Add application credential finalizer management #369

Open
Deydra71 wants to merge 1 commit into openstack-k8s-operators:main from Deydra71:appcred-finalizer

Deydra71 commented Apr 27, 2026

Jira: OSPRH-29269

Application Credential dev-doc: https://github.com/openstack-k8s-operators/dev-docs/blob/main/application_credentials.md

  • Tracks the active AC secret name in Status.ApplicationCredentialSecret
  • Add openstack.org/watcher-ac-consumer finalizer to the AC secret after service config is rendered
  • On AC rotation, move the finalizer from the old secret to the new one
  • On CR deletion, remove the consumer finalizer from the AC secret before cleaning up the CR

This ensures that the keystone-operator cannot revoke a rotated AC secret while Watcher is still consuming it.

2026-04-28T12:04:45Z	INFO	Controllers.Watcher	Added consumer finalizer	{"controller": "watcher", "controllerGroup": "watcher.openstack.org", "controllerKind": "Watcher", "Watcher": {"name":"watcher","namespace":"openstack"}, "namespace": "openstack", "name": "watcher", "reconcileID": "ac040495-e159-4291-bdd4-bb370a316368", "object": "ac-watcher-16b84-secret", "finalizer": "openstack.org/watcher-ac-consumer"}
2026-04-28T12:04:45Z	INFO	Controllers.Watcher	Removed consumer finalizer	{"controller": "watcher", "controllerGroup": "watcher.openstack.org", "controllerKind": "Watcher", "Watcher": {"name":"watcher","namespace":"openstack"}, "namespace": "openstack", "name": "watcher", "reconcileID": "ac040495-e159-4291-bdd4-bb370a316368", "object": "ac-watcher-b7b42-secret", "finalizer": "openstack.org/watcher-ac-consumer"}

Depends-On: openstack-k8s-operators/keystone-operator#685

Assisted-by: Claude Opus 4.6 noreply@anthropic.com

Signed-off-by: Veronika Fisarova <vfisarov@redhat.com>
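
The hand-over described in this PR description, as an added example that is not code from this PR or from watcher-operator. It models a secret's finalizers as a set; the `Secret` type, `MoveConsumerFinalizer` and the secret names are hypothetical, and only the finalizer string comes from the page.

```go
package main

import "fmt"

// Constructed model, not the operator's code: Secret stands in for the
// metadata of a Kubernetes Secret. Only the finalizer name is from the PR.
const consumerFinalizer = "openstack.org/watcher-ac-consumer"

type Secret struct {
	Finalizers map[string]bool // set view of metadata.finalizers
	Deleting   bool            // models a set deletionTimestamp
}

func NewSecret() *Secret { return &Secret{Finalizers: map[string]bool{}} }

// Removable: a deleted object only goes away once its finalizers are empty.
func (s *Secret) Removable() bool { return s.Deleting && len(s.Finalizers) == 0 }

// MoveConsumerFinalizer protects the active secret first, then releases the
// one recorded in *tracked (the status field). active == "" means CR deletion.
func MoveConsumerFinalizer(store map[string]*Secret, tracked *string, active string) []string {
	var actions []string
	if active != "" {
		s, ok := store[active]
		if !ok {
			return nil // new secret missing: keep holding the old one
		}
		if !s.Finalizers[consumerFinalizer] {
			s.Finalizers[consumerFinalizer] = true
			actions = append(actions, "added:"+active)
		}
	}
	if old := *tracked; old != "" && old != active {
		if s, ok := store[old]; ok { // the old secret may already be gone
			delete(s.Finalizers, consumerFinalizer)
			actions = append(actions, "removed:"+old)
		}
	}
	*tracked = active
	return actions
}

func main() {
	store := map[string]*Secret{"ac-old": NewSecret(), "ac-new": NewSecret()} // constructed names
	tracked := ""
	fmt.Println(MoveConsumerFinalizer(store, &tracked, "ac-old"))
	store["ac-old"].Deleting = true // revocation requested while still in use
	fmt.Println(store["ac-old"].Removable(), MoveConsumerFinalizer(store, &tracked, "ac-new"))
	fmt.Println(store["ac-old"].Removable())
}
```

Adding to the new secret before removing from the old one matches the order of the two log lines above, so there is no point at which the secret in use carries no consumer finalizer.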

openshift-ci Bot commented Apr 27, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign amoralej for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@softwarefactory-project-zuul

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/1c533ab5c6e44e719416fe0284f555ae

✔️ openstack-meta-content-provider-master SUCCESS in 3h 57m 23s
✔️ watcher-operator-validation-master SUCCESS in 2h 14m 00s
✔️ openstack-meta-content-provider-epoxy SUCCESS in 3h 41m 26s
✔️ watcher-operator-validation-epoxy SUCCESS in 1h 57m 54s
✔️ watcher-operator-validation-epoxy-ocp4-16 SUCCESS in 1h 54m 38s
✔️ noop SUCCESS in 0s
watcher-operator-kuttl FAILURE in 1h 10m 00s
