From e6859a726cc23f5d1118c2cea9ec333ece6e6ba4 Mon Sep 17 00:00:00 2001 From: Milana Levy Date: Thu, 19 Feb 2026 20:11:10 +0200 Subject: [PATCH] Fix Octavia ApplicationCredentialSecret set on wrong spec path The ApplicationCredentialSecret was being set on OctaviaAPI.Auth (sub-spec level) instead of Auth (top-level OctaviaSpecBase). The octavia-operator reads the secret from spec.auth, which is populated from OctaviaSpecBase via DeepCopyInto, not from the OctaviaAPI sub-spec. This caused Octavia to silently fall back to password auth when ZDPR (application credentials) was enabled, because the secret name never reached the Octavia CR's spec.auth field. Verified manually by patching the controlplane CR to set spec.octavia.template.auth.applicationCredentialSecret, which confirmed Octavia correctly switches to v3applicationcredential auth_type when the secret is at the correct spec level. Co-authored-by: AI Assistant (Cursor/Claude) JIRA: OSPRH-26817 --- internal/openstack/octavia.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/openstack/octavia.go b/internal/openstack/octavia.go index 5765b0152..cb1a1ffed 100644 --- a/internal/openstack/octavia.go +++ b/internal/openstack/octavia.go @@ -169,7 +169,7 @@ func ReconcileOctavia(ctx context.Context, instance *corev1beta1.OpenStackContro // Only call if AC enabled or currently configured if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Octavia.ApplicationCredential) || - instance.Spec.Octavia.Template.OctaviaAPI.Auth.ApplicationCredentialSecret != "" { + instance.Spec.Octavia.Template.Auth.ApplicationCredentialSecret != "" { acSecretName, acResult, err := EnsureApplicationCredentialForService( ctx, @@ -194,7 +194,7 @@ func ReconcileOctavia(ctx context.Context, instance *corev1beta1.OpenStackContro // Set ApplicationCredentialSecret based on what the helper returned: // - If AC disabled: returns "" // - If AC enabled and ready: returns the AC secret name - instance.Spec.Octavia.Template.OctaviaAPI.Auth.ApplicationCredentialSecret = acSecretName + instance.Spec.Octavia.Template.Auth.ApplicationCredentialSecret = acSecretName } svcs, err := service.GetServicesListWithLabel(