(placement) Add application credential finalizer management by Deydra71 · Pull Request #1120 · openstack-k8s-operators/nova-operator

Deydra71 · 2026-05-19T08:09:57Z

Application Credential dev-doc: https://github.com/openstack-k8s-operators/dev-docs/blob/main/application_credentials.md

Tracks the active AC secret name in Status.ApplicationCredentialSecret
Add openstack.org/placementapi-ac-consumer finalizer to the AC secret after service config is rendered
On AC rotation, move the finalizer from the old secret to the new one
On CR deletion, remove the consumer finalizer from the AC secret before cleaning up the CR

This ensures that the keystone-operator cannot revoke a rotated AC secret while Placement is still consuming it.

2026-04-28T11:58:50Z	INFO	Controllers.PlacementAPI	Added consumer finalizer	{"controller": "placementapi", "controllerGroup": "placement.openstack.org", "controllerKind": "PlacementAPI", "PlacementAPI": {"name":"placement","namespace":"openstack"}, "namespace": "openstack", "name": "placement", "reconcileID": "74813a11-99ba-4418-be48-594d27216bb5", "object": "ac-placement-323aa-secret", "finalizer": "openstack.org/placementapi-ac-consumer"}
2026-04-28T11:58:50Z	INFO	Controllers.PlacementAPI	Removed consumer finalizer	{"controller": "placementapi", "controllerGroup": "placement.openstack.org", "controllerKind": "PlacementAPI", "PlacementAPI": {"name":"placement","namespace":"openstack"}, "namespace": "openstack", "name": "placement", "reconcileID": "74813a11-99ba-4418-be48-594d27216bb5", "object": "ac-placement-6433f-secret", "finalizer": "openstack.org/placementapi-ac-consumer"}

Depends-On: openstack-k8s-operators/keystone-operator#685

Assisted-by: Claude Opus 4.6 noreply@anthropic.com

NOTE: This is the exact change taken from openstack-k8s-operators/placement-operator#413 that has been merged to nova-op

centosinfra-prod-github-app · 2026-05-19T11:47:19Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://gateway-cloud-softwarefactory.apps.ocp.cloud.ci.centos.org/zuul/t/rdoproject.org/buildset/54644e0a60a9410f817cfc60e1e44f57

✔️ openstack-meta-content-provider SUCCESS in 3h 12m 35s
❌ nova-operator-kuttl POST_FAILURE in 1h 10m 23s
✔️ nova-operator-tempest-multinode SUCCESS in 2h 24m 56s
✔️ nova-operator-tempest-multinode-ceph SUCCESS in 2h 51m 49s

centosinfra-prod-github-app · 2026-05-20T11:34:44Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://gateway-cloud-softwarefactory.apps.ocp.cloud.ci.centos.org/zuul/t/rdoproject.org/buildset/4408b66249d14ac2b170184031610ddc

❌ openstack-meta-content-provider FAILURE in 5m 48s
⚠️ nova-operator-kuttl SKIPPED Skipped due to failed job openstack-meta-content-provider
⚠️ nova-operator-tempest-multinode SKIPPED Skipped due to failed job openstack-meta-content-provider
⚠️ nova-operator-tempest-multinode-ceph SKIPPED Skipped due to failed job openstack-meta-content-provider

Deydra71 · 2026-05-21T09:34:41Z

recheck

centosinfra-prod-github-app · 2026-05-21T12:55:30Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://gateway-cloud-softwarefactory.apps.ocp.cloud.ci.centos.org/zuul/t/rdoproject.org/buildset/019e4c4165c5417a8531e70adb923c45

✔️ openstack-meta-content-provider SUCCESS in 3h 08m 58s
❌ nova-operator-kuttl FAILURE in 1h 06m 41s
❌ nova-operator-tempest-multinode FAILURE in 32m 10s
✔️ nova-operator-tempest-multinode-ceph SUCCESS in 2h 40m 57s

Deydra71 · 2026-05-25T11:29:34Z

Following the discussion in watcher-operator the AC finalizer management is now split into two phases:

Early phase: adds consumer finalizer to the new AC secret immediately (protects it from premature revocation)
Late phase: removes consumer finalizer from the old AC secret only after AllSubConditionIsTrue() (all sub-services deployed with new credentials)

This prevents a race condition where rapid AC rotations could revoke credentials still in use by running pods.

centosinfra-prod-github-app · 2026-05-25T14:31:59Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://gateway-cloud-softwarefactory.apps.ocp.cloud.ci.centos.org/zuul/t/rdoproject.org/buildset/517e5071644b43998ad60608812ff352

✔️ openstack-meta-content-provider SUCCESS in 3h 01m 21s
❌ nova-operator-kuttl FAILURE in 1h 05m 35s
✔️ nova-operator-tempest-multinode SUCCESS in 2h 20m 13s
✔️ nova-operator-tempest-multinode-ceph SUCCESS in 2h 38m 45s

Deydra71 · 2026-05-25T16:44:39Z

Cherry-picked the dependency bump on top of the appcred changes to unblock the CI, same as done in watcher-op

centosinfra-prod-github-app · 2026-05-25T19:38:21Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://gateway-cloud-softwarefactory.apps.ocp.cloud.ci.centos.org/zuul/t/rdoproject.org/buildset/8c262382688b4b2fa5d4cc2bf8da1917

✔️ openstack-meta-content-provider SUCCESS in 2h 54m 44s
❌ nova-operator-kuttl FAILURE in 1h 03m 06s
✔️ nova-operator-tempest-multinode SUCCESS in 2h 16m 37s
✔️ nova-operator-tempest-multinode-ceph SUCCESS in 2h 37m 31s

Deydra71 · 2026-05-26T06:10:56Z

@amartyasinha FYI the appcred kuttl will be failing until nova-operator PR is merged. The kuttl is looking for hardcoded AC test secret, but after the keystone-operator change it creates immutable AC secret with dynamic names.

I think the best solution here is to wait for #1108 to merge, then I will rebase, and kuttl should pass, and also will remove the manual dependency bump commit.

Signed-off-by: Veronika Fisarova <vfisarov@redhat.com>

centosinfra-prod-github-app · 2026-05-29T09:53:05Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://gateway-cloud-softwarefactory.apps.ocp.cloud.ci.centos.org/zuul/t/rdoproject.org/buildset/bf4b95944ab4484e87efd2f07ac2a43c

✔️ openstack-meta-content-provider SUCCESS in 3h 27m 30s
✔️ nova-operator-kuttl SUCCESS in 53m 29s
❌ nova-operator-tempest-multinode FAILURE in 2h 35m 20s
✔️ nova-operator-tempest-multinode-ceph SUCCESS in 3h 10m 45s

mrkisaolamb

lgtm

openshift-ci · 2026-05-29T10:14:49Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Deydra71, mrkisaolamb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [mrkisaolamb]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

amartyasinha · 2026-05-29T10:50:06Z

recheck

Deydra71 requested a review from amartyasinha May 19, 2026 08:09

Deydra71 added the do-not-merge/hold label May 19, 2026

openshift-ci Bot requested review from auniyal61 and stuggi May 19, 2026 08:10

Deydra71 mentioned this pull request May 19, 2026

Add application credential finalizer management openstack-k8s-operators/placement-operator#413

Closed

Deydra71 changed the title ~~Add application credential finalizer management~~ (placement) Add application credential finalizer management May 19, 2026

Deydra71 force-pushed the appcred-finalizer-placement branch from f059a34 to 39c78a2 Compare May 20, 2026 11:17

Deydra71 removed the do-not-merge/hold label May 20, 2026

Deydra71 force-pushed the appcred-finalizer-placement branch from 39c78a2 to ec1d15f Compare May 25, 2026 11:29

Add application credential finalizer management

f6ee71a

Signed-off-by: Veronika Fisarova <vfisarov@redhat.com>

Deydra71 force-pushed the appcred-finalizer-placement branch from 4d625b5 to f6ee71a Compare May 29, 2026 06:23

amartyasinha requested a review from mrkisaolamb May 29, 2026 09:27

mrkisaolamb approved these changes May 29, 2026

View reviewed changes

openshift-ci Bot assigned mrkisaolamb May 29, 2026

openshift-ci Bot added the lgtm label May 29, 2026

openshift-ci Bot added the approved label May 29, 2026

openshift-merge-bot Bot merged commit 444a265 into openstack-k8s-operators:main May 29, 2026
7 checks passed

Conversation

Deydra71 commented May 19, 2026

Uh oh!

centosinfra-prod-github-app Bot commented May 19, 2026

Uh oh!

centosinfra-prod-github-app Bot commented May 20, 2026

Uh oh!

Deydra71 commented May 21, 2026

Uh oh!

centosinfra-prod-github-app Bot commented May 21, 2026

Uh oh!

Deydra71 commented May 25, 2026

Uh oh!

centosinfra-prod-github-app Bot commented May 25, 2026

Uh oh!

Deydra71 commented May 25, 2026

Uh oh!

centosinfra-prod-github-app Bot commented May 25, 2026

Uh oh!

Deydra71 commented May 26, 2026

Uh oh!

centosinfra-prod-github-app Bot commented May 29, 2026

Uh oh!

mrkisaolamb left a comment

Choose a reason for hiding this comment

Uh oh!

openshift-ci Bot commented May 29, 2026

Uh oh!

amartyasinha commented May 29, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants