AppCred fixes

Deydra71 · millevy · Deydra71 · commit deeaca0a790c · 2026-02-24T12:19:07.000+01:00
Fix propagation of ApplicatioNCredentialSecret into correct OCtavia  Auth spec field. Fix reconcile on AC config changes (such as roles, expiry...). Fix deleting AC CRs when app creds are disabled (globally and for the service). Enhance kuttl test scenario to check the AC CR deletion.

Signed-off-by: Veronika Fisarova &lt;vfisarov@redhat.com&gt;
Co-authored-by: Milana Levy &lt;millevy@redhat.com&gt;
diff --git a/internal/openstack/applicationcredential.go b/internal/openstack/applicationcredential.go
@@ -125,6 +125,11 @@ func EnsureApplicationCredentialForService(
 
 	// Check if AC CR exists and is ready
 	if acExists {
+		// We want to run reconcileApplicationCredential to update the AC CR if it exists and is ready and AC config fields changed
+		err = reconcileApplicationCredential(ctx, helper, instance, acName, serviceUser, secretName, passwordSelector, merged)
+		if err != nil {
+			return "", ctrl.Result{}, err
+		}
 		if acCR.IsReady() {
 			Log.Info("Application Credential is ready", "service", serviceName, "acName", acName, "secretName", acCR.Status.SecretName)
 			return acCR.Status.SecretName, ctrl.Result{}, nil
diff --git a/internal/openstack/barbican.go b/internal/openstack/barbican.go
@@ -73,8 +73,8 @@ func ReconcileBarbican(ctx context.Context, instance *corev1beta1.OpenStackContr
 		barbicanSecret = instance.Spec.Secret
 	}
 
-	// Only call if AC enabled or currently configured
-	if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Barbican.ApplicationCredential) ||
+	// Reconcile AC if configured (enabled or disabled) or secret previously set
+	if instance.Spec.Barbican.ApplicationCredential != nil ||
 		instance.Spec.Barbican.Template.Auth.ApplicationCredentialSecret != "" {
 
 		acSecretName, acResult, err := EnsureApplicationCredentialForService(
diff --git a/internal/openstack/cinder.go b/internal/openstack/cinder.go
@@ -96,8 +96,8 @@ func ReconcileCinder(ctx context.Context, instance *corev1beta1.OpenStackControl
 		cinderSecret = instance.Spec.Secret
 	}
 
-	// Only call if AC enabled or currently configured
-	if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Cinder.ApplicationCredential) ||
+	// Reconcile AC if configured (enabled or disabled) or secret previously set
+	if instance.Spec.Cinder.ApplicationCredential != nil ||
 		instance.Spec.Cinder.Template.Auth.ApplicationCredentialSecret != "" {
 
 		acSecretName, acResult, err := EnsureApplicationCredentialForService(
diff --git a/internal/openstack/designate.go b/internal/openstack/designate.go
@@ -85,8 +85,8 @@ func ReconcileDesignate(ctx context.Context, instance *corev1beta1.OpenStackCont
 		designateSecret = instance.Spec.Secret
 	}
 
-	// Only call if AC enabled or currently configured
-	if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Designate.ApplicationCredential) ||
+	// Reconcile AC if configured (enabled or disabled) or secret previously set
+	if instance.Spec.Designate.ApplicationCredential != nil ||
 		instance.Spec.Designate.Template.DesignateAPI.Auth.ApplicationCredentialSecret != "" {
 
 		acSecretName, acResult, err := EnsureApplicationCredentialForService(
diff --git a/internal/openstack/glance.go b/internal/openstack/glance.go
@@ -128,9 +128,8 @@ func ReconcileGlance(ctx context.Context, instance *corev1beta1.OpenStackControl
 		}
 	}
 
-	// Only call if AC enabled or currently configured
-	if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Glance.ApplicationCredential) || hasACConfigured {
-
+	// Reconcile AC if configured (enabled or disabled) or secret previously set
+	if instance.Spec.Glance.ApplicationCredential != nil || hasACConfigured {
 		acSecretName, acResult, err := EnsureApplicationCredentialForService(
 			ctx,
 			helper,
diff --git a/internal/openstack/heat.go b/internal/openstack/heat.go
@@ -120,8 +120,8 @@ func ReconcileHeat(ctx context.Context, instance *corev1beta1.OpenStackControlPl
 		heatSecret = instance.Spec.Secret
 	}
 
-	// Only call if AC enabled or currently configured
-	if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Heat.ApplicationCredential) ||
+	// Reconcile AC if configured (enabled or disabled) or secret previously set
+	if instance.Spec.Heat.ApplicationCredential != nil ||
 		instance.Spec.Heat.Template.Auth.ApplicationCredentialSecret != "" {
 
 		heatACSecretName, acResult, err := EnsureApplicationCredentialForService(
diff --git a/internal/openstack/ironic.go b/internal/openstack/ironic.go
@@ -124,8 +124,8 @@ func ReconcileIronic(ctx context.Context, instance *corev1beta1.OpenStackControl
 		ironicSecret = instance.Spec.Secret
 	}
 
-	// Only call if AC enabled or currently configured
-	if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Ironic.ApplicationCredential) ||
+	// Reconcile AC if configured (enabled or disabled) or secret previously set
+	if instance.Spec.Ironic.ApplicationCredential != nil ||
 		instance.Spec.Ironic.Template.Auth.ApplicationCredentialSecret != "" ||
 		instance.Spec.Ironic.Template.IronicInspector.Auth.ApplicationCredentialSecret != "" {
 
@@ -145,7 +145,6 @@ func ReconcileIronic(ctx context.Context, instance *corev1beta1.OpenStackControl
 			return ctrl.Result{}, err
 		}
 
-		// If AC is not ready, return immediately without updating the service CR
 		if (acResult != ctrl.Result{}) {
 			return acResult, nil
 		}
@@ -162,7 +161,7 @@ func ReconcileIronic(ctx context.Context, instance *corev1beta1.OpenStackControl
 			instance,
 			"ironic-inspector",
 			ironicReady,
-			ironicSecret, // Inspector shares the same secret as ironic
+			ironicSecret,
 			instance.Spec.Ironic.Template.IronicInspector.PasswordSelectors.Service,
 			instance.Spec.Ironic.Template.IronicInspector.ServiceUser,
 			instance.Spec.Ironic.ApplicationCredential,
@@ -171,7 +170,6 @@ func ReconcileIronic(ctx context.Context, instance *corev1beta1.OpenStackControl
 			return ctrl.Result{}, err
 		}
 
-		// If AC is not ready, return immediately without updating the service CR
 		if (inspectorACResult != ctrl.Result{}) {
 			return inspectorACResult, nil
 		}
diff --git a/internal/openstack/manila.go b/internal/openstack/manila.go
@@ -75,8 +75,8 @@ func ReconcileManila(ctx context.Context, instance *corev1beta1.OpenStackControl
 		manilaSecret = instance.Spec.Secret
 	}
 
-	// Only call if AC enabled or currently configured
-	if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Manila.ApplicationCredential) ||
+	// Reconcile AC if configured (enabled or disabled) or secret previously set
+	if instance.Spec.Manila.ApplicationCredential != nil ||
 		instance.Spec.Manila.Template.Auth.ApplicationCredentialSecret != "" {
 
 		acSecretName, acResult, err := EnsureApplicationCredentialForService(
diff --git a/internal/openstack/neutron.go b/internal/openstack/neutron.go
@@ -119,8 +119,8 @@ func ReconcileNeutron(ctx context.Context, instance *corev1beta1.OpenStackContro
 		neutronSecret = instance.Spec.Secret
 	}
 
-	// Only call if AC enabled or currently configured
-	if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Neutron.ApplicationCredential) ||
+	// Reconcile AC if configured (enabled or disabled) or secret previously set
+	if instance.Spec.Neutron.ApplicationCredential != nil ||
 		instance.Spec.Neutron.Template.Auth.ApplicationCredentialSecret != "" {
 
 		acSecretName, acResult, err := EnsureApplicationCredentialForService(
diff --git a/internal/openstack/nova.go b/internal/openstack/nova.go
@@ -191,8 +191,8 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl
 		novaSecret = instance.Spec.Secret
 	}
 
-	// Only call if AC enabled or currently configured
-	if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Nova.ApplicationCredential) ||
+	// Reconcile AC if configured (enabled or disabled) or secret previously set
+	if instance.Spec.Nova.ApplicationCredential != nil ||
 		instance.Spec.Nova.Template.Auth.ApplicationCredentialSecret != "" {
 
 		acSecretName, acResult, err := EnsureApplicationCredentialForService(
diff --git a/internal/openstack/octavia.go b/internal/openstack/octavia.go
@@ -167,9 +167,9 @@ func ReconcileOctavia(ctx context.Context, instance *corev1beta1.OpenStackContro
 		octaviaSecret = instance.Spec.Secret
 	}
 
-	// Only call if AC enabled or currently configured
-	if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Octavia.ApplicationCredential) ||
-		instance.Spec.Octavia.Template.OctaviaAPI.Auth.ApplicationCredentialSecret != "" {
+	// Reconcile AC if configured (enabled or disabled) or secret previously set
+	if instance.Spec.Octavia.ApplicationCredential != nil ||
+		instance.Spec.Octavia.Template.Auth.ApplicationCredentialSecret != "" {
 
 		acSecretName, acResult, err := EnsureApplicationCredentialForService(
 			ctx,
@@ -194,7 +194,7 @@ func ReconcileOctavia(ctx context.Context, instance *corev1beta1.OpenStackContro
 		// Set ApplicationCredentialSecret based on what the helper returned:
 		// - If AC disabled: returns ""
 		// - If AC enabled and ready: returns the AC secret name
-		instance.Spec.Octavia.Template.OctaviaAPI.Auth.ApplicationCredentialSecret = acSecretName
+		instance.Spec.Octavia.Template.Auth.ApplicationCredentialSecret = acSecretName
 	}
 
 	svcs, err := service.GetServicesListWithLabel(
diff --git a/internal/openstack/placement.go b/internal/openstack/placement.go
@@ -79,8 +79,8 @@ func ReconcilePlacementAPI(ctx context.Context, instance *corev1beta1.OpenStackC
 		placementSecret = instance.Spec.Secret
 	}
 
-	// Only call if AC enabled or currently configured
-	if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Placement.ApplicationCredential) ||
+	// Reconcile AC if configured (enabled or disabled) or secret previously set
+	if instance.Spec.Placement.ApplicationCredential != nil ||
 		instance.Spec.Placement.Template.Auth.ApplicationCredentialSecret != "" {
 
 		acSecretName, acResult, err := EnsureApplicationCredentialForService(
diff --git a/internal/openstack/swift.go b/internal/openstack/swift.go
@@ -109,8 +109,8 @@ func ReconcileSwift(ctx context.Context, instance *corev1beta1.OpenStackControlP
 		swiftSecret = instance.Spec.Secret
 	}
 
-	// Only call if AC enabled or currently configured
-	if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Swift.ApplicationCredential) ||
+	// Reconcile AC if configured (enabled or disabled) or secret previously set
+	if instance.Spec.Swift.ApplicationCredential != nil ||
 		instance.Spec.Swift.Template.SwiftProxy.Auth.ApplicationCredentialSecret != "" {
 
 		acSecretName, acResult, err := EnsureApplicationCredentialForService(
diff --git a/internal/openstack/telemetry.go b/internal/openstack/telemetry.go
@@ -127,8 +127,8 @@ func ReconcileTelemetry(ctx context.Context, instance *corev1beta1.OpenStackCont
 
 	// AC for Aodh (if service enabled)
 	if instance.Spec.Telemetry.Template.Autoscaling.Enabled != nil && *instance.Spec.Telemetry.Template.Autoscaling.Enabled {
-		// Only call if AC enabled or currently configured
-		if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Telemetry.ApplicationCredentialAodh) ||
+		// Reconcile AC if configured (enabled or disabled) or secret previously set
+		if instance.Spec.Telemetry.ApplicationCredentialAodh != nil ||
 			instance.Spec.Telemetry.Template.Autoscaling.Aodh.Auth.ApplicationCredentialSecret != "" {
 
 			// Apply same fallback logic as in CreateOrPatch to avoid passing empty values to AC
@@ -162,15 +162,12 @@ func ReconcileTelemetry(ctx context.Context, instance *corev1beta1.OpenStackCont
 			// - If AC enabled and ready: returns the AC secret name
 			instance.Spec.Telemetry.Template.Autoscaling.Aodh.Auth.ApplicationCredentialSecret = aodhACSecretName
 		}
-	} else {
-		// Aodh service disabled, clear the field
-		instance.Spec.Telemetry.Template.Autoscaling.Aodh.Auth.ApplicationCredentialSecret = ""
 	}
 
 	// AC for Ceilometer (if service enabled)
 	if instance.Spec.Telemetry.Template.Ceilometer.Enabled != nil && *instance.Spec.Telemetry.Template.Ceilometer.Enabled {
-		// Only call if AC enabled or currently configured
-		if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Telemetry.ApplicationCredentialCeilometer) ||
+		// Reconcile AC if configured (enabled or disabled) or secret previously set
+		if instance.Spec.Telemetry.ApplicationCredentialCeilometer != nil ||
 			instance.Spec.Telemetry.Template.Ceilometer.Auth.ApplicationCredentialSecret != "" {
 
 			// Apply same fallback logic as in CreateOrPatch to avoid passing empty values to AC
@@ -204,15 +201,11 @@ func ReconcileTelemetry(ctx context.Context, instance *corev1beta1.OpenStackCont
 			// - If AC enabled and ready: returns the AC secret name
 			instance.Spec.Telemetry.Template.Ceilometer.Auth.ApplicationCredentialSecret = ceilometerACSecretName
 		}
-	} else {
-		// Ceilometer service disabled, clear the field
-		instance.Spec.Telemetry.Template.Ceilometer.Auth.ApplicationCredentialSecret = ""
 	}
-
 	// AC for CloudKitty (if service enabled)
 	if instance.Spec.Telemetry.Template.CloudKitty.Enabled != nil && *instance.Spec.Telemetry.Template.CloudKitty.Enabled {
-		// Only call if AC enabled or currently configured
-		if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Telemetry.ApplicationCredentialCloudKitty) ||
+		// Reconcile AC if configured (enabled or disabled) or secret previously set
+		if instance.Spec.Telemetry.ApplicationCredentialCloudKitty != nil ||
 			instance.Spec.Telemetry.Template.CloudKitty.Auth.ApplicationCredentialSecret != "" {
 
 			// Apply same fallback logic as in CreateOrPatch to avoid passing empty values to AC
@@ -246,9 +239,6 @@ func ReconcileTelemetry(ctx context.Context, instance *corev1beta1.OpenStackCont
 			// - If AC enabled and ready: returns the AC secret name
 			instance.Spec.Telemetry.Template.CloudKitty.Auth.ApplicationCredentialSecret = cloudkittyACSecretName
 		}
-	} else {
-		// CloudKitty service disabled, clear the field
-		instance.Spec.Telemetry.Template.CloudKitty.Auth.ApplicationCredentialSecret = ""
 	}
 
 	// preserve any previously set TLS certs, set CA cert
diff --git a/internal/openstack/watcher.go b/internal/openstack/watcher.go
@@ -88,8 +88,8 @@ func ReconcileWatcher(ctx context.Context, instance *corev1beta1.OpenStackContro
 		return ""
 	}
 
-	// Only call if AC enabled or currently configured
-	if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Watcher.ApplicationCredential) ||
+	// Reconcile AC if configured (enabled or disabled) or secret previously set
+	if instance.Spec.Watcher.ApplicationCredential != nil ||
 		instance.Spec.Watcher.Template.Auth.ApplicationCredentialSecret != "" {
 
 		acSecretName, acResult, err := EnsureApplicationCredentialForService(
diff --git a/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/03-assert-appcred-cleanup.yaml b/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/03-assert-appcred-cleanup.yaml
@@ -0,0 +1,51 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+commands:
+  - script: |-
+      set -euo pipefail
+      NS="${NAMESPACE}"
+
+      SERVICES=(barbican cinder glance swift neutron placement nova ceilometer)
+
+      wait_deleted() {
+        local kind=$1 name=$2 timeout=${3:-180}
+        echo "Waiting for $kind/$name to be deleted..."
+        local end=$((SECONDS + timeout))
+        while [ $SECONDS -lt $end ]; do
+          if ! oc get "$kind" "$name" -n "$NS" &>/dev/null; then
+            echo "✓ $kind/$name deleted"
+            return 0
+          fi
+          sleep 5
+        done
+        echo "ERROR: $kind/$name still exists after ${timeout}s"
+        exit 1
+      }
+
+      echo "========================================="
+      echo "Testing Application Credential Cleanup"
+      echo "========================================="
+      echo
+
+      echo "=== Verifying global ApplicationCredential is disabled ==="
+      global_enabled=$(oc get openstackcontrolplane openstack -n "$NS" -o jsonpath='{.spec.applicationCredential.enabled}')
+      if [ "$global_enabled" != "false" ]; then
+        echo "ERROR: OpenStackControlPlane.spec.applicationCredential.enabled expected 'false', got '$global_enabled'"
+        exit 1
+      fi
+      echo "✓ OpenStackControlPlane.spec.applicationCredential.enabled = false"
+      echo
+
+      echo "=== Verifying AC CRs are deleted ==="
+      for svc in "${SERVICES[@]}"; do
+        wait_deleted appcred "ac-$svc" 180
+      done
+      echo
+
+      echo "=== Verifying AC Secrets are cleaned up ==="
+      for svc in "${SERVICES[@]}"; do
+        wait_deleted secret "ac-$svc-secret" 120
+      done
+      echo
+
+      echo "All ApplicationCredential CRs and Secrets cleaned up successfully"
diff --git a/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/03-disable-appcred-config.yaml b/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/03-disable-appcred-config.yaml
@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: |
+      oc patch openstackcontrolplane openstack -n $NAMESPACE --type merge -p '{"spec":{"applicationCredential":{"enabled":false}}}'
diff --git a/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/04-cleanup.yaml b/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/04-cleanup.yaml
diff --git a/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/04-errors-cleanup.yaml b/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/04-errors-cleanup.yaml

Original file line number	Diff line number	Diff line change
`@@ -73,8 +73,8 @@ func ReconcileBarbican(ctx context.Context, instance *corev1beta1.OpenStackContr`
`73`	`73`	`barbicanSecret = instance.Spec.Secret`
`74`	`74`	`}`
`75`	`75`
`76`		`- // Only call if AC enabled or currently configured`
`77`		`- if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Barbican.ApplicationCredential) \|\|`
	`76`	`+ // Reconcile AC if configured (enabled or disabled) or secret previously set`
	`77`	`+ if instance.Spec.Barbican.ApplicationCredential != nil \|\|`
`78`	`78`	`instance.Spec.Barbican.Template.Auth.ApplicationCredentialSecret != "" {`
`79`	`79`
`80`	`80`	`acSecretName, acResult, err := EnsureApplicationCredentialForService(`
Original file line number	Diff line number	Diff line change
`@@ -96,8 +96,8 @@ func ReconcileCinder(ctx context.Context, instance *corev1beta1.OpenStackControl`
`96`	`96`	`cinderSecret = instance.Spec.Secret`
`97`	`97`	`}`
`98`	`98`
`99`		`- // Only call if AC enabled or currently configured`
`100`		`- if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Cinder.ApplicationCredential) \|\|`
	`99`	`+ // Reconcile AC if configured (enabled or disabled) or secret previously set`
	`100`	`+ if instance.Spec.Cinder.ApplicationCredential != nil \|\|`
`101`	`101`	`instance.Spec.Cinder.Template.Auth.ApplicationCredentialSecret != "" {`
`102`	`102`
`103`	`103`	`acSecretName, acResult, err := EnsureApplicationCredentialForService(`
Original file line number	Diff line number	Diff line change
`@@ -85,8 +85,8 @@ func ReconcileDesignate(ctx context.Context, instance *corev1beta1.OpenStackCont`
`85`	`85`	`designateSecret = instance.Spec.Secret`
`86`	`86`	`}`
`87`	`87`
`88`		`- // Only call if AC enabled or currently configured`
`89`		`- if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Designate.ApplicationCredential) \|\|`
	`88`	`+ // Reconcile AC if configured (enabled or disabled) or secret previously set`
	`89`	`+ if instance.Spec.Designate.ApplicationCredential != nil \|\|`
`90`	`90`	`instance.Spec.Designate.Template.DesignateAPI.Auth.ApplicationCredentialSecret != "" {`
`91`	`91`
`92`	`92`	`acSecretName, acResult, err := EnsureApplicationCredentialForService(`
Original file line number	Diff line number	Diff line change
`@@ -128,9 +128,8 @@ func ReconcileGlance(ctx context.Context, instance *corev1beta1.OpenStackControl`
`128`	`128`	`}`
`129`	`129`	`}`
`130`	`130`
`131`		`- // Only call if AC enabled or currently configured`
`132`		`- if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Glance.ApplicationCredential) \|\| hasACConfigured {`
`133`		`-`
	`131`	`+ // Reconcile AC if configured (enabled or disabled) or secret previously set`
	`132`	`+ if instance.Spec.Glance.ApplicationCredential != nil \|\| hasACConfigured {`
`134`	`133`	`acSecretName, acResult, err := EnsureApplicationCredentialForService(`
`135`	`134`	`ctx,`
`136`	`135`	`helper,`
Original file line number	Diff line number	Diff line change
`@@ -120,8 +120,8 @@ func ReconcileHeat(ctx context.Context, instance *corev1beta1.OpenStackControlPl`
`120`	`120`	`heatSecret = instance.Spec.Secret`
`121`	`121`	`}`
`122`	`122`
`123`		`- // Only call if AC enabled or currently configured`
`124`		`- if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Heat.ApplicationCredential) \|\|`
	`123`	`+ // Reconcile AC if configured (enabled or disabled) or secret previously set`
	`124`	`+ if instance.Spec.Heat.ApplicationCredential != nil \|\|`
`125`	`125`	`instance.Spec.Heat.Template.Auth.ApplicationCredentialSecret != "" {`
`126`	`126`
`127`	`127`	`heatACSecretName, acResult, err := EnsureApplicationCredentialForService(`
Original file line number	Diff line number	Diff line change
`@@ -124,8 +124,8 @@ func ReconcileIronic(ctx context.Context, instance *corev1beta1.OpenStackControl`
`124`	`124`	`ironicSecret = instance.Spec.Secret`
`125`	`125`	`}`
`126`	`126`
`127`		`- // Only call if AC enabled or currently configured`
`128`		`- if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Ironic.ApplicationCredential) \|\|`
	`127`	`+ // Reconcile AC if configured (enabled or disabled) or secret previously set`
	`128`	`+ if instance.Spec.Ironic.ApplicationCredential != nil \|\|`
`129`	`129`	`instance.Spec.Ironic.Template.Auth.ApplicationCredentialSecret != "" \|\|`
`130`	`130`	`instance.Spec.Ironic.Template.IronicInspector.Auth.ApplicationCredentialSecret != "" {`
`131`	`131`
`@@ -145,7 +145,6 @@ func ReconcileIronic(ctx context.Context, instance *corev1beta1.OpenStackControl`
`145`	`145`	`return ctrl.Result{}, err`
`146`	`146`	`}`
`147`	`147`
`148`		`- // If AC is not ready, return immediately without updating the service CR`
`149`	`148`	`if (acResult != ctrl.Result{}) {`
`150`	`149`	`return acResult, nil`
`151`	`150`	`}`
`@@ -162,7 +161,7 @@ func ReconcileIronic(ctx context.Context, instance *corev1beta1.OpenStackControl`
`162`	`161`	`instance,`
`163`	`162`	`"ironic-inspector",`
`164`	`163`	`ironicReady,`
`165`		`- ironicSecret, // Inspector shares the same secret as ironic`
	`164`	`+ ironicSecret,`
`166`	`165`	`instance.Spec.Ironic.Template.IronicInspector.PasswordSelectors.Service,`
`167`	`166`	`instance.Spec.Ironic.Template.IronicInspector.ServiceUser,`
`168`	`167`	`instance.Spec.Ironic.ApplicationCredential,`
`@@ -171,7 +170,6 @@ func ReconcileIronic(ctx context.Context, instance *corev1beta1.OpenStackControl`
`171`	`170`	`return ctrl.Result{}, err`
`172`	`171`	`}`
`173`	`172`
`174`		`- // If AC is not ready, return immediately without updating the service CR`
`175`	`173`	`if (inspectorACResult != ctrl.Result{}) {`
`176`	`174`	`return inspectorACResult, nil`
`177`	`175`	`}`
Original file line number	Diff line number	Diff line change
`@@ -75,8 +75,8 @@ func ReconcileManila(ctx context.Context, instance *corev1beta1.OpenStackControl`
`75`	`75`	`manilaSecret = instance.Spec.Secret`
`76`	`76`	`}`
`77`	`77`
`78`		`- // Only call if AC enabled or currently configured`
`79`		`- if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Manila.ApplicationCredential) \|\|`
	`78`	`+ // Reconcile AC if configured (enabled or disabled) or secret previously set`
	`79`	`+ if instance.Spec.Manila.ApplicationCredential != nil \|\|`
`80`	`80`	`instance.Spec.Manila.Template.Auth.ApplicationCredentialSecret != "" {`
`81`	`81`
`82`	`82`	`acSecretName, acResult, err := EnsureApplicationCredentialForService(`
Original file line number	Diff line number	Diff line change
`@@ -119,8 +119,8 @@ func ReconcileNeutron(ctx context.Context, instance *corev1beta1.OpenStackContro`
`119`	`119`	`neutronSecret = instance.Spec.Secret`
`120`	`120`	`}`
`121`	`121`
`122`		`- // Only call if AC enabled or currently configured`
`123`		`- if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Neutron.ApplicationCredential) \|\|`
	`122`	`+ // Reconcile AC if configured (enabled or disabled) or secret previously set`
	`123`	`+ if instance.Spec.Neutron.ApplicationCredential != nil \|\|`
`124`	`124`	`instance.Spec.Neutron.Template.Auth.ApplicationCredentialSecret != "" {`
`125`	`125`
`126`	`126`	`acSecretName, acResult, err := EnsureApplicationCredentialForService(`
Original file line number	Diff line number	Diff line change
`@@ -191,8 +191,8 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl`
`191`	`191`	`novaSecret = instance.Spec.Secret`
`192`	`192`	`}`
`193`	`193`
`194`		`- // Only call if AC enabled or currently configured`
`195`		`- if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Nova.ApplicationCredential) \|\|`
	`194`	`+ // Reconcile AC if configured (enabled or disabled) or secret previously set`
	`195`	`+ if instance.Spec.Nova.ApplicationCredential != nil \|\|`
`196`	`196`	`instance.Spec.Nova.Template.Auth.ApplicationCredentialSecret != "" {`
`197`	`197`
`198`	`198`	`acSecretName, acResult, err := EnsureApplicationCredentialForService(`