Rabbitmq vhost and user support

Add new messagingBus and notificationsBus interfaces to hold cluster,
user and vhost names for optional usage.
The controller adds these values to the TransportURL create request when present.

Additionally, we migrate RabbitMQ cluster name to RabbitMq config struct
using DefaultRabbitMqConfig from infra-operator to automatically
populate the new Cluster field from legacy RabbitMqClusterName.

Example usage:

  spec:
    messagingBus:
      cluster: rpc-rabbitmq
      user: rpc-user
      vhost: rpc-vhost
    notificationsBus:
      cluster: notifications-rabbitmq
      user: notifications-user
      vhost: notifications-vhost

Finally, we add the rabbitmquser crs to the secret so they can be
stored for dataplane finalizers management and do auto cleanup of orphaned
users after credential rotations.

Jira: https://issues.redhat.com/browse/OSPRH-22697

Author: lmiccini

api/bases/nova.openstack.org_nova.yaml

@@ -540,6 +540,23 @@ spec:
                         MemcachedInstance is the name of the Memcached CR that the services in the cell will use.
                         If defined then this takes precedence over Nova.Spec.MemcachedInstance for this cel
                       type: string
+                    messagingBus:
+                      description: MessagingBus configuration (username, vhost, and
+                        cluster)
+                      properties:
+                        cluster:
+                          description: Name of the cluster
+                          minLength: 1
+                          type: string
+                        user:
+                          description: User - RabbitMQ username
+                          type: string
+                        vhost:
+                          description: Vhost - RabbitMQ vhost name
+                          type: string
+                      required:
+                      - cluster
+                      type: object
                     metadataServiceTemplate:
                       description: |-
                         MetadataServiceTemplate - defines the metadata service dedicated for the
@@ -1340,6 +1357,22 @@ spec:
                 description: MemcachedInstance is the name of the Memcached CR that
                   all nova service will use.
                 type: string
+              messagingBus:
+                description: MessagingBus configuration (username, vhost, and cluster)
+                properties:
+                  cluster:
+                    description: Name of the cluster
+                    minLength: 1
+                    type: string
+                  user:
+                    description: User - RabbitMQ username
+                    type: string
+                  vhost:
+                    description: Vhost - RabbitMQ vhost name
+                    type: string
+                required:
+                - cluster
+                type: object
               metadataContainerImageURL:
                 description: MetadataContainerImageURL
                 type: string
@@ -1648,6 +1681,23 @@ spec:
                   NodeSelector here acts as a default value and can be overridden by service
                   specific NodeSelector Settings.
                 type: object
+              notificationsBus:
+                description: NotificationsBus configuration (username, vhost, and
+                  cluster) for notifications
+                properties:
+                  cluster:
+                    description: Name of the cluster
+                    minLength: 1
+                    type: string
+                  user:
+                    description: User - RabbitMQ username
+                    type: string
+                  vhost:
+                    description: Vhost - RabbitMQ vhost name
+                    type: string
+                required:
+                - cluster
+                type: object
               notificationsBusInstance:
                 description: |-
                   NotificationsBusInstance is the name of the RabbitMqCluster CR to select

api/go.mod

@@ -18,7 +18,6 @@ require (
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
-	github.com/evanphx/json-patch v5.9.11+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
@@ -45,6 +44,7 @@ require (
 	github.com/prometheus/client_model v0.6.2 // indirect
 	github.com/prometheus/common v0.65.0 // indirect
 	github.com/prometheus/procfs v0.16.1 // indirect
+	github.com/rabbitmq/cluster-operator/v2 v2.16.0 // indirect
 	github.com/spf13/pflag v1.0.7 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
@@ -70,6 +70,9 @@ require (
 	sigs.k8s.io/yaml v1.6.0 // indirect
 )
 
+// Use lmiccini's infra-operator branch with status.RabbitmqUserRef support
+replace github.com/openstack-k8s-operators/infra-operator/apis => github.com/lmiccini/infra-operator/apis v0.0.0-20260116071214-b5e11cdcbab3
+
 // mschuppert: map to latest commit from release-4.16 tag
 // must consistent within modules and service operators
 replace github.com/openshift/api => github.com/openshift/api v0.0.0-20250711200046-c86d80652a9e //allow-merging

api/go.sum

@@ -1,3 +1,4 @@
+github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
 github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
 github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -64,6 +65,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
+github.com/lmiccini/infra-operator/apis v0.0.0-20260116071214-b5e11cdcbab3 h1:S1WlXTdXw0PA0yZT1acQ1Jwxf/zLGdF2R9DAxbtpVRw=
+github.com/lmiccini/infra-operator/apis v0.0.0-20260116071214-b5e11cdcbab3/go.mod h1:ZXwFlspJCdZEUjMbmaf61t5AMB4u2vMyAMMoe/vJroE=
 github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4=
 github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -78,10 +81,10 @@ github.com/onsi/ginkgo/v2 v2.27.4 h1:fcEcQW/A++6aZAZQNUmNjvA9PSOzefMJBerHJ4t8v8Y
 github.com/onsi/ginkgo/v2 v2.27.4/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/onsi/gomega v1.38.3 h1:eTX+W6dobAYfFeGC2PV6RwXRu/MyT+cQguijutvkpSM=
 github.com/onsi/gomega v1.38.3/go.mod h1:ZCU1pkQcXDO5Sl9/VVEGlDyp+zm0m1cmeG5TOzLgdh4=
-github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260108154501-11e5091cddf1 h1:zAbZVtpldi1TU/CO9aU2ZByzcsi+N3aIv6snpSjBVLY=
-github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260108154501-11e5091cddf1/go.mod h1:ZXwFlspJCdZEUjMbmaf61t5AMB4u2vMyAMMoe/vJroE=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20251230215914-6ba873b49a35 h1:pF3mJ3nwq6r4qwom+rEWZNquZpcQW/iftHlJ1KPIDsk=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20251230215914-6ba873b49a35/go.mod h1:kycZyoe7OZdW1HUghr2nI3N7wSJtNahXf6b/ypD14f4=
+github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20250929174222-a0d328fa4dec h1:saovr368HPAKHN0aRPh8h8n9s9dn3d8Frmfua0UYRlc=
+github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20250929174222-a0d328fa4dec/go.mod h1:Nh2NEePLjovUQof2krTAg4JaAoLacqtPTZQXK6izNfg=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=

api/v1beta1/nova_types.go

@@ -17,6 +17,7 @@ limitations under the License.
 package v1beta1
 
 import (
+	rabbitmqv1 "github.com/openstack-k8s-operators/infra-operator/apis/rabbitmq/v1beta1"
 	topologyv1 "github.com/openstack-k8s-operators/infra-operator/apis/topology/v1beta1"
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -49,6 +50,10 @@ type NovaSpecCore struct {
 	// communicate.
 	APIMessageBusInstance string `json:"apiMessageBusInstance"`
 
+	// +kubebuilder:validation:Optional
+	// MessagingBus configuration (username, vhost, and cluster)
+	MessagingBus rabbitmqv1.RabbitMqConfig `json:"messagingBus,omitempty"`
+
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:default={cell0: {cellDatabaseAccount: nova-cell0, hasAPIAccess: true}, cell1: {cellDatabaseAccount: nova-cell1, cellDatabaseInstance: openstack-cell1, cellMessageBusInstance: rabbitmq-cell1, hasAPIAccess: true}}
 	// Cells is a mapping of cell names to NovaCellTemplate objects defining
@@ -131,6 +136,10 @@ type NovaSpecCore struct {
 	// Avoid colocating it with RabbitMqClusterName, APIMessageBusInstance or CellMessageBusInstance used for RPC.
 	// For particular Nova cells, notifications cannot be disabled, nor configured differently.
 	NotificationsBusInstance *string `json:"notificationsBusInstance,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// NotificationsBus configuration (username, vhost, and cluster) for notifications
+	NotificationsBus *rabbitmqv1.RabbitMqConfig `json:"notificationsBus,omitempty"`
 }
 
 // NovaSpec defines the desired state of Nova

api/v1beta1/nova_webhook.go

@@ -26,6 +26,7 @@ import (
 	"fmt"
 
 	"github.com/google/go-cmp/cmp"
+	rabbitmqv1 "github.com/openstack-k8s-operators/infra-operator/apis/rabbitmq/v1beta1"
 	service "github.com/openstack-k8s-operators/lib-common/modules/common/service"
 	"github.com/robfig/cron/v3"
 
@@ -88,6 +89,24 @@ func (spec *NovaSpecCore) Default() {
 		spec.APITimeout = novaDefaults.APITimeout
 	}
 
+	// Default MessagingBus.Cluster from APIMessageBusInstance if not already set
+	if spec.MessagingBus.Cluster == "" {
+		spec.MessagingBus.Cluster = spec.APIMessageBusInstance
+	}
+
+	// Default NotificationsBus if NotificationsBusInstance is specified
+	if spec.NotificationsBusInstance != nil && *spec.NotificationsBusInstance != "" {
+		if spec.NotificationsBus == nil {
+			// Initialize empty NotificationsBus - credentials will be created dynamically
+			// to ensure separation from MessagingBus (RPC and notifications should never share credentials)
+			spec.NotificationsBus = &rabbitmqv1.RabbitMqConfig{}
+		}
+		// Default cluster name if not already set
+		if spec.NotificationsBus.Cluster == "" {
+			spec.NotificationsBus.Cluster = *spec.NotificationsBusInstance
+		}
+	}
+
 	for cellName, cellTemplate := range spec.CellTemplates {
 
 		if cellTemplate.MetadataServiceTemplate.Enabled == nil {
@@ -106,6 +125,11 @@ func (spec *NovaSpecCore) Default() {
 			}
 		}
 
+		// Default MessagingBus.Cluster from CellMessageBusInstance if not already set
+		if cellTemplate.MessagingBus.Cluster == "" {
+			cellTemplate.MessagingBus.Cluster = cellTemplate.CellMessageBusInstance
+		}
+
 		// "cellTemplate" is a by-value copy, so we need to re-inject the updated version of it into the map
 		spec.CellTemplates[cellName] = cellTemplate
 	}
@@ -138,18 +162,34 @@ func (spec *NovaSpecCore) ValidateCellTemplates(basePath *field.Path, namespace
 			cell.TopologyRef, *basePath.Child("topologyRef"), namespace)...)
 
 		if name != Cell0Name {
-			if dupName, ok := cellMessageBusNames[cell.CellMessageBusInstance]; ok {
+			// Determine which rabbit cluster this cell is using
+			// Prefer the new MessagingBus.Cluster field, fall back to deprecated CellMessageBusInstance
+			var cellCluster string
+			if cell.MessagingBus.Cluster != "" {
+				cellCluster = cell.MessagingBus.Cluster
+			} else {
+				cellCluster = cell.CellMessageBusInstance
+			}
+
+			// Check if this rabbit cluster is already used by another cell
+			if dupName, ok := cellMessageBusNames[cellCluster]; ok {
+				// Determine which field to report the error on
+				fieldPath := cellPath.Child("messagingBus").Child("cluster")
+				if cell.MessagingBus.Cluster == "" {
+					fieldPath = cellPath.Child("cellMessageBusInstance")
+				}
+
 				errors = append(errors, field.Invalid(
-					cellPath.Child("cellMessageBusInstance"),
-					cell.CellMessageBusInstance,
+					fieldPath,
+					cellCluster,
 					fmt.Sprintf(
 						"RabbitMqCluster CR need to be uniq per cell. It's duplicated with cell: %s",
 						dupName),
 				),
 				)
 			}
 
-			cellMessageBusNames[cell.CellMessageBusInstance] = name
+			cellMessageBusNames[cellCluster] = name
 		}
 		if *cell.MetadataServiceTemplate.Enabled && *spec.MetadataServiceTemplate.Enabled {
 			errors = append(
@@ -315,7 +355,78 @@ func (spec *NovaSpec) ValidateUpdate(old NovaSpec, basePath *field.Path, namespa
 // expected to be called by the validation webhook in the higher level meta
 // operator
 func (spec *NovaSpecCore) ValidateUpdate(old NovaSpecCore, basePath *field.Path, namespace string) field.ErrorList {
-	errors := spec.ValidateCellTemplates(basePath, namespace)
+	var errors field.ErrorList
+
+	// Validate deprecated fields and their new equivalents
+	// Don't allow setting both old and new fields with different values
+	// Users can either set both to the same value, or null out the old field and set the new one
+	if spec.APIMessageBusInstance != "" && spec.MessagingBus.Cluster != "" &&
+		spec.APIMessageBusInstance != spec.MessagingBus.Cluster {
+		errors = append(errors, field.Invalid(
+			basePath.Child("messagingBus").Child("cluster"),
+			spec.MessagingBus.Cluster,
+			fmt.Sprintf("messagingBus.cluster cannot differ from deprecated apiMessageBusInstance (%s). "+
+				"Either use the new messagingBus.cluster field or the deprecated apiMessageBusInstance, but not both with different values",
+				spec.APIMessageBusInstance)))
+	}
+
+	// Reject changes to deprecated field unless nulling it out
+	if spec.APIMessageBusInstance != old.APIMessageBusInstance && spec.APIMessageBusInstance != "" {
+		errors = append(errors, field.Forbidden(
+			basePath.Child("apiMessageBusInstance"),
+			"apiMessageBusInstance is deprecated and cannot be changed. Please use messagingBus.cluster instead"))
+	}
+
+	// Similar validation for NotificationsBusInstance
+	// Don't allow setting both old and new fields with different values
+	if spec.NotificationsBusInstance != nil && *spec.NotificationsBusInstance != "" &&
+		spec.NotificationsBus != nil && spec.NotificationsBus.Cluster != "" &&
+		*spec.NotificationsBusInstance != spec.NotificationsBus.Cluster {
+		errors = append(errors, field.Invalid(
+			basePath.Child("notificationsBus").Child("cluster"),
+			spec.NotificationsBus.Cluster,
+			fmt.Sprintf("notificationsBus.cluster cannot differ from deprecated notificationsBusInstance (%s). "+
+				"Either use the new notificationsBus.cluster field or the deprecated notificationsBusInstance, but not both with different values",
+				*spec.NotificationsBusInstance)))
+	}
+
+	// Reject changes to deprecated field unless nulling it out
+	if spec.NotificationsBusInstance != nil && old.NotificationsBusInstance != nil &&
+		*spec.NotificationsBusInstance != *old.NotificationsBusInstance &&
+		*spec.NotificationsBusInstance != "" {
+		errors = append(errors, field.Forbidden(
+			basePath.Child("notificationsBusInstance"),
+			"notificationsBusInstance is deprecated and cannot be changed. Please use notificationsBus.cluster instead"))
+	}
+
+	// Check cell template changes
+	for cellName, cellTemplate := range spec.CellTemplates {
+		if oldCell, exists := old.CellTemplates[cellName]; exists {
+			cellPath := basePath.Child("cellTemplates").Key(cellName)
+
+			// Don't allow setting both old and new fields with different values
+			// Users can either set both to the same value, or null out the old field and set the new one
+			if cellTemplate.CellMessageBusInstance != "" && cellTemplate.MessagingBus.Cluster != "" &&
+				cellTemplate.CellMessageBusInstance != cellTemplate.MessagingBus.Cluster {
+				errors = append(errors, field.Invalid(
+					cellPath.Child("messagingBus").Child("cluster"),
+					cellTemplate.MessagingBus.Cluster,
+					fmt.Sprintf("messagingBus.cluster cannot differ from deprecated cellMessageBusInstance (%s). "+
+						"Either use the new messagingBus.cluster field or the deprecated cellMessageBusInstance, but not both with different values",
+						cellTemplate.CellMessageBusInstance)))
+			}
+
+			// Reject changes to deprecated field unless nulling it out
+			if cellTemplate.CellMessageBusInstance != oldCell.CellMessageBusInstance &&
+				cellTemplate.CellMessageBusInstance != "" {
+				errors = append(errors, field.Forbidden(
+					cellPath.Child("cellMessageBusInstance"),
+					"cellMessageBusInstance is deprecated and cannot be changed. Please use messagingBus.cluster instead"))
+			}
+		}
+	}
+
+	errors = append(errors, spec.ValidateCellTemplates(basePath, namespace)...)
 	// Validate top-level TopologyRef
 	errors = append(errors, topologyv1.ValidateTopologyRef(
 		spec.TopologyRef, *basePath.Child("topologyRef"), namespace)...)

api/v1beta1/novacell_types.go

@@ -17,6 +17,7 @@ limitations under the License.
 package v1beta1
 
 import (
+	rabbitmqv1 "github.com/openstack-k8s-operators/infra-operator/apis/rabbitmq/v1beta1"
 	topologyv1 "github.com/openstack-k8s-operators/infra-operator/apis/topology/v1beta1"
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
@@ -51,6 +52,10 @@ type NovaCellTemplate struct {
 	// communicate in this cell. For cell0 it is unused.
 	CellMessageBusInstance string `json:"cellMessageBusInstance"`
 
+	// +kubebuilder:validation:Optional
+	// MessagingBus configuration (username, vhost, and cluster)
+	MessagingBus rabbitmqv1.RabbitMqConfig `json:"messagingBus,omitempty"`
+
 	// +kubebuilder:validation:Required
 	// HasAPIAccess defines if this Cell is configured to have access to the
 	// API DB and message bus.