Application Credential Support

Co-authored-by: Cursor <[email protected]>

Author: 2 people

OWNERS_ALIASES

@@ -15,5 +15,4 @@ aliases:
   openstack-approvers:
   - abays
   - dprince
-  - olliewalsh
   - stuggi

api/bases/watcher.openstack.org_watchers.yaml

@@ -460,6 +460,15 @@ spec:
                         type: string
                     type: object
                 type: object
+              auth:
+                description: Auth - Parameters related to authentication (shared by
+                  all Watcher components)
+                properties:
+                  applicationCredentialSecret:
+                    description: ApplicationCredentialSecret - Secret containing Application
+                      Credential ID and Secret
+                    type: string
+                type: object
               customServiceConfig:
                 description: |-
                   CustomServiceConfig - customize the service config using this parameter to change service defaults,

api/v1beta1/common_types.go

@@ -129,6 +129,11 @@ type WatcherSpecCore struct {
 	// APITimeout for Route and Apache
 	APITimeout *int `json:"apiTimeout"`
 
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// Auth - Parameters related to authentication (shared by all Watcher components)
+	Auth AuthSpec `json:"auth,omitempty"`
+
 	// +kubebuilder:validation:Optional
 	// NotificationsBusInstance is the name of the RabbitMqCluster CR to select
 	// the Message Bus Service instance used by the Watcher service to publish and consume notifications
@@ -139,6 +144,14 @@ type WatcherSpecCore struct {
 	NotificationsBusInstance *string `json:"notificationsBusInstance,omitempty"`
 }
 
+// AuthSpec defines authentication parameters
+type AuthSpec struct {
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// ApplicationCredentialSecret - Secret containing Application Credential ID and Secret
+	ApplicationCredentialSecret string `json:"applicationCredentialSecret,omitempty"`
+}
+
 // PasswordSelector to identify the DB and AdminUser password from the Secret
 type PasswordSelector struct {
 	// +kubebuilder:validation:Optional

api/v1beta1/conditions.go

@@ -38,6 +38,8 @@ const (
 	WatcherAPIReadyErrorMessage = "WatcherAPI error occured %s"
 	// WatcherPrometheusSecretErrorMessage -
 	WatcherPrometheusSecretErrorMessage = "Error with prometheus config secret"
+	// WatcherApplicationCredentialSecretErrorMessage -
+	WatcherApplicationCredentialSecretErrorMessage = "Error with application credential secret"
 	// WatcherApplierReadyInitMessage -
 	WatcherApplierReadyInitMessage = "WatcherApplier creation not started"
 	// WatcherApplierReadyRunningMessage -

api/v1beta1/zz_generated.deepcopy.go

@@ -460,6 +460,15 @@ spec:
                         type: string
                     type: object
                 type: object
+              auth:
+                description: Auth - Parameters related to authentication (shared by
+                  all Watcher components)
+                properties:
+                  applicationCredentialSecret:
+                    description: ApplicationCredentialSecret - Secret containing Application
+                      Credential ID and Secret
+                    type: string
+                type: object
               customServiceConfig:
                 description: |-
                   CustomServiceConfig - customize the service config using this parameter to change service defaults,

config/crd/bases/watcher.openstack.org_watchers.yaml

@@ -57,6 +57,14 @@ spec:
       - description: TLS - Parameters related to the TLS
         displayName: TLS
         path: apiServiceTemplate.tls
+      - description: Auth - Parameters related to authentication (shared by all Watcher
+          components)
+        displayName: Auth
+        path: auth
+      - description: ApplicationCredentialSecret - Secret containing Application Credential
+          ID and Secret
+        displayName: Application Credential Secret
+        path: auth.applicationCredentialSecret
       version: v1beta1
   description: The Watcher Operator project
   displayName: Watcher Operator

config/manifests/bases/watcher-operator.clusterserviceversion.yaml

@@ -9,7 +9,7 @@ require (
 	github.com/onsi/gomega v1.39.0
 	github.com/openshift/api v3.9.0+incompatible
 	github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260115124008-0121df869109
-	github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260116230254-f54dd51650ac
+	github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260120112029-cd452f0497ba
 	github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20251230215914-6ba873b49a35
 	github.com/openstack-k8s-operators/lib-common/modules/test v0.6.1-0.20251230215914-6ba873b49a35
 	github.com/openstack-k8s-operators/mariadb-operator/api v0.6.1-0.20260105160121-f7a8ef85ce8d

go.mod

@@ -120,8 +120,8 @@ github.com/openshift/api v0.0.0-20250711200046-c86d80652a9e h1:E1OdwSpqWuDPCedyU
 github.com/openshift/api v0.0.0-20250711200046-c86d80652a9e/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo=
 github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260115124008-0121df869109 h1:S+A67nntHZrL1lIL3qr91CpJj+A67M/G4t1cTKzeGdo=
 github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260115124008-0121df869109/go.mod h1:ZXwFlspJCdZEUjMbmaf61t5AMB4u2vMyAMMoe/vJroE=
-github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260116230254-f54dd51650ac h1:DZ/Cw3l4fQXTu2O78HAPIEhSYYZ7cR+QZv893Z+gvNU=
-github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260116230254-f54dd51650ac/go.mod h1:xqvebn9DqLavxp2z8Rz/7i1S6M9MJhxmZVHC+S1uHX0=
+github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260120112029-cd452f0497ba h1:4VaDkZFawGCkzwvfijnFLz0Gduxh17buj9fIwk0WULo=
+github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260120112029-cd452f0497ba/go.mod h1:xqvebn9DqLavxp2z8Rz/7i1S6M9MJhxmZVHC+S1uHX0=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20251230215914-6ba873b49a35 h1:pF3mJ3nwq6r4qwom+rEWZNquZpcQW/iftHlJ1KPIDsk=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20251230215914-6ba873b49a35/go.mod h1:kycZyoe7OZdW1HUghr2nI3N7wSJtNahXf6b/ypD14f4=
 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20251230215914-6ba873b49a35 h1:IdcI8DFvW8rXtchONSzbDmhhRp1YyO2YaBJDBXr44Gk=

go.sum

@@ -36,6 +36,7 @@ const (
 	tlsAPIPublicField       = ".spec.tls.api.public.secretName"
 	topologyField           = ".spec.topologyRef.Name"
 	memcachedInstanceField  = ".spec.memcachedInstance"
+	authAppCredSecretField  = ".spec.auth.applicationCredentialSecret" //nolint:gosec // G101: Not actual credentials, just field path
 	// service label for cinder endpoint
 	endpointCinder = "cinder"
 )
@@ -60,6 +61,7 @@ var (
 	watcherWatchFields = []string{
 		passwordSecretField,
 		prometheusSecretField,
+		authAppCredSecretField,
 	}
 	decisionEngineWatchFields = []string{
 		passwordSecretField,