Add application credential finalizer management by Deydra71 · Pull Request #356 · openstack-k8s-operators/barbican-operator

Deydra71 · 2026-04-01T07:17:47Z

Application Credential dev-doc: https://github.com/openstack-k8s-operators/dev-docs/blob/main/application_credentials.md

Tracks the active AC secret name in Status.ApplicationCredentialSecret
Add openstack.org/barbican-ac-consumer finalizer to the AC secret after service config is rendered
On AC rotation, move the finalizer from the old secret to the new one
On CR deletion, remove the consumer finalizer from the AC secret before cleaning up the CR

This ensures that the keystone-operator cannot revoke a rotated AC secret while Barbican is still consuming it.

2026-04-28T11:47:49Z	INFO	Controllers.Barbican	Added consumer finalizer	{"controller": "barbican", "controllerGroup": "barbican.openstack.org", "controllerKind": "Barbican", "Barbican": {"name":"barbican","namespace":"openstack"}, "namespace": "openstack", "name": "barbican", "reconcileID": "f36c0bd9-d99c-4c90-8337-7e5017c93a55", "object": "ac-barbican-37683-secret", "finalizer": "openstack.org/barbican-ac-consumer"}
2026-04-28T11:47:49Z	INFO	Controllers.Barbican	Removed consumer finalizer	{"controller": "barbican", "controllerGroup": "barbican.openstack.org", "controllerKind": "Barbican", "Barbican": {"name":"barbican","namespace":"openstack"}, "namespace": "openstack", "name": "barbican", "reconcileID": "f36c0bd9-d99c-4c90-8337-7e5017c93a55", "object": "ac-barbican-d6d05-secret", "finalizer": "openstack.org/barbican-ac-consumer"}

Depends-On: openstack-k8s-operators/keystone-operator#685

Assisted-by: Claude Opus 4.6 noreply@anthropic.com

softwarefactory-project-zuul · 2026-04-01T07:17:54Z

Merge Failed.

This change or one of its cross-repo dependencies was unable to be automatically merged with the current state of its repository. Please rebase the change and upload a new patchset.
Warning:
Error merging github.com/openstack-k8s-operators/barbican-operator for 356,4d15dc1e663ccd9e65873abe3307f575303f8b8d

mauricioharley · 2026-04-01T10:39:05Z

+		secret := &corev1.Secret{}
+		key := types.NamespacedName{Name: newSecretName, Namespace: instance.Namespace}
+		if err := h.GetClient().Get(ctx, key, secret); err != nil {
+			return fmt.Errorf("failed to get new AC secret %s: %w", newSecretName, err)


This wraps every error the same way, including NotFound. In practice, if the openstack-operator points Spec.Auth.ApplicationCredentialSecret to a new secret before the keystone-operator has actually created it, you'll get a stream of errors in the logs for something that's perfectly normal and resolves on its own.

What about treating NotFound as a softer case?

if k8s_errors.IsNotFound(err) { Log.Info("AC secret not yet available, will retry", "secret", newSecretName) return nil } return fmt.Errorf("failed to get new AC secret %s: %w", newSecretName, err)

That way the logs stay clean during the normal window where keystone hasn't caught up yet.

I'm trying to think about a scenario when this situation would actually happen...

In keystone-operator - k8s Secret is created first, then Status.SecretName is set, then the AC CR is marked Ready all in the same reconcile + deferred status.

openstack-operator reads the secretn ame from Status.SecretName only after AC is marked as Ready, then it is written to the service CR https://github.com/openstack-k8s-operators/openstack-operator/blob/main/internal/openstack/barbican.go#L107 from where the service reads it. openstack-operator never propagates a secret name that doesn't already exist, because it gates on acCR.IsReady()

mauricioharley · 2026-04-01T10:39:15Z

+				g.Expect(b.Status.ApplicationCredentialSecret).To(Equal(newACSecretName))
+			}, timeout, interval).Should(Succeed())
+		})
+	})


Nice set of tests here - covers the add, the status tracking, and the rotation move. One thing I'm missing though: what happens when the Barbican CR itself gets deleted? The reconcileDelete logic removes the consumer finalizer from the AC secret, but there's no test exercising that path.

Something along the lines of:

It("should remove the consumer finalizer from AC secret on Barbican CR deletion", func() { // Wait for the consumer finalizer to appear on the AC secret // ... // Delete the Barbican CR // ... // Verify the AC secret no longer carries the barbican-ac-consumer finalizer // ... })

Would be good to have that covered so regressions don't sneak in.

mauricioharley

Please check the inline comments.

softwarefactory-project-zuul · 2026-04-08T06:41:43Z

Merge Failed.

This change or one of its cross-repo dependencies was unable to be automatically merged with the current state of its repository. Please rebase the change and upload a new patchset.
Warning:
Error merging github.com/openstack-k8s-operators/barbican-operator for 356,0f410be1cf2a4e1dd51b36516b2b5e76498bd208

softwarefactory-project-zuul · 2026-04-08T07:04:18Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/1bbbb520d40b4187b469ebbbbf9135a7

❌ openstack-k8s-operators-content-provider FAILURE in 17m 48s
⚠️ barbican-operator-kuttl SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)
⚠️ barbican-operator-tempest SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)

centosinfra-prod-github-app · 2026-05-20T10:37:38Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://gateway-cloud-softwarefactory.apps.ocp.cloud.ci.centos.org/zuul/t/rdoproject.org/buildset/05ba9254b8874e49a720e88168f9b466

❌ openstack-k8s-operators-content-provider FAILURE in 3m 54s
⚠️ barbican-operator-kuttl SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)
⚠️ barbican-operator-tempest SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)

Deydra71 · 2026-05-20T12:43:53Z

recheck

vakwetu

looks good in general. Just a couple points that claude picked up on.

fmount · 2026-05-27T12:09:02Z

/retest

fmount · 2026-05-27T12:10:20Z

Seems in line with all other operators that we just merged. @Deydra71 I assume we can land this one, it looks good, but let me know if we want to wait the green light from other reviewers.

vakwetu

LGTM

Deydra71 · 2026-06-02T06:07:24Z

/retest

Signed-off-by: Veronika Fisarova <vfisarov@redhat.com>

Deydra71 · 2026-06-02T06:29:36Z

Had to rebase

fmount

/lgtm

openshift-ci · 2026-06-02T07:39:47Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Deydra71, fmount, vakwetu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [Deydra71,vakwetu]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Author asked me to dismiss the review.

Deydra71 requested review from stuggi and xek April 1, 2026 07:17

Deydra71 added the do-not-merge/hold label Apr 1, 2026

openshift-ci Bot requested review from afaranha and mauricioharley April 1, 2026 07:17

openshift-ci Bot added the needs-rebase label Apr 1, 2026

Deydra71 mentioned this pull request Apr 1, 2026

Add finalizer management and EDPM-aware cleanup for immutable AC secrets openstack-k8s-operators/keystone-operator#685

Merged

Deydra71 force-pushed the appcred-finalizer branch from 4d15dc1 to 9047d5b Compare April 1, 2026 07:27

openshift-ci Bot removed the needs-rebase label Apr 1, 2026

mauricioharley reviewed Apr 1, 2026

View reviewed changes

mauricioharley previously requested changes Apr 1, 2026

View reviewed changes

openshift-ci Bot assigned mauricioharley Apr 1, 2026

Deydra71 force-pushed the appcred-finalizer branch 2 times, most recently from 1c93fae to 0f410be Compare April 8, 2026 06:41

openshift-ci Bot added the needs-rebase label Apr 8, 2026

Deydra71 force-pushed the appcred-finalizer branch from 0f410be to f8e88fd Compare April 8, 2026 06:45

openshift-ci Bot removed the needs-rebase label Apr 8, 2026

openshift-ci Bot added the needs-rebase label Apr 20, 2026

Deydra71 force-pushed the appcred-finalizer branch from f8e88fd to 1a83ee4 Compare April 23, 2026 06:06

openshift-ci Bot added approved and removed needs-rebase labels Apr 23, 2026

Deydra71 force-pushed the appcred-finalizer branch from 1a83ee4 to 802f926 Compare April 24, 2026 10:37

openshift-ci Bot added the needs-rebase label Apr 26, 2026

Deydra71 force-pushed the appcred-finalizer branch from 802f926 to af69e45 Compare April 27, 2026 08:16

openshift-ci Bot added needs-rebase and removed needs-rebase labels Apr 27, 2026

Deydra71 force-pushed the appcred-finalizer branch from af69e45 to 777ec81 Compare May 20, 2026 10:32

openshift-ci Bot removed the needs-rebase label May 20, 2026

Deydra71 removed the do-not-merge/hold label May 20, 2026

vakwetu reviewed May 21, 2026

View reviewed changes

Comment thread internal/controller/barbican_controller.go Outdated

vakwetu reviewed May 21, 2026

View reviewed changes

Comment thread test/functional/barbican_controller_test.go Outdated

vakwetu reviewed May 21, 2026

View reviewed changes

Comment thread go.mod Outdated

vakwetu requested changes May 21, 2026

View reviewed changes

openshift-ci Bot assigned vakwetu May 21, 2026

Deydra71 force-pushed the appcred-finalizer branch from 777ec81 to 45b421b Compare May 25, 2026 06:57

fmount requested review from mauricioharley and vakwetu May 27, 2026 12:08

vakwetu approved these changes Jun 1, 2026

View reviewed changes

openshift-ci Bot added the lgtm label Jun 1, 2026

Add AC finalizer management

bd43c90

Signed-off-by: Veronika Fisarova <vfisarov@redhat.com>

Deydra71 force-pushed the appcred-finalizer branch from 45b421b to bd43c90 Compare June 2, 2026 06:29

openshift-ci Bot removed the lgtm label Jun 2, 2026

fmount approved these changes Jun 2, 2026

View reviewed changes

openshift-ci Bot assigned fmount Jun 2, 2026

openshift-ci Bot added the lgtm label Jun 2, 2026

openshift-merge-bot Bot merged commit 199a63d into openstack-k8s-operators:main Jun 2, 2026
7 checks passed

Conversation

Deydra71 commented Apr 1, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

softwarefactory-project-zuul Bot commented Apr 1, 2026

Uh oh!

mauricioharley Apr 1, 2026

Choose a reason for hiding this comment

Uh oh!

Deydra71 Apr 1, 2026

Choose a reason for hiding this comment

Uh oh!

mauricioharley Apr 1, 2026

Choose a reason for hiding this comment

Uh oh!

mauricioharley left a comment

Choose a reason for hiding this comment

Uh oh!

softwarefactory-project-zuul Bot commented Apr 8, 2026

Uh oh!

softwarefactory-project-zuul Bot commented Apr 8, 2026

Uh oh!

centosinfra-prod-github-app Bot commented May 20, 2026

Uh oh!

Deydra71 commented May 20, 2026

Uh oh!

Uh oh!

Uh oh!

Uh oh!

vakwetu left a comment

Choose a reason for hiding this comment

Uh oh!

fmount commented May 27, 2026

Uh oh!

fmount commented May 27, 2026

Uh oh!

vakwetu left a comment

Choose a reason for hiding this comment

Uh oh!

Deydra71 commented Jun 2, 2026

Uh oh!

Deydra71 commented Jun 2, 2026

Uh oh!

fmount left a comment

Choose a reason for hiding this comment

Uh oh!

openshift-ci Bot commented Jun 2, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Deydra71 commented Apr 1, 2026 •

edited

Loading