
Add application credential finalizer management #618

Open
Deydra71 wants to merge 1 commit into openstack-k8s-operators:main from Deydra71:appcred-finalizer
Deydra71 (Contributor) commented Apr 23, 2026

Jira: OSPRH-29269

Application Credential dev-doc: https://github.com/openstack-k8s-operators/dev-docs/blob/main/application_credentials.md

  • Tracks the active AC secret name in Status.ApplicationCredentialSecret
  • Add openstack.org/neutronapi-ac-consumer finalizer to the AC secret after service config is rendered
  • On AC rotation, move the finalizer from the old secret to the new one
  • On CR deletion, remove the consumer finalizer from the AC secret before cleaning up the CR

This ensures that the keystone-operator cannot revoke a rotated AC secret while Neutron is still consuming it.

2026-04-28T11:54:58.578Z	INFO	Controllers.NeutronAPI	Added consumer finalizer	{"controller": "neutronapi", "controllerGroup": "neutron.openstack.org", "controllerKind": "NeutronAPI", "NeutronAPI": {"name":"neutron","namespace":"openstack"}, "namespace": "openstack", "name": "neutron", "reconcileID": "c8bf38d1-2f9c-4fe9-88ba-1f6f2a701983", "object": "ac-neutron-0dc46-secret", "finalizer": "openstack.org/neutronapi-ac-consumer"}
2026-04-28T11:54:58.589Z	INFO	Controllers.NeutronAPI	Removed consumer finalizer	{"controller": "neutronapi", "controllerGroup": "neutron.openstack.org", "controllerKind": "NeutronAPI", "NeutronAPI": {"name":"neutron","namespace":"openstack"}, "namespace": "openstack", "name": "neutron", "reconcileID": "c8bf38d1-2f9c-4fe9-88ba-1f6f2a701983", "object": "ac-neutron-86ca8-secret", "finalizer": "openstack.org/neutronapi-ac-consumer"}

Depends-On: openstack-k8s-operators/keystone-operator#685

Assisted-by: Claude Opus 4.6 noreply@anthropic.com

@softwarefactory-project-zuul

Merge Failed.

This change or one of its cross-repo dependencies was unable to be automatically merged with the current state of its repository. Please rebase the change and upload a new patchset.
Warning:
Error merging github.com/openstack-k8s-operators/neutron-operator for 618,67833c8a7a98b29abef2ace6c6d5aed56e50093c

Deydra71 changed the title from "Add AC finalizer management" to "Add application credential finalizer management" on Apr 23, 2026
Deydra71 force-pushed the appcred-finalizer branch from 67833c8 to 05c20c1 on April 24, 2026 10:48
@softwarefactory-project-zuul

Merge Failed.

This change or one of its cross-repo dependencies was unable to be automatically merged with the current state of its repository. Please rebase the change and upload a new patchset.
Warning:
Error merging github.com/openstack-k8s-operators/neutron-operator for 618,05c20c1d6ccd5dd2ba8fccaef23fcbb68a9883b7

@softwarefactory-project-zuul

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/37b8d376ac0d49d4bd3759b88db8053b

openstack-k8s-operators-content-provider FAILURE in 10m 37s
⚠️ neutron-operator-tempest-multinode SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider

@softwarefactory-project-zuul

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/63ec2a4ca5d048f9add5f9999ff5af7c

openstack-k8s-operators-content-provider FAILURE in 10m 53s
⚠️ neutron-operator-tempest-multinode SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider

@centosinfra-prod-github-app

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://gateway-cloud-softwarefactory.apps.ocp.cloud.ci.centos.org/zuul/t/rdoproject.org/buildset/b2418d6612b04aed86f54ae10cac6b5c

openstack-k8s-operators-content-provider FAILURE in 4m 03s
⚠️ neutron-operator-tempest-multinode SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider

@Deydra71
Contributor Author

recheck

Signed-off-by: Veronika Fisarova <vfisarov@redhat.com>
Deydra71 force-pushed the appcred-finalizer branch from c57aa7a to 7b63bb8 on May 25, 2026 10:52
@Deydra71
Contributor Author

Following the discussion in watcher-operator, the AC finalizer management is now split into two phases:

  • Early phase: adds consumer finalizer to the new AC secret immediately (protects it from premature revocation)
  • Late phase: removes consumer finalizer from the old AC secret only after AllSubConditionIsTrue() (all sub-services deployed with new credentials)

This prevents a race condition where rapid AC rotations could revoke credentials still in use by running pods.
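
The two-phase handoff described in the comment above, replayed on a constructed rapid-rotation scenario. This is an added sketch, not code from this PR or from neutron-operator: `Secret`, `Reconcile`, `RapidRotation` and the `ac-A`/`ac-B`/`ac-C` names are hypothetical, `allReady` stands in for the result of AllSubConditionIsTrue(), and older secrets are found by scanning rather than through the tracked status field. Only the finalizer name comes from the PR description.

```go
package main

import "fmt"

const consumerFinalizer = "openstack.org/neutronapi-ac-consumer" // from the PR description

// Secret is a hypothetical stand-in for a Kubernetes Secret's metadata.
type Secret struct{ Finalizers map[string]bool }

// Reconcile models one reconcile pass (assumed shape, not the operator's code).
// desired is the AC secret the rendered service config now references.
func Reconcile(secrets map[string]*Secret, desired string, allReady bool) {
	// Early phase: pin the new secret before any rollout work happens.
	secrets[desired].Finalizers[consumerFinalizer] = true
	if !allReady {
		return // pods may still run with an older credential: release nothing
	}
	// Late phase: every sub-service is on `desired`, so older secrets can go.
	for name, s := range secrets {
		if name != desired {
			delete(s.Finalizers, consumerFinalizer)
		}
	}
}

// RapidRotation: A is live, then B and C are issued before B's rollout finishes.
func RapidRotation() (midRollout, settled map[string]bool) {
	secrets := map[string]*Secret{}
	for _, n := range []string{"ac-A", "ac-B", "ac-C"} {
		secrets[n] = &Secret{Finalizers: map[string]bool{}}
	}
	// snapshot maps secret name -> revocable (no finalizer left, so the
	// owner, keystone-operator in the PR, is free to revoke it).
	snapshot := func() map[string]bool {
		out := map[string]bool{}
		for n, s := range secrets {
			out[n] = len(s.Finalizers) == 0
		}
		return out
	}
	Reconcile(secrets, "ac-A", true)  // steady state on A
	Reconcile(secrets, "ac-B", false) // rotation 1, rollout in progress
	Reconcile(secrets, "ac-C", false) // rotation 2 arrives early
	midRollout = snapshot()
	Reconcile(secrets, "ac-C", true) // all sub-services redeployed
	return midRollout, snapshot()
}

func main() { fmt.Println(RapidRotation()) }
```

Mid-rollout, none of the three secrets is revocable; once the rollout settles, only `ac-C` remains pinned.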

@Deydra71
Contributor Author

/test neutron-operator-build-deploy-kuttl

Looks like an env/timing hiccup

Deydra71 requested a review from fmount on May 27, 2026 05:18

@fmount fmount left a comment

/lgtm

@openshift-ci
Contributor

openshift-ci Bot commented May 27, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Deydra71, fmount
Once this PR has been reviewed and has the lgtm label, please assign slawqo for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@fmount
Contributor

fmount commented May 27, 2026

The implementation is in line with all the other (merged) patches. @slawqo @karelyatin to check and push a final approve.
