# CustomResourceDefinition for the KeystoneApplicationCredential kind.
# NOTE(review): creationTimestamp, generation, resourceVersion and uid under
# metadata (and the top-level status block) are populated by the API server, so
# this appears to be an export from a running cluster rather than the generated
# manifest. Strip those fields before committing or applying it elsewhere.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    # The schema is generated by controller-gen; validation changes belong in
    # the Go type markers, because hand edits here are lost on regeneration.
    controller-gen.kubebuilder.io/version: v0.18.0
  creationTimestamp: "2026-04-02T13:56:58Z"
  generation: 1
  name: keystoneapplicationcredentials.keystone.openstack.org
  resourceVersion: "37021"
  uid: 4be674c7-0538-4e05-b627-7aa530986e34
spec:
  # No conversion webhook is configured; this file defines a single version.
  conversion:
    strategy: None
  group: keystone.openstack.org
  names:
    kind: KeystoneApplicationCredential
    listKind: KeystoneApplicationCredentialList
    plural: keystoneapplicationcredentials
    shortNames:
    - appcred
    singular: keystoneapplicationcredential
  # Namespaced scope: objects live in a namespace, so create/update rights on
  # this resource can be granted per namespace through Role/RoleBinding.
  # Whoever may create these objects can request credentials with any role
  # names the schema accepts, so treat write access as privileged.
  scope: Namespaced
  versions:
  # Extra columns for list output. All are read from .status; SecretName shows
  # only the name of the Secret, never the credential value itself.
  - additionalPrinterColumns:
    - description: Keystone ApplicationCredential ID
      jsonPath: .status.acID
      name: ACID
      type: string
    - description: Secret holding ApplicationCredential secret
      jsonPath: .status.secretName
      name: SecretName
      type: string
    - description: Last rotation time
      format: date-time
      jsonPath: .status.lastRotated
      name: LastRotated
      type: string
    - description: When rotation becomes eligible
      format: date-time
      jsonPath: .status.rotationEligibleAt
      name: RotationEligible
      type: string
    # Status and Message read conditions[0] only, so they reflect whichever
    # condition is first in the list; the ordering is decided by the
    # controller and is not visible in this manifest.
    - description: Status
      jsonPath: .status.conditions[0].status
      name: Status
      type: string
    - description: Message
      jsonPath: .status.conditions[0].message
      name: Message
      type: string
    name: v1beta1
    # Validation schema for v1beta1. apiVersion, kind and metadata are the
    # standard object fields; the resource-specific fields are under spec and
    # status.
    schema:
      openAPIV3Schema:
        description: KeystoneApplicationCredential is the Schema for the applicationcredentials
          API
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          # User-settable fields. Required: passwordSelector, roles, secret,
          # userName. Everything else is optional and falls back to the
          # defaults declared below.
          spec:
            description: KeystoneApplicationCredentialSpec defines what the user can
              set
            properties:
              # accessRules is optional and has no minItems, so a credential
              # can be requested with no rules at all.
              # NOTE(review): in Keystone an application credential without
              # access rules is limited only by its roles; confirm how the
              # controller treats an omitted or empty list, and prefer explicit
              # rules for each consumer.
              accessRules:
                description: AccessRules defines which services the ApplicationCredential
                  is permitted to access
                items:
                  description: ACRule defines an access rule for an ApplicationCredential
                  properties:
                    method:
                      description: Method is the HTTP verb to allow
                      enum:
                      - GET
                      - HEAD
                      - POST
                      - PUT
                      - PATCH
                      - DELETE
                      type: string
                    # Only a non-empty string is required; the schema does not
                    # constrain how broad the path may be.
                    path:
                      description: Path is the API path to allow
                      minLength: 1
                      type: string
                    service:
                      description: Service is the OpenStack service type
                      minLength: 1
                      type: string
                  required:
                  - method
                  - path
                  - service
                  type: object
                type: array
              # Lifetime has a lower bound (2 days) but no maximum, so
              # arbitrarily long-lived credentials pass validation. If a
              # ceiling is wanted, add a maximum in the Go type markers or
              # enforce one with an admission policy.
              expirationDays:
                default: 365
                description: ExpirationDays sets the lifetime in days for the ApplicationCredential
                minimum: 2
                type: integer
              gracePeriodDays:
                default: 182
                description: GracePeriodDays sets how many days before expiration
                  the ApplicationCredential should be rotated
                minimum: 1
                type: integer
              # passwordSelector and secret are references (a key and a Secret
              # name); the service user password itself is not stored in this
              # object.
              # NOTE(review): which namespace the Secret is read from is not
              # visible here; confirm in the controller.
              passwordSelector:
                description: PasswordSelector for extracting the service password
                minLength: 1
                type: string
              # At least one role is required, but the item schema has no
              # minLength, so an empty-string role name passes validation.
              roles:
                description: Roles to assign to the ApplicationCredential
                items:
                  type: string
                minItems: 1
                type: array
              secret:
                description: Secret containing service user password
                minLength: 1
                type: string
              # Defaults to false. Per the description, true lets the
              # credential create or destroy other credentials or trusts, so
              # consider denying unrestricted=true by admission policy unless a
              # workload has a reviewed need for it.
              unrestricted:
                default: false
                description: Unrestricted indicates whether the ApplicationCredential
                  may be used to create or destroy other credentials or trusts
                type: boolean
              # Required, but unlike secret and passwordSelector it carries no
              # minLength, so an empty string is accepted by the schema.
              # NOTE(review): consider a MinLength=1 marker on the Go field.
              userName:
                description: UserName - the Keystone user under which this ApplicationCredential
                  is created
                type: string
            required:
            - passwordSelector
            - roles
            - secret
            - userName
            type: object
            # CEL rule evaluated against spec. Defaults (365 and 182) are
            # applied before validation, so an object that sets expirationDays
            # to 182 or less without also setting gracePeriodDays is rejected
            # by this rule.
            x-kubernetes-validations:
            - message: gracePeriodDays must be smaller than expirationDays
              rule: self.gracePeriodDays < self.expirationDays
          # Observed state. No field here is required at the top level, and the
          # schema holds identifiers, timestamps and a hash rather than the
          # credential secret, which is referenced through secretName.
          status:
            description: KeystoneApplicationCredentialStatus defines the observed
              state
            properties:
              acID:
                description: ACID - the ID in Keystone for this ApplicationCredential
                type: string
              # Each condition must carry lastTransitionTime, status and type;
              # message, reason and severity are optional. status is a free
              # string here (no enum), although the description names True,
              # False and Unknown.
              conditions:
                description: Conditions
                items:
                  description: Condition defines an observation of a API resource
                    operational state.
                  properties:
                    lastTransitionTime:
                      description: |-
                        Last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed. If that is not known, then using the time when
                        the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: A human readable message indicating details about
                        the transition.
                      type: string
                    reason:
                      description: The reason for the condition's last transition
                        in CamelCase.
                      type: string
                    severity:
                      description: |-
                        Severity provides a classification of Reason code, so the current situation is immediately
                        understandable and could act accordingly.
                        It is meant for situations where Status=False and it should be indicated if it is just
                        informational, warning (next reconciliation might fix it) or an error (e.g. DB create issue
                        and no actions to automatically resolve the issue can/should be done).
                        For conditions where Status=Unknown or Status=True the Severity should be SeverityNone.
                      type: string
                    status:
                      description: Status of the condition, one of True, False, Unknown.
                      type: string
                    type:
                      description: Type of condition in CamelCase.
                      type: string
                  required:
                  - lastTransitionTime
                  - status
                  - type
                  type: object
                type: array
              # NOTE(review): "timestap" in the description below is a typo for
              # "timestamp"; fix it in the Go field comment and regenerate.
              createdAt:
                description: CreatedAt - timestap of creation
                format: date-time
                type: string
              expiresAt:
                description: ExpiresAt - time of validity expiration
                format: date-time
                type: string
              lastRotated:
                description: LastRotated - timestamp when credentials were last rotated
                format: date-time
                type: string
              observedGeneration:
                description: ObservedGeneration - the most recent generation observed
                  for this ApplicationCredential.
                format: int64
                type: integer
              # expiresAt and rotationEligibleAt are the fields to monitor for
              # credentials approaching expiry without having been rotated.
              rotationEligibleAt:
                description: |-
                  RotationEligibleAt indicates when rotation becomes eligible (start of grace period window).
                  Computed as ExpiresAt - GracePeriodDays. The AC can be rotated after this timestamp.
                format: date-time
                type: string
              # Only the Secret's name is recorded; the credential value is
              # protected by RBAC on Secrets in the namespace, so read access
              # to Secrets there is equivalent to holding the credential.
              secretName:
                description: SecretName - name of the k8s Secret storing the ApplicationCredential
                  secret
                type: string
              # Per the description the hash covers roles, accessRules and
              # unrestricted only.
              # NOTE(review): changes to userName, secret or passwordSelector
              # are not described as triggering rotation; confirm the intended
              # behaviour in the controller.
              securityHash:
                description: |-
                  SecurityHash tracks the hash of security-critical spec fields (roles, accessRules, unrestricted).
                  Used to detect when these fields change and trigger immediate rotation.
                type: string
            type: object
        type: object
    # v1beta1 is both served and the storage version.
    served: true
    storage: true
    # The status subresource is enabled: status can only be changed through the
    # /status endpoint, and writes to the main resource ignore status changes.
    # Grant update on keystoneapplicationcredentials/status to the controller's
    # service account only, since fields such as securityHash and expiresAt are
    # described as driving rotation.
    subresources:
      status: {}
# Status of the CRD object itself, written by the API server (names accepted,
# CRD established). It is ignored on apply and belongs to the cluster export,
# not to the manifest kept in source control.
status:
  acceptedNames:
    kind: KeystoneApplicationCredential
    listKind: KeystoneApplicationCredentialList
    plural: keystoneapplicationcredentials
    shortNames:
    - appcred
    singular: keystoneapplicationcredential
  conditions:
  - lastTransitionTime: "2026-04-02T13:56:58Z"
    message: no conflicts found
    reason: NoConflicts
    status: "True"
    type: NamesAccepted
  - lastTransitionTime: "2026-04-02T13:56:58Z"
    message: the initial names have been accepted
    reason: InitialNamesAccepted
    status: "True"
    type: Established
  storedVersions:
  - v1beta1
