the CR

This ensures that the keystone-operator cannot revoke a rotated AC secret while Manila is still consuming it.

2026-04-28T11:51:03Z	INFO	Controllers.Manila	Added consumer finalizer	{"controller": "manila", "controllerGroup": "manila.openstack.org", "controllerKind": "Manila", "Manila": {"name":"manila","namespace":"openstack"}, "namespace": "openstack", "name": "manila", "reconcileID": "27831dbb-a329-4b79-a904-1ca4942cae16", "object": "ac-manila-8ef07-secret", "finalizer": "openstack.org/manila-ac-consumer"}
2026-04-28T11:51:03Z	INFO	Controllers.Manila	Removed consumer finalizer	{"controller": "manila", "controllerGroup": "manila.openstack.org", "controllerKind": "Manila", "Manila": {"name":"manila","namespace":"openstack"}, "namespace": "openstack", "name": "manila", "reconcileID": "27831dbb-a329-4b79-a904-1ca4942cae16", "object": "ac-manila-dc64e-secret", "finalizer": "openstack.org/manila-ac-consumer"}

Depends-On: openstack-k8s-operators/keystone-operator#685

Assisted-by: Claude Opus 4.6 noreply@anthropic.com

softwarefactory-project-zuul · 2026-04-08T07:33:18Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/31842d3dda954b798bb28247d9d73489

❌ openstack-k8s-operators-content-provider FAILURE in 18m 06s
⚠️ manila-operator-kuttl SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ manila-operator-tempest SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider

softwarefactory-project-zuul · 2026-04-24T12:22:34Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/fbde6923310e4f94b1dd04ee341a9eba

✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 29m 02s
✔️ manila-operator-kuttl SUCCESS in 41m 48s
❌ manila-operator-tempest FAILURE in 36m 15s

centosinfra-prod-github-app · 2026-05-20T11:01:28Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://gateway-cloud-softwarefactory.apps.ocp.cloud.ci.centos.org/zuul/t/rdoproject.org/buildset/be2232121c6c48e2aef5162512c10fb4

❌ openstack-k8s-operators-content-provider FAILURE in 4m 09s
⚠️ manila-operator-kuttl SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ manila-operator-tempest SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider

Deydra71 · 2026-05-21T09:33:18Z

recheck

Deydra71 · 2026-05-25T09:57:59Z

Following the discussion in watcher-operator the AC finalizer management is now split into two phases:

Early phase: adds consumer finalizer to the new AC secret immediately (protects it from premature revocation)
Late phase: removes consumer finalizer from the old AC secret only after AllSubConditionIsTrue() (all sub-services deployed with new credentials)

This prevents a race condition where rapid AC rotations could revoke credentials still in use by running pods.

Signed-off-by: Veronika Fisarova <vfisarov@redhat.com>

fmount

/lgtm

openshift-ci · 2026-05-26T15:38:43Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Deydra71, fmount

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [fmount]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Deydra71 added the do-not-merge/hold label Apr 8, 2026

openshift-ci Bot requested review from gouthampacha and silvacarloss April 8, 2026 07:14

openshift-ci Bot added the needs-rebase label Apr 16, 2026

Deydra71 force-pushed the appcred-finalizer branch from 32d5f89 to c91273f Compare April 23, 2026 06:23

openshift-ci Bot removed the needs-rebase label Apr 23, 2026

Deydra71 force-pushed the appcred-finalizer branch from c91273f to 73dec6e Compare April 24, 2026 10:42

openshift-ci Bot added the needs-rebase label Apr 25, 2026

Deydra71 force-pushed the appcred-finalizer branch from 73dec6e to 1a34868 Compare April 27, 2026 08:18

openshift-ci Bot removed the needs-rebase label Apr 27, 2026

openshift-ci Bot added the needs-rebase label May 4, 2026

Deydra71 force-pushed the appcred-finalizer branch from 1a34868 to 01e4498 Compare May 20, 2026 10:49

openshift-ci Bot removed the needs-rebase label May 20, 2026

fmount self-requested a review May 21, 2026 14:44

openshift-ci Bot added the needs-rebase label May 24, 2026

Deydra71 force-pushed the appcred-finalizer branch from 01e4498 to 771853a Compare May 25, 2026 09:57

openshift-ci Bot removed the needs-rebase label May 25, 2026

Add AC finalizer management

ee231b4

Signed-off-by: Veronika Fisarova <vfisarov@redhat.com>

Deydra71 force-pushed the appcred-finalizer branch from 771853a to ee231b4 Compare May 26, 2026 15:21

fmount approved these changes May 26, 2026

View reviewed changes

openshift-ci Bot assigned fmount May 26, 2026

openshift-ci Bot added the lgtm label May 26, 2026

openshift-ci Bot added the approved label May 26, 2026

fmount removed the do-not-merge/hold label May 26, 2026

openshift-merge-bot Bot merged commit b7b97c3 into openstack-k8s-operators:main May 26, 2026
7 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add application credential finalizer management#554

Add application credential finalizer management#554
openshift-merge-bot[bot] merged 1 commit into
openstack-k8s-operators:mainfrom
Deydra71:appcred-finalizer

Deydra71 commented Apr 8, 2026 •

edited

Loading

Uh oh!

softwarefactory-project-zuul Bot commented Apr 8, 2026

Uh oh!

softwarefactory-project-zuul Bot commented Apr 24, 2026

Uh oh!

centosinfra-prod-github-app Bot commented May 20, 2026

Uh oh!

Deydra71 commented May 21, 2026

Uh oh!

Deydra71 commented May 25, 2026

Uh oh!

fmount left a comment

Uh oh!

openshift-ci Bot commented May 26, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

Deydra71 commented Apr 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

softwarefactory-project-zuul Bot commented Apr 8, 2026

Uh oh!

softwarefactory-project-zuul Bot commented Apr 24, 2026

Uh oh!

centosinfra-prod-github-app Bot commented May 20, 2026

Uh oh!

Deydra71 commented May 21, 2026

Uh oh!

Deydra71 commented May 25, 2026

Uh oh!

fmount left a comment

Choose a reason for hiding this comment

Uh oh!

openshift-ci Bot commented May 26, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Deydra71 commented Apr 8, 2026 •

edited

Loading