Goal:

Implement a new ApplicationCredential CRD and accompanying controller logic in the keystone-operator. This controller will handle the creation, rotation, and revocation of application credentials in Keystone (optionally), storing the resulting credentials in a dedicated OC secret per AC.

Acceptance Criteria:

• A new ApplicationCredential CRD is defined in keystone-operator with fields for:
  • userName, (meaning the service name in keystone), roles, expirationDays, gracePeriodDays, and any needed advanced fields
• A keystone-operator controller reconciles these CRs, creating and updating application credentials in Keystone
• Rotation logic is included:
  • If the credential is nearing expiration (within gracePeriodDays), the controller generates a new AC and updates the associated secret
  • Once it’s confirmed that the old AC is no longer in use (using finalizers), the AC controller revokes it in Keystone
• Functional and kuttl tests validate:
  • Creation of a new AC from scratch
  • Handling of rotation (old + new AC overlap)
  • Finalizers based cleanup when the CR is deleted or updated

Open questions:

• _