Application Credential support

[Deydra71]

Jira: OSPRH-20521

Adds the end-to-end support for consuming Keystone ApplicationCredentials (AC) in the ironic-operator, enabling IronicAPI,Conductor, Inspector NeutronAGent pods to use AC-based authentication when available.

API changes:

Adds an optional authentication field to the Ironic CRs:

spec.auth.applicationCredentialSecret — name of the Secret that contains the Keystone Application Credential ID and Secret (AC_ID and AC_SECRET).

Reconcile behavior:

Reads spec.auth.applicationCredentialSecret
Attempts to load AC_ID / AC_SECRET from the referenced Secret (via the Keystone helper).
If the secret is missing or incomplete, it falls back to password authentication (the AppCred auth is optional, not an error).

• Once the AC Secret is ready with valid AC_ID and AC_SECRET fields, templates AC credentials into the respective service configuration (ironic.conf, 01-api.conf, 01-inspector.conf, or 01-ironic_neutron_agent.conf)
• Computes hash of Secret contents and stores in configMapVars to trigger rolling updates when credentials rotate
• Separate AppCreds are used for 'ironic' user (IronicAPI, IronicConductor, IronicNeutronAgent, parent Ironic) and 'ironic-inspector' user (IronicInspector)

Depends-On: openstack-k8s-operators/keystone-operator#567

[softwarefactory-project-zuul]

Merge Failed.

This change or one of its cross-repo dependencies was unable to be automatically merged with the current state of its repository. Please rebase the change and upload a new patchset.
Warning:
Error merging github.com/openstack-k8s-operators/ironic-operator for 656,6b592f6a3f430ea960129d5b540ec9dc59773612

[apevec]

@Deydra71 depends-on has been merged, and now PR needs rebase afaict
@juliakreger @hjensas what else do we need in order to review this PR?

[Deydra71]

@apevec the dependency is merged, but not bumped yet. The conflicts appeared after the SKMO changes #670

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/626a8b4aaf0f49eab14a0b93913f6540

❌ openstack-k8s-operators-content-provider FAILURE in 17m 18s
⚠️ podified-multinode-ironic-deployment SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider

[juliakreger]

@Deydra71 So when you update the vendoring/replacement, are you going to rebase this change?

[Deydra71]

@juliakreger yes, but even the keystone-operator patch is merged now, the version bump with the app cred change didn't happen yet

[juliakreger]

@Deydra71 When you have a chance, If you can let @apevec know so we can set expectations when we'll be able to appropriately re-review and hopefully merge this change, that would be helpful. Thanks!

[hjensas]

Thanks, for addressing the review comments. A couple comments on the update.

[softwarefactory-project-zuul]

Merge Failed.

This change or one of its cross-repo dependencies was unable to be automatically merged with the current state of its repository. Please rebase the change and upload a new patchset.
Warning:
Error merging github.com/openstack-k8s-operators/ironic-operator for 656,bbb32d526b13fd04370ba89827e23a351624954d

[hjensas]

FYI, I did a rebase and go mod tidy to fix the conflicts in api/go.mod and api/go.sum only.

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/f7ba2fd4bc724e24831bb39c34a65f43

❌ openstack-k8s-operators-content-provider FAILURE in 17m 39s
⚠️ podified-multinode-ironic-deployment SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider

[softwarefactory-project-zuul]

Merge Failed.

This change or one of its cross-repo dependencies was unable to be automatically merged with the current state of its repository. Please rebase the change and upload a new patchset.
Warning:
Error merging github.com/openstack-k8s-operators/ironic-operator for 656,a52b93fbfbffa30f40f43239b05105cb790617fb

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/d63e811e6a7b4c5592f22a7a9ad543f3

❌ openstack-k8s-operators-content-provider FAILURE in 14m 38s
⚠️ podified-multinode-ironic-deployment SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/32601923be06457790c9e307db51d4c0

❌ openstack-k8s-operators-content-provider FAILURE in 12m 32s
⚠️ podified-multinode-ironic-deployment SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider

[hjensas]

/lgtm

[juliakreger]

/lgtm

[mumesan]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Deydra71, hjensas

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [hjensas]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment