Conversation

@afaranha

Jira: OSPRH-20520

This PR adds end-to-end support for consuming Keystone ApplicationCredentials (AC) in the Heat operator, enabling Heat API pods to use AC-based authentication when available.

Reconcile:

On each reconcile, the Heat API controller checks for an AC Secret (ac-{service}-secret) using the GetApplicationCredentialFromSecret() helper from keystone-operator API:

  • If the secret is missing or incomplete, it continues using password authentication
  • Once the AC Secret is ready with valid AC_ID and AC_SECRET fields, it templates the AC credentials into the Heat configuration
  • It computes a hash of the Secret contents and stores it in configVars to trigger rolling updates when credentials rotate

Depends-On: openstack-k8s-operators/keystone-operator#567
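The reconcile steps described above, as an added Go example that is not heat-operator or keystone-operator code. It uses a hypothetical `Secret` stand-in and its own `lookupAppCred` in place of the real `GetApplicationCredentialFromSecret()` helper; the `[keystone_authtoken]` section name and the `reconcile`/`secretHash`/`configValue` functions are assumptions made for the example, while `application_credential_id` and `application_credential_secret` are the keystoneauth option names for the `v3applicationcredential` plugin. The sample Secret contents in `main` are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Secret is a stand-in for the decoded data of a Kubernetes Secret
// (hypothetical type for this example, not an operator API type).
type Secret struct {
	Data map[string][]byte
}

// AppCred carries the two fields the AC Secret must provide.
type AppCred struct{ ID, Secret string }

// acSecretName follows the ac-{service}-secret naming used by the PR.
func acSecretName(service string) string { return "ac-" + service + "-secret" }

// lookupAppCred stands in for GetApplicationCredentialFromSecret(): ok=false
// means "keep password auth", returned when the Secret is missing or when
// either AC_ID or AC_SECRET is absent or empty.
func lookupAppCred(secrets map[string]Secret, service string) (AppCred, bool) {
	s, found := secrets[acSecretName(service)]
	if !found {
		return AppCred{}, false
	}
	id := strings.TrimSpace(string(s.Data["AC_ID"]))
	sec := strings.TrimSpace(string(s.Data["AC_SECRET"]))
	if id == "" || sec == "" {
		return AppCred{}, false
	}
	return AppCred{ID: id, Secret: sec}, true
}

// secretHash digests every key and value. Keys are sorted so Go's random map
// order cannot change the hash (which would cause spurious rollouts); rotating
// AC_SECRET changes the digest and therefore the pod template.
func secretHash(s Secret) string {
	keys := make([]string, 0, len(s.Data))
	for k := range s.Data {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	h := sha256.New()
	for _, k := range keys {
		h.Write([]byte(k))
		h.Write([]byte{0})
		h.Write(s.Data[k])
		h.Write([]byte{0})
	}
	return hex.EncodeToString(h.Sum(nil))
}

// renderAuthSection templates the auth options as key=value with no spaces,
// the form the PR's template emits. In password mode the username/password
// options come from the service's existing secret and are not rendered here.
func renderAuthSection(ac AppCred, useAC bool) string {
	var b strings.Builder
	b.WriteString("[keystone_authtoken]\n") // section name is an assumption
	if !useAC {
		b.WriteString("auth_type=password\n")
		return b.String()
	}
	b.WriteString("auth_type=v3applicationcredential\n")
	fmt.Fprintf(&b, "application_credential_id=%s\n", ac.ID)
	fmt.Fprintf(&b, "application_credential_secret=%s\n", ac.Secret)
	return b.String()
}

// configValue looks a key up in a rendered section, tolerating optional spaces
// around '=', so a check does not break on "auth_type=x" vs "auth_type = x".
func configValue(rendered, key string) (string, bool) {
	for _, line := range strings.Split(rendered, "\n") {
		kv := strings.SplitN(line, "=", 2)
		if len(kv) == 2 && strings.TrimSpace(kv[0]) == key {
			return strings.TrimSpace(kv[1]), true
		}
	}
	return "", false
}

// reconcile performs one pass: pick the auth mode, render the section and
// record (or drop) the AC Secret hash in configVars.
func reconcile(secrets map[string]Secret, service string, configVars map[string]string) string {
	name := acSecretName(service)
	ac, useAC := lookupAppCred(secrets, service)
	if useAC {
		configVars[name] = secretHash(secrets[name])
	} else {
		delete(configVars, name) // the hash only matters while AC auth is in use
	}
	return renderAuthSection(ac, useAC)
}

func main() {
	secrets := map[string]Secret{} // constructed sample: no AC Secret yet
	configVars := map[string]string{}
	fmt.Print(reconcile(secrets, "heat", configVars))
	secrets["ac-heat-secret"] = Secret{Data: map[string][]byte{
		"AC_ID": []byte("0123abcd"), "AC_SECRET": []byte("constructed-sample-secret")}}
	fmt.Print(reconcile(secrets, "heat", configVars))
	fmt.Println("hash:", configVars["ac-heat-secret"])
}
```

The rendered section contains the application credential secret in clear text, so it belongs in the Secret that carries the service config, not in a ConfigMap, and the hash stored in configVars is what makes the rollout happen on rotation: if only the key names were hashed, a rotated AC_SECRET would never reach the pods.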

@openshift-ci openshift-ci bot requested review from slagle and viroel November 26, 2025 13:18
@openshift-ci (Contributor) openshift-ci bot commented Nov 26, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: afaranha
Once this PR has been reviewed and has the lgtm label, please assign olliewalsh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@afaranha afaranha mentioned this pull request Nov 26, 2025
@softwarefactory-project-zuul

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/6d759bd17e2643e0a01d3f999ac8ac11

openstack-k8s-operators-content-provider FAILURE in 12m 31s
⚠️ heat-operator-tempest-multinode SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider

@softwarefactory-project-zuul

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/04a276bec69648989673e8406f8d934d

openstack-k8s-operators-content-provider FAILURE in 7m 26s
⚠️ heat-operator-tempest-multinode SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider

This allows the CI check to pass for the temporary replace directive
pointing to the Deydra71 fork which contains the AppCred support
in keystone-operator.
@softwarefactory-project-zuul

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/9336569ea9d34faaa3923e684efa5618

openstack-k8s-operators-content-provider FAILURE in 7m 10s
⚠️ heat-operator-tempest-multinode SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider

The config template generates 'auth_type=v3applicationcredential' (no spaces),
but the test was checking for 'auth_type = v3applicationcredential' (with spaces).

This fixes the CI functional test failures.
@softwarefactory-project-zuul

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/5f00846a401047888141e2404ec6113d

openstack-k8s-operators-content-provider FAILURE in 7m 12s
⚠️ heat-operator-tempest-multinode SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider

@Deydra71 Deydra71 left a comment

The acSecretFn watcher is only added to HeatAPI, not to HeatCfnAPI or HeatEngine.
This is sufficient because the parent Heat controller generates the shared config
(heat-config-data) consumed by all three children. When HeatAPI detects the AppCred
secret change and reconciles, it triggers the parent to regenerate the shared config,
which automatically propagates to all children via config hash changes. This pattern
matches e.g. the barbican and cinder operators.

@Deydra71 Deydra71 left a comment

//allow-merging should not be used here; it makes the pre-commit checks not warn us about using them. We use the replace directive here only until the PR in keystone-operator gets merged and bumped.
