Split appcred finalizer management

[Deydra71]

Following the discussion in watcher-operator the AC finalizer management is now split into two phases:

• Early phase: adds consumer finalizer to the new AC secret immediately (protects it from premature revocation)
• Late phase: removes consumer finalizer from the old AC secret only after AllSubConditionIsTrue()

This prevents a race condition where rapid AC rotations could revoke credentials still in use by running pods. The same pattern is implemented in all service operators with application credential support.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Deydra71
Once this PR has been reviewed and has the lgtm label, please assign stuggi for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[centosinfra-prod-github-app]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://gateway-cloud-softwarefactory.apps.ocp.cloud.ci.centos.org/zuul/t/rdoproject.org/buildset/4d8736f75a2c4451a66c6a307b3de6e9

❌ openstack-k8s-operators-content-provider FAILURE in 5m 21s
❌ telemetry-operator-multinode-cloudkitty FAILURE in 1h 51m 23s
✔️ telemetry-openstack-meta-content-provider-master SUCCESS in 2h 11m 20s
⚠️ telemetry-operator-multinode-default-telemetry SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ telemetry-operator-multinode-audit-logging SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
❌ functional-tests-osp18 FAILURE in 1h 55m 28s

[Deydra71]

recheck

Looks like dataplane deployment timed out