@Deydra71 Deydra71 commented Jan 8, 2026

Jira: OSPRH-16628

Adds end-to-end support for consuming Keystone Application Credentials (AppCred) in the telemetry-operator, enabling Ceilometer, Aodh, and CloudKitty pods to use AppCred-based authentication when available.

API changes:

Adds an optional auth field to telemetry service CRs:

  • spec.auth.applicationCredentialSecret — name of the Secret that contains the Keystone Application Credential ID and Secret (AC_ID and AC_SECRET).

This is added for:

  • Ceilometer CRs
  • Aodh CRs
  • CloudKitty CRs (and the related API/Proc CRs where applicable)

Reconcile behavior:

  • Reads spec.auth.applicationCredentialSecret
  • Attempts to load AC_ID / AC_SECRET from the referenced Secret (via the Keystone helper)
  • If the Secret is missing or incomplete, reconciliation falls back to password authentication (AppCred auth is optional and not treated as an error)

Once the AppCred Secret is ready with valid AC_ID / AC_SECRET:

  • Templates AppCred credentials into the generated service configuration (e.g. ceilometer.conf, aodh.conf, cloudkitty.conf)

  • The rendered config hash naturally includes AppCred values, triggering rolling updates when credentials rotate

  • All controllers use the same service user’s AppCred Secret for their respective service (ceilometer/aodh/cloudkitty)

  • Updates Keystone auth sections to support AppCred with a block-based if/else structure:

    • AppCred: auth_type = v3applicationcredential + application_credential_id + application_credential_secret
    • Else: existing password-based auth

Depends-on: openstack-k8s-operators/keystone-operator#567
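
The reconcile and templating behaviour described above, as an added example (not the telemetry-operator's own code): it renders an auth section with the if/else structure, keeps password auth when AC_ID or AC_SECRET is absent, and hashes the rendered text to show why a rotated credential changes the config hash. The `[service_credentials]` section name, the password-branch keys, the `RenderAuth` helper and the sample values are assumptions.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"text/template"
)

// authTmpl follows the if/else structure from the PR description.
// Section name and password-branch keys are assumptions for illustration.
const authTmpl = `[service_credentials]
{{- if .AppCredID }}
auth_type = v3applicationcredential
application_credential_id = {{ .AppCredID }}
application_credential_secret = {{ .AppCredSecret }}
{{- else }}
auth_type = password
username = {{ .User }}
password = {{ .Password }}
{{- end }}
`

type authVars struct{ AppCredID, AppCredSecret, User, Password string }

// RenderAuth (hypothetical helper) renders the auth section from the Secret's
// data and returns it with a SHA-256 hex digest of the rendered text.
func RenderAuth(secretData map[string][]byte, user, password string) (string, string, error) {
	v := authVars{User: user, Password: password}
	id, sec := string(secretData["AC_ID"]), string(secretData["AC_SECRET"])
	if id != "" && sec != "" { // missing or incomplete Secret: keep password auth
		v.AppCredID, v.AppCredSecret = id, sec
	}
	var buf bytes.Buffer
	tmpl := template.Must(template.New("auth").Parse(authTmpl))
	if err := tmpl.Execute(&buf, v); err != nil {
		return "", "", err
	}
	sum := sha256.Sum256(buf.Bytes())
	return buf.String(), hex.EncodeToString(sum[:]), nil
}

func main() {
	// Constructed sample values, not real credentials.
	data := map[string][]byte{"AC_ID": []byte("id-1"), "AC_SECRET": []byte("s3cr3t-a")}
	cfg, hash, _ := RenderAuth(data, "ceilometer", "pw")
	fmt.Printf("%s\nconfig hash: %s\n", cfg, hash)
}
```

Because the digest covers the rendered secret value, the hash itself should be treated as derived from sensitive data and the rendered file stored in a Secret rather than a ConfigMap.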

@Deydra71 Deydra71 requested review from jlarriba and vyzigold January 8, 2026 13:35
@openshift-ci openshift-ci bot requested a review from abays January 8, 2026 13:35
openshift-ci bot commented Jan 8, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Deydra71
Once this PR has been reviewed and has the lgtm label, please assign frenzyfriday for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Deydra71 commented Jan 8, 2026

Note: kuttl tests are yet to be added

@softwarefactory-project-zuul

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/9f80e1823add462ea5c60df2672f72d6

✔️ openstack-k8s-operators-content-provider SUCCESS in 2h 21m 14s
⚠️ telemetry-operator-multinode-cloudkitty SKIPPED Skipped due to failed job telemetry-openstack-meta-content-provider-master
telemetry-openstack-meta-content-provider-master FAILURE in 8m 49s
telemetry-operator-multinode-default-telemetry FAILURE in 1h 57m 01s
⚠️ functional-tests-osp18 SKIPPED Skipped due to failed job telemetry-openstack-meta-content-provider-master

@softwarefactory-project-zuul

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/c51230a124434844b7ac185afdb52021

✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 53m 25s
⚠️ telemetry-operator-multinode-cloudkitty SKIPPED Skipped due to failed job telemetry-openstack-meta-content-provider-master
telemetry-openstack-meta-content-provider-master FAILURE in 8m 24s
telemetry-operator-multinode-default-telemetry FAILURE in 1h 26m 52s
⚠️ functional-tests-osp18 SKIPPED Skipped due to failed job telemetry-openstack-meta-content-provider-master


replace k8s.io/kube-openapi => k8s.io/kube-openapi v0.0.0-20250627150254-e9823e99808e //allow-merging

replace github.com/openstack-k8s-operators/keystone-operator/api => github.com/Deydra71/keystone-operator/api v0.0.0-20251211085602-3e1a3e022c81
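
Review bot: the last `replace` line redirects github.com/openstack-k8s-operators/keystone-operator/api to a personal fork (github.com/Deydra71/keystone-operator/api) at a pseudo-version, so the operator would be built against code that has not gone through review in the upstream org. Add a comment on that line naming the pending dependency (openstack-k8s-operators/keystone-operator#567) so it is visibly temporary, and replace it with an upstream version before this merges; unlike the kube-openapi line above it, this line carries no `//allow-merging` comment.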
Is this kind of replacement from an official to a non-official package name intentional here?


replace k8s.io/kube-openapi => k8s.io/kube-openapi v0.0.0-20250627150254-e9823e99808e //allow-merging

replace github.com/openstack-k8s-operators/keystone-operator/api => github.com/Deydra71/keystone-operator/api v0.0.0-20251211085602-3e1a3e022c81
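
Review bot: the fork `replace` on the last line appears here a second time, so reverting only one occurrence would leave a build that still resolves keystone-operator/api from github.com/Deydra71. Remove both in the same commit, and consider a CI check that fails on any `replace` whose target lies outside openstack-k8s-operators unless it is explicitly marked.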
same here, this weird package name looks fishy.

@@ -1,3 +1,5 @@
github.com/Deydra71/keystone-operator/api v0.0.0-20251211085602-3e1a3e022c81 h1:plax+NFgJJL1SrERyXAnf3jOHRhLTtBlJ2oc7d84EoU=
github.com/Deydra71/keystone-operator/api v0.0.0-20251211085602-3e1a3e022c81/go.mod h1:b98Jl8eyUw8V07l9YiuQnoMlnWC748oV8IhXH15NCC4=
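
Review bot: the two go.sum lines at the top of this hunk record checksums for the fork module github.com/Deydra71/keystone-operator/api and exist only because of the `replace` in go.mod. Once that replace is dropped, re-run `go mod tidy` and confirm both entries are gone; a leftover fork entry in go.sum is a quick signal that the revert was incomplete.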
We should not pull from non openstack-k8s-operators

Contributor Author

Hi @mrunge! It's only temporary before the dependency in keystone-operator is merged

Contributor Author

After that, it will be removed before final reviews and merge

Signed-off-by: Veronika Fisarova <[email protected]>
openshift-ci bot commented Jan 14, 2026

@Deydra71: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/telemetry-operator-build-deploy | 50542c0 | link | false | /test telemetry-operator-build-deploy |
| ci/prow/telemetry-operator-build-deploy-kuttl | 50542c0 | link | true | /test telemetry-operator-build-deploy-kuttl |

