Extracted from THREESCALE-11509:

The current ApplicationAuth CR implementation is a one time operator only and operator does not ever re-reconcile the correctness of the values in 3scale (sync).
We should consider making the secret watched by 3scale operator and react to changes updating the 3scale user_key. If this is meant to be 1 time only operation, we should provide a "DeleteNow" functionality to the CR like in proxyPromote CRs.

In my opinion, the CR should not be a one time only and should allow customers to edit the user_key in the secret which then, should be updated in 3scale. Additionally, the CR and secret should be reconciled as part of normal reconciliation loop, like in terms of tenant, product, backend etc.