openstack-k8s-operators · openshift-merge-bot · Jan 20, 2026 · Mar 20, 2025
diff --git a/api/bases/keystone.openstack.org_keystoneapplicationcredentials.yaml b/api/bases/keystone.openstack.org_keystoneapplicationcredentials.yaml
@@ -0,0 +1,232 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.18.0
+  name: keystoneapplicationcredentials.keystone.openstack.org
+spec:
+  group: keystone.openstack.org
+  names:
+    kind: KeystoneApplicationCredential
+    listKind: KeystoneApplicationCredentialList
+    plural: keystoneapplicationcredentials
+    shortNames:
+    - appcred
+    singular: keystoneapplicationcredential
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: Keystone ApplicationCredential ID
+      jsonPath: .status.acID
+      name: ACID
+      type: string
+    - description: Secret holding ApplicationCredential secret
+      jsonPath: .status.secretName
+      name: SecretName
+      type: string
+    - description: Last rotation time
+      format: date-time
+      jsonPath: .status.lastRotated
+      name: LastRotated
+      type: string
+    - description: When rotation becomes eligible
+      format: date-time
+      jsonPath: .status.rotationEligibleAt
+      name: RotationEligible
+      type: string
+    - description: Status
+      jsonPath: .status.conditions[0].status
+      name: Status
+      type: string
+    - description: Message
+      jsonPath: .status.conditions[0].message
+      name: Message
+      type: string
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: KeystoneApplicationCredential is the Schema for the applicationcredentials
+          API
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: KeystoneApplicationCredentialSpec defines what the user can
+              set
+            properties:
+              accessRules:
+                description: AccessRules defines which services the ApplicationCredential
+                  is permitted to access
+                items:
+                  description: ACRule defines an access rule for an ApplicationCredential
+                  properties:
+                    method:
+                      description: Method is the HTTP verb to allow
+                      enum:
+                      - GET
+                      - HEAD
+                      - POST
+                      - PUT
+                      - PATCH
+                      - DELETE
+                      type: string
+                    path:
+                      description: Path is the API path to allow
+                      minLength: 1
+                      type: string
+                    service:
+                      description: Service is the OpenStack service type
+                      minLength: 1
+                      type: string
+                  required:
+                  - method
+                  - path
+                  - service
+                  type: object
+                type: array
+              expirationDays:
+                default: 365
+                description: ExpirationDays sets the lifetime in days for the ApplicationCredential
+                minimum: 2
+                type: integer
+              gracePeriodDays:
+                default: 182
+                description: GracePeriodDays sets how many days before expiration
+                  the ApplicationCredential should be rotated
+                minimum: 1
+                type: integer
+              passwordSelector:
+                description: PasswordSelector for extracting the service password
+                minLength: 1
+                type: string
+              roles:
+                description: Roles to assign to the ApplicationCredential
+                items:
+                  type: string
+                minItems: 1
+                type: array
+              secret:
+                description: Secret containing service user password
+                minLength: 1
+                type: string
+              unrestricted:
+                default: false
+                description: Unrestricted indicates whether the ApplicationCredential
+                  may be used to create or destroy other credentials or trusts
+                type: boolean
+              userName:
+                description: UserName - the Keystone user under which this ApplicationCredential
+                  is created
+                type: string
+            required:
+            - passwordSelector
+            - roles
+            - secret
+            - userName
+            type: object
+            x-kubernetes-validations:
+            - message: gracePeriodDays must be smaller than expirationDays
+              rule: self.gracePeriodDays < self.expirationDays
+          status:
+            description: KeystoneApplicationCredentialStatus defines the observed
+              state
+            properties:
+              acID:
+                description: ACID - the ID in Keystone for this ApplicationCredential
+                type: string
+              conditions:
+                description: Conditions
+                items:
+                  description: Condition defines an observation of a API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        Last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed. If that is not known, then using the time when
+                        the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase.
+                      type: string
+                    severity:
+                      description: |-
+                        Severity provides a classification of Reason code, so the current situation is immediately
+                        understandable and could act accordingly.
+                        It is meant for situations where Status=False and it should be indicated if it is just
+                        informational, warning (next reconciliation might fix it) or an error (e.g. DB create issue
+                        and no actions to automatically resolve the issue can/should be done).
+                        For conditions where Status=Unknown or Status=True the Severity should be SeverityNone.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase.
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - status
+                  - type
+                  type: object
+                type: array
+              createdAt:
+                description: CreatedAt - timestap of creation
+                format: date-time
+                type: string
+              expiresAt:
+                description: ExpiresAt - time of validity expiration
+                format: date-time
+                type: string
+              lastRotated:
+                description: LastRotated - timestamp when credentials were last rotated
+                format: date-time
+                type: string
+              observedGeneration:
+                description: ObservedGeneration - the most recent generation observed
+                  for this ApplicationCredential.
+                format: int64
+                type: integer
+              rotationEligibleAt:
+                description: |-
+                  RotationEligibleAt indicates when rotation becomes eligible (start of grace period window).
+                  Computed as ExpiresAt - GracePeriodDays. The AC can be rotated after this timestamp.
+                format: date-time
+                type: string
+              secretName:
+                description: SecretName - name of the k8s Secret storing the ApplicationCredential
+                  secret
+                type: string
+              securityHash:
+                description: |-
+                  SecurityHash tracks the hash of security-critical spec fields (roles, accessRules, unrestricted).
+                  Used to detect when these fields change and trigger immediate rotation.
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/api/v1beta1/conditions.go b/api/v1beta1/conditions.go
@@ -35,6 +35,9 @@ const (
 
 	// KeystoneServiceOSUserReadyCondition Status=True condition which indicates if the service user got created in the keystone instance is ready/was successful
 	KeystoneServiceOSUserReadyCondition condition.Type = "KeystoneServiceOSUserReady"
+
+	// KeystoneApplicationCredentialReadyCondition Status=True condition which indicates if the ApplicationCredential has been created and is ready
+	KeystoneApplicationCredentialReadyCondition condition.Type = "KeystoneApplicationCredentialReady"
 )
 
 // Common Messages used by API objects.
@@ -112,4 +115,18 @@ const (
 	// KeystoneServiceOSUserReadyErrorMessage
 	KeystoneServiceOSUserReadyErrorMessage = "Keystone Service user error occured %s"
 
+	//
+	// KeystoneApplicationCredentialReady condition messages
+	//
+	// KeystoneApplicationCredentialReadyInitMessage
+	KeystoneApplicationCredentialReadyInitMessage = "ApplicationCredential not yet created"
+
+	// KeystoneApplicationCredentialReadyMessage
+	KeystoneApplicationCredentialReadyMessage = "ApplicationCredential ready"
+
+	// KeystoneApplicationCredentialWaitingMessage
+	KeystoneApplicationCredentialWaitingMessage = "ApplicationCredential waiting for secret %s to be available"
+
+	// KeystoneApplicationCredentialReadyErrorMessage
+	KeystoneApplicationCredentialReadyErrorMessage = "ApplicationCredential error occurred: %s"
 )