Adding passwordSelectors and secret to CR generation

Signed-off-by: Veronika Fisarova <[email protected]>

Author: Deydra71

apis/go.mod

@@ -116,4 +116,4 @@ replace github.com/openshift/api => github.com/openshift/api v0.0.0-202408300231
 // custom RabbitmqClusterSpecCore for OpenStackControlplane (v2.9.0_patches_tag)
 replace github.com/rabbitmq/cluster-operator/v2 => github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20241017142550-a3524acedd49 //allow-merging
 
-replace github.com/openstack-k8s-operators/keystone-operator/api => github.com/Deydra71/keystone-operator/api v0.0.0-20250507073641-38cb51217a45
+replace github.com/openstack-k8s-operators/keystone-operator/api => github.com/Deydra71/keystone-operator/api v0.0.0-20250514070500-15fcdb912b2c

apis/go.sum

@@ -1,5 +1,5 @@
-github.com/Deydra71/keystone-operator/api v0.0.0-20250507073641-38cb51217a45 h1:c13rfNoKIXAd5R/k1D5wCBWtsR31xylSaiXKmfaAI4w=
-github.com/Deydra71/keystone-operator/api v0.0.0-20250507073641-38cb51217a45/go.mod h1:VPkYswnrCtlSMTeYjgxTOpfNN7zvxqa+kZ8EWDJaFrg=
+github.com/Deydra71/keystone-operator/api v0.0.0-20250514070500-15fcdb912b2c h1:DXnHQg/+AjMsoJqvQEusjkyjOsOPGbKJ8uRVLyTkseQ=
+github.com/Deydra71/keystone-operator/api v0.0.0-20250514070500-15fcdb912b2c/go.mod h1:VPkYswnrCtlSMTeYjgxTOpfNN7zvxqa+kZ8EWDJaFrg=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/cert-manager/cert-manager v1.14.7 h1:C2L59sMGMdSpd8SPx5qfPAL7ejZaNxJBRd24S7Ws5Ek=
@@ -118,30 +118,30 @@ github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.2025050814
 github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20250508141203-be026d3164f7/go.mod h1:UwHXRIrMSPJD3lFqrA4oKmRXVLFQCRkLAj9x6KLEHiQ=
 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20250423055245-3cb2ae8df6f0 h1:FAHrScvlj6w17wvcDhJ0ZnmraMrrOX1CxzvqZK595hA=
 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20250423055245-3cb2ae8df6f0/go.mod h1:fesgTbs2j30Fhw2hebXkPgbeAIqG0Yk2oaeOklAInZg=
-github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20250419062702-0acec6a591c8 h1:oLY6iMNPe3/L5S8EvNcjvfWd1tbCNgfQ+iSnv3UCB0U=
-github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20250419062702-0acec6a591c8/go.mod h1:5+v92XC/PRATIiBrhNLEpJ+T4R9JpxBCgRP6QvbfwgE=
-github.com/openstack-k8s-operators/manila-operator/api v0.6.1-0.20250401095833-93bc034c64a9 h1:xQI2xgWLETETgm3bC9d5hrJygNTnDI6sGL+lgL2ucR8=
-github.com/openstack-k8s-operators/manila-operator/api v0.6.1-0.20250401095833-93bc034c64a9/go.mod h1:P4xWHFGuDyLtxW+EIvDS3A37uydYxG6ggVggA9/a5LA=
-github.com/openstack-k8s-operators/mariadb-operator/api v0.6.1-0.20250328081634-08026fd530d9 h1:BjuLQisbx6maIP+7pHheci+iW5lQiRMJOKE+1r4Ug6E=
-github.com/openstack-k8s-operators/mariadb-operator/api v0.6.1-0.20250328081634-08026fd530d9/go.mod h1:oOyOnJHMTEqy4Idzzm1E9HFl45Y1hVQ+V+AHEhMLzwk=
-github.com/openstack-k8s-operators/neutron-operator/api v0.6.1-0.20250401073502-1e282b4746cd h1:YUrPl8cBWGlEVeGVFh1nGhf+FnjKnX4K6g+1nOe5e98=
-github.com/openstack-k8s-operators/neutron-operator/api v0.6.1-0.20250401073502-1e282b4746cd/go.mod h1:iqNMhLVQY3W9y6qoRPd9orJMCogw8KgD3GjAvCVLO1Q=
-github.com/openstack-k8s-operators/nova-operator/api v0.6.1-0.20250402053313-b88da4dd7a62 h1:xZkgup6a3svAwNxDQ6tGBpD6EMKZE/JUA6eM6yGlHxk=
-github.com/openstack-k8s-operators/nova-operator/api v0.6.1-0.20250402053313-b88da4dd7a62/go.mod h1:AufhARPECqf9N0jfzIswTvv89jd7f3YChXsE17rVgio=
-github.com/openstack-k8s-operators/octavia-operator/api v0.6.1-0.20250406092807-8386f9655c0b h1:YnKepfaft8wY/wpOkgGgM56qruzMP2wDj07xWpddxro=
-github.com/openstack-k8s-operators/octavia-operator/api v0.6.1-0.20250406092807-8386f9655c0b/go.mod h1:0z/P1Yhk7h5nnx8bLMz3gSSoqo+dFRwJG1O14qVtsuQ=
-github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.6.1-0.20250402113637-b66aeb654907 h1:pNUuydkvSeUFhCinCLC8KKxr/RBPcu8VqXlBDK81mDc=
-github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.6.1-0.20250402113637-b66aeb654907/go.mod h1:RZj8UXrq5Sg6a8SP3R4kzpQbHxM1bBCYPc3ecDfuQPQ=
-github.com/openstack-k8s-operators/ovn-operator/api v0.6.1-0.20250418131034-8c1e46e5dd08 h1:bqyBhXpZ77a1daC9mCYuP8uwqTLcVcS8xZcbIhCzzMQ=
-github.com/openstack-k8s-operators/ovn-operator/api v0.6.1-0.20250418131034-8c1e46e5dd08/go.mod h1:wlRoylGCfu6weUrvRARU1yAKl8hza9X6LAENB7XVIkw=
-github.com/openstack-k8s-operators/placement-operator/api v0.6.1-0.20250420191048-db23ac9a6ff9 h1:zdb3m91+JLLgQMxO/aEL7Tqrtx49uQm05IPS662IVHI=
-github.com/openstack-k8s-operators/placement-operator/api v0.6.1-0.20250420191048-db23ac9a6ff9/go.mod h1:r2KGHWjHqpF4e3R3JiQTICgHqjcTUbzL7c3Uv/ZEndg=
+github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20250508141203-be026d3164f7 h1:N7HNoUrjqrWZWWcQdtaZubrQ1pFeWai1Cbls0RoCjK8=
+github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20250508141203-be026d3164f7/go.mod h1:5+v92XC/PRATIiBrhNLEpJ+T4R9JpxBCgRP6QvbfwgE=
+github.com/openstack-k8s-operators/manila-operator/api v0.6.1-0.20250429110312-bdf0391aca8b h1:uNdpmQF3mORCgZ4D78Dy0FjT8p0YGfsjTW0nPtYNMnU=
+github.com/openstack-k8s-operators/manila-operator/api v0.6.1-0.20250429110312-bdf0391aca8b/go.mod h1:hoGpPnwLpUBj+xYJIVkXMsk5CKs3rMO3XDkc/z9MplI=
+github.com/openstack-k8s-operators/mariadb-operator/api v0.6.1-0.20250429105455-119a21fd879a h1:IHGE1rUzvonx1Vsfk4QgetGfOr6z0CB5idbu3NBUUSA=
+github.com/openstack-k8s-operators/mariadb-operator/api v0.6.1-0.20250429105455-119a21fd879a/go.mod h1:ZgHSxZSgpgHg1FhKPnBm/cqxAJbVFbKiBkqQoRohn3Q=
+github.com/openstack-k8s-operators/neutron-operator/api v0.6.1-0.20250508051221-25c4196e4eb6 h1:POLDrWP4IZG6a0VM8gdOp47vwbU/SSB9XWO3ajOJK2E=
+github.com/openstack-k8s-operators/neutron-operator/api v0.6.1-0.20250508051221-25c4196e4eb6/go.mod h1:OWHUfGoYVAEIQ7paLAl4Cz5CrQfMZt8O+YKqbi4Xp4Q=
+github.com/openstack-k8s-operators/nova-operator/api v0.6.1-0.20250505091323-48288280c311 h1:+7Eb3lvH0dS6LqIL0lgGbXG1MpeRws8qxBjWFz7gcEs=
+github.com/openstack-k8s-operators/nova-operator/api v0.6.1-0.20250505091323-48288280c311/go.mod h1:NNhtdwoGV4PW+Ca4KwoNM1EaEWFc9Rf4N7T1gz0bNQo=
+github.com/openstack-k8s-operators/octavia-operator/api v0.6.1-0.20250507174955-d28d78d74950 h1:ARB9OsmhoC6Ix6gbLaaYUH80YuHrh0Cc53jwgrsawnE=
+github.com/openstack-k8s-operators/octavia-operator/api v0.6.1-0.20250507174955-d28d78d74950/go.mod h1:w7rPsKhoPDf/l9G+d2BhOrEGAl11+/ZCzn3UX6/+qEQ=
+github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.6.1-0.20250429095646-8b102b4956dd h1:1GZyxBISQ7QkDmbrluLNebkATdVoaP7u9ODln5h1jrQ=
+github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.6.1-0.20250429095646-8b102b4956dd/go.mod h1:X/4IL9CBeWJWxMsqz9RVHEbDvpNNuHq43mqg2jVaKZg=
+github.com/openstack-k8s-operators/ovn-operator/api v0.6.1-0.20250509053924-33a097e86b88 h1:ssCpLmyH680EEJEIsaMIa5XCTMV+MXt7urhy1k32Ar4=
+github.com/openstack-k8s-operators/ovn-operator/api v0.6.1-0.20250509053924-33a097e86b88/go.mod h1:iLeHkckueEEBrkgOmmbKC8tP8ezIzJngd8buO2gQF40=
+github.com/openstack-k8s-operators/placement-operator/api v0.6.1-0.20250507105601-d9bf51effcc2 h1:bOudfZtQYSPjUMCBeauMcF+L7p6nc3apZwTd51fBmEo=
+github.com/openstack-k8s-operators/placement-operator/api v0.6.1-0.20250507105601-d9bf51effcc2/go.mod h1:BPX8qRwZyFVkyS1ttgzQrKFL+p3iXeh6Br+Q5ljL+YE=
 github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20241017142550-a3524acedd49 h1:/7SnnHfGCH/dwuZFNUx54zw4cnwv2w6hjONq16aoowM=
 github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20241017142550-a3524acedd49/go.mod h1:6Mq2N/KtNFW20L+PQC5qkeK8R8UGadmGBXL8HDY6lcg=
-github.com/openstack-k8s-operators/swift-operator/api v0.6.1-0.20250415061104-ec26f3967b8e h1:W4xVCUt0GL5vjIeodLyHwJnFO/z7ZO/Qr5tzSNcgnao=
-github.com/openstack-k8s-operators/swift-operator/api v0.6.1-0.20250415061104-ec26f3967b8e/go.mod h1:F6yh/lGjYlSDPVMUKGuKRiSSPq/+se54ciobRz4+nlg=
-github.com/openstack-k8s-operators/telemetry-operator/api v0.6.1-0.20250420191048-a2d55f55d5da h1:/Tjdeb1Y3MuLQy6p5ezNvWLNlmyUG+2i8fOCVfRfQkg=
-github.com/openstack-k8s-operators/telemetry-operator/api v0.6.1-0.20250420191048-a2d55f55d5da/go.mod h1:meN7CoBND2usExOU7D02sSyplgxS0r2NAGh1IyDPWA4=
+github.com/openstack-k8s-operators/swift-operator/api v0.6.1-0.20250429071246-b912d22ca9aa h1:F1LC6mmIfCWGcJPwVOFLl1/pUjiVPjupzr1tgp8JGJ4=
+github.com/openstack-k8s-operators/swift-operator/api v0.6.1-0.20250429071246-b912d22ca9aa/go.mod h1:wwAjceRRL7sWtYgQeN6r0qiCI197q7DsLsdWIoLu3iA=
+github.com/openstack-k8s-operators/telemetry-operator/api v0.6.1-0.20250509120424-5d61299fe6f5 h1:K6Oo4fwrkjJfL9NSaeTDUgFCVfeEnKWXW83zWp0qqa0=
+github.com/openstack-k8s-operators/telemetry-operator/api v0.6.1-0.20250509120424-5d61299fe6f5/go.mod h1:h5/tGFgA8vjotBagBWoOISTvOSOSuBjLZdJqVmnxNfU=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=

bindata/crds/keystone.openstack.org_applicationcredentials.yaml

@@ -70,6 +70,13 @@ spec:
                   the AC should be rotated
                 minimum: 1
                 type: integer
+              passwordSelector:
+                description: PasswordSelector for extracting the service password
+                type: string
+              secret:
+                default: osp-secret
+                description: Secret containing service user password
+                type: string
               userName:
                 description: UserName - the Keystone user under which this AC is created
                 type: string

go.mod

@@ -128,4 +128,4 @@ replace github.com/openshift/api => github.com/openshift/api v0.0.0-202408300231
 // custom RabbitmqClusterSpecCore for OpenStackControlplane (v2.9.0_patches_tag)
 replace github.com/rabbitmq/cluster-operator/v2 => github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20241017142550-a3524acedd49 //allow-merging
 
-replace github.com/openstack-k8s-operators/keystone-operator/api => github.com/Deydra71/keystone-operator/api v0.0.0-20250507073641-38cb51217a45
+replace github.com/openstack-k8s-operators/keystone-operator/api => github.com/Deydra71/keystone-operator/api v0.0.0-20250514070500-15fcdb912b2c

go.sum

@@ -1,5 +1,5 @@
-github.com/Deydra71/keystone-operator/api v0.0.0-20250507073641-38cb51217a45 h1:c13rfNoKIXAd5R/k1D5wCBWtsR31xylSaiXKmfaAI4w=
-github.com/Deydra71/keystone-operator/api v0.0.0-20250507073641-38cb51217a45/go.mod h1:VPkYswnrCtlSMTeYjgxTOpfNN7zvxqa+kZ8EWDJaFrg=
+github.com/Deydra71/keystone-operator/api v0.0.0-20250514070500-15fcdb912b2c h1:DXnHQg/+AjMsoJqvQEusjkyjOsOPGbKJ8uRVLyTkseQ=
+github.com/Deydra71/keystone-operator/api v0.0.0-20250514070500-15fcdb912b2c/go.mod h1:VPkYswnrCtlSMTeYjgxTOpfNN7zvxqa+kZ8EWDJaFrg=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/cert-manager/cert-manager v1.14.7 h1:C2L59sMGMdSpd8SPx5qfPAL7ejZaNxJBRd24S7Ws5Ek=
@@ -116,8 +116,6 @@ github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20250512104855-4
 github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20250512104855-47f817ef8ff8/go.mod h1:47iJk3vedZWnBkZyNyYij4ma2HjG4l2VCqKz3f+XDkQ=
 github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20250505201920-2f6d0b9f6aed h1:Osy/pq1qQ0nxwcATpUOo8bz00MngiBYjHv/9Ov5iuxw=
 github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20250505201920-2f6d0b9f6aed/go.mod h1:n8mWh/qZZSieuDEnkTZyhDc5UeVyUHC3YSYMzdVbbVo=
-github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20250506083817-ce591b464a0f h1:FR9Wuamrt2h5Dnn3Q1ySXcEZ9OaKDgpSJSA7QBh2jP4=
-github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20250506083817-ce591b464a0f/go.mod h1:xmEVdGGDz4pqPyzgR6oAZbeomz00Co68OyvsYNoT3Z0=
 github.com/openstack-k8s-operators/lib-common/modules/ansible v0.6.1-0.20250508141203-be026d3164f7 h1:RBYAybZcCzbSeR3XwqahBYRe9u9HeWkwidJcBDVv4bg=
 github.com/openstack-k8s-operators/lib-common/modules/ansible v0.6.1-0.20250508141203-be026d3164f7/go.mod h1:0bajRHochTUT6Ecfriw27l3vL0yezVrnUmt3bcIpu4w=
 github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.6.1-0.20250508141203-be026d3164f7 h1:0tpgz3x6REAZGwOqnGFVwlTt4Hf5mm/EAdleW2NJbxU=

pkg/openstack/applicationcredential.go

@@ -7,25 +7,20 @@ import (
 	keystonev1 "github.com/openstack-k8s-operators/keystone-operator/api/v1beta1"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
 	corev1beta1 "github.com/openstack-k8s-operators/openstack-operator/apis/core/v1beta1"
-
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 )
 
-// mergeAppCred returns a new ApplicationCredentialSection
-// by starting from the global defaults, then overriding
-// only the fields the service user has explicitly set
+// mergeAppCred returns a new ApplicationCredentialSection by overlaying
+// service-specific values on top of the global defaults.
 func mergeAppCred(
 	global corev1beta1.ApplicationCredentialSection,
 	svc *corev1beta1.ServiceAppCredSection,
 ) corev1beta1.ApplicationCredentialSection {
 	out := global
-
 	if svc != nil {
-		// always override Enabled, even if false
 		out.Enabled = svc.Enabled
-
 		// only override expiry/grace if the user actually set them
 		if svc.ExpirationDays != nil {
 			out.ExpirationDays = svc.ExpirationDays
@@ -34,30 +29,23 @@ func mergeAppCred(
 			out.GracePeriodDays = svc.GracePeriodDays
 		}
 	}
-
 	return out
 }
 
-// ReconcileApplicationCredentials ensures that every OpenStack service which
-// has AC enabled (both globally and per-service) has a corresponding
-// keystone.openstack.org/v1beta1 ApplicationCredential CR, with proper
-// ExpirationDays and GracePeriodDays inherited or overridden
+// ReconcileApplicationCredentials ensures an AC CR per enabled service,
+// propagating its secret name, passwordSelector, and serviceUser fields.
 func ReconcileApplicationCredentials(
 	ctx context.Context,
 	instance *corev1beta1.OpenStackControlPlane,
 	_ *corev1beta1.OpenStackVersion,
 	helper *helper.Helper,
 ) (ctrl.Result, error) {
-
 	log := GetLogger(ctx)
 
-	// If global AC is turned off, delete service AC CRs
+	// If global disabled, delete all ACs:
 	if !instance.Spec.ApplicationCredential.Enabled {
-		log.Info("Global .spec.applicationCredential.enabled is false – deleting all per-service AC CRs")
-		for _, svc := range []string{
-			"glance", "nova", "swift", "ceilometer",
-			"barbican", "cinder", "placement", "neutron",
-		} {
+		log.Info("Global AC disabled; deleting per-service AC CRs")
+		for _, svc := range []string{"glance", "nova", "swift", "ceilometer", "barbican", "cinder", "placement", "neutron"} {
 			ac := &keystonev1.ApplicationCredential{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      fmt.Sprintf("ac-%s", svc),
@@ -71,9 +59,25 @@ func ReconcileApplicationCredentials(
 		return ctrl.Result{}, nil
 	}
 
-	// Build list of services to reconcile
+	// Build a lookup with each service’s secret, selector, and service user name field:
+	services := map[string]struct {
+		SecretName       string
+		PasswordSelector string
+		ServiceUser      string
+	}{
+		"glance":     {instance.Spec.Glance.Template.Secret, instance.Spec.Glance.Template.PasswordSelectors.Service, instance.Spec.Glance.Template.ServiceUser},
+		"nova":       {instance.Spec.Nova.Template.Secret, instance.Spec.Nova.Template.PasswordSelectors.Service, instance.Spec.Nova.Template.ServiceUser},
+		"swift":      {instance.Spec.Swift.Template.SwiftProxy.Secret, instance.Spec.Swift.Template.SwiftProxy.PasswordSelectors.Service, instance.Spec.Swift.Template.SwiftProxy.ServiceUser},
+		"ceilometer": {instance.Spec.Telemetry.Template.Ceilometer.Secret, instance.Spec.Telemetry.Template.Ceilometer.PasswordSelectors.CeilometerService, instance.Spec.Telemetry.Template.Ceilometer.ServiceUser},
+		"barbican":   {instance.Spec.Barbican.Template.Secret, instance.Spec.Barbican.Template.PasswordSelectors.Service, instance.Spec.Barbican.Template.ServiceUser},
+		"cinder":     {instance.Spec.Cinder.Template.Secret, instance.Spec.Cinder.Template.PasswordSelectors.Service, instance.Spec.Cinder.Template.ServiceUser},
+		"placement":  {instance.Spec.Placement.Template.Secret, instance.Spec.Placement.Template.PasswordSelectors.Service, instance.Spec.Placement.Template.ServiceUser},
+		"neutron":    {instance.Spec.Neutron.Template.Secret, instance.Spec.Neutron.Template.PasswordSelectors.Service, instance.Spec.Neutron.Template.ServiceUser},
+	}
+
+	// Collect each service’s enabled flag and AC section:
 	type svcAC struct {
-		Name      string
+		Key       string
 		Enabled   bool
 		ACSection *corev1beta1.ServiceAppCredSection
 	}
@@ -87,33 +91,35 @@ func ReconcileApplicationCredentials(
 		{"placement", instance.Spec.Placement.Enabled, instance.Spec.Placement.ApplicationCredential},
 		{"neutron", instance.Spec.Neutron.Enabled, instance.Spec.Neutron.ApplicationCredential},
 	}
-
 	global := instance.Spec.ApplicationCredential
 
+	// Loop, CreateOrPatch or delete each AC CR:
 	for _, svc := range svcs {
-		acName := fmt.Sprintf("ac-%s", svc.Name)
+		acName := fmt.Sprintf("ac-%s", svc.Key)
 		acObj := &keystonev1.ApplicationCredential{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      acName,
 				Namespace: instance.Namespace,
 			},
 		}
 
+		// merge flags
 		effective := mergeAppCred(global, svc.ACSection)
-		// if either the service itself is disabled, or the merged AC.Enabled is false,
-		// then ensure that CR is deleted
 		if !(svc.Enabled && effective.Enabled) {
 			if res, err := EnsureDeleted(ctx, helper, acObj); err != nil {
 				return res, err
 			}
 			continue
 		}
 
-		// otherwise create or patch it to have exactly the merged values
+		// create/patch
 		op, err := controllerutil.CreateOrPatch(ctx, helper.GetClient(), acObj, func() error {
-			acObj.Spec.UserName = svc.Name
+			acObj.Spec.UserName = services[svc.Key].ServiceUser
 			acObj.Spec.ExpirationDays = *effective.ExpirationDays
 			acObj.Spec.GracePeriodDays = *effective.GracePeriodDays
+			acObj.Spec.Secret = services[svc.Key].SecretName
+			acObj.Spec.PasswordSelector = services[svc.Key].PasswordSelector
+
 			return controllerutil.SetControllerReference(
 				helper.GetBeforeObject(), acObj, helper.GetScheme(),
 			)
@@ -122,7 +128,7 @@ func ReconcileApplicationCredentials(
 			return ctrl.Result{}, err
 		}
 		if op != controllerutil.OperationResultNone {
-			log.Info("Reconciled ApplicationCredential", "service", svc.Name, "operation", op)
+			log.Info("Reconciled ApplicationCredential", "service", svc.Key, "operation", op)
 		}
 	}