Implement RabbitMQ user finalizer management for EDPM nodes

Add dataplane-specific logic to track and manage RabbitMQ user finalizers
for OpenStackDataPlaneNodeSet services, enabling safe credential rotation
across multi-cluster deployments.

Key features:
- Per-nodeset finalizers on shared RabbitMQ users
- Incremental deployment support with proper finalizer timing
- Nova-operator rabbitmq_user_name field integration for simplified tracking
- Automatic cleanup of temporary cleanup-blocked finalizers
- Comprehensive test coverage for rotation and multi-cluster scenarios

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: lmiccini

api/bases/dataplane.openstack.org_openstackdataplanenodesets.yaml

@@ -1973,6 +1973,14 @@ spec:
                 items:
                   type: string
                 type: array
+              finalizerHash:
+                description: |-
+                  FinalizerHash is a short, deterministic hash derived from the nodeset name.
+                  Used to create unique, collision-free finalizer names for RabbitMQ users.
+                  Format: first 8 characters of SHA256(nodeset.metadata.name)
+                  Example: "a3f2b5c8"
+                  This allows easy lookup of which nodeset owns a specific finalizer.
+                type: string
               inventorySecretName:
                 description: InventorySecretName Name of a secret containing the ansible
                   inventory

api/dataplane/v1beta1/openstackdataplanenodeset_types.go

@@ -160,6 +160,13 @@ type OpenStackDataPlaneNodeSetStatus struct {
 
 	//DeployedBmhHash - Hash of BMHs deployed
 	DeployedBmhHash string `json:"deployedBmhHash,omitempty"`
+
+	// FinalizerHash is a short, deterministic hash derived from the nodeset name.
+	// Used to create unique, collision-free finalizer names for RabbitMQ users.
+	// Format: first 8 characters of SHA256(nodeset.metadata.name)
+	// Example: "a3f2b5c8"
+	// This allows easy lookup of which nodeset owns a specific finalizer.
+	FinalizerHash string `json:"finalizerHash,omitempty"`
 }
 
 // +kubebuilder:object:root=true

api/dataplane/v1beta1/openstackdataplanenodeset_webhook.go

@@ -28,6 +28,7 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
 	apimachineryvalidation "k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -170,6 +171,27 @@ func (r *OpenStackDataPlaneNodeSet) ValidateUpdate(ctx context.Context, old runt
 		for deployName, deployConditions := range oldNodeSet.Status.DeploymentStatuses {
 			deployCondition := deployConditions.Get(NodeSetDeploymentReadyCondition)
 			if !deployConditions.IsTrue(NodeSetDeploymentReadyCondition) && !condition.IsError(deployCondition) {
+				// Check if the deployment is being deleted - if so, allow the NodeSet update
+				deployment := &OpenStackDataPlaneDeployment{}
+				err := c.Get(ctx, types.NamespacedName{Name: deployName, Namespace: r.Namespace}, deployment)
+				if err != nil {
+					if apierrors.IsNotFound(err) {
+						// Deployment no longer exists, allow the update
+						continue
+					}
+					// If we can't check the deployment, log but don't block
+					openstackdataplanenodesetlog.Info("could not check deployment status during validation",
+						"deployment", deployName, "error", err)
+					continue
+				}
+
+				// If deployment is being deleted, allow the NodeSet update
+				if deployment.DeletionTimestamp != nil {
+					openstackdataplanenodesetlog.Info("allowing NodeSet update because deployment is being deleted",
+						"deployment", deployName)
+					continue
+				}
+
 				return nil, apierrors.NewConflict(
 					schema.GroupResource{Group: "dataplane.openstack.org", Resource: "OpenStackDataPlaneNodeSet"},
 					r.Name,

bindata/crds/crds.yaml

@@ -20543,6 +20543,14 @@ spec:
                 items:
                   type: string
                 type: array
+              finalizerHash:
+                description: |-
+                  FinalizerHash is a short, deterministic hash derived from the nodeset name.
+                  Used to create unique, collision-free finalizer names for RabbitMQ users.
+                  Format: first 8 characters of SHA256(nodeset.metadata.name)
+                  Example: "a3f2b5c8"
+                  This allows easy lookup of which nodeset owns a specific finalizer.
+                type: string
               inventorySecretName:
                 description: InventorySecretName Name of a secret containing the ansible
                   inventory

bindata/rbac/rbac.yaml

@@ -655,6 +655,23 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - rabbitmq.openstack.org
+  resources:
+  - rabbitmqusers
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - rabbitmq.openstack.org
+  resources:
+  - rabbitmqusers/finalizers
+  verbs:
+  - patch
+  - update
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:

config/crd/bases/dataplane.openstack.org_openstackdataplanenodesets.yaml

@@ -1973,6 +1973,14 @@ spec:
                 items:
                   type: string
                 type: array
+              finalizerHash:
+                description: |-
+                  FinalizerHash is a short, deterministic hash derived from the nodeset name.
+                  Used to create unique, collision-free finalizer names for RabbitMQ users.
+                  Format: first 8 characters of SHA256(nodeset.metadata.name)
+                  Example: "a3f2b5c8"
+                  This allows easy lookup of which nodeset owns a specific finalizer.
+                type: string
               inventorySecretName:
                 description: InventorySecretName Name of a secret containing the ansible
                   inventory

config/rbac/role.yaml

@@ -606,6 +606,23 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - rabbitmq.openstack.org
+  resources:
+  - rabbitmqusers
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - rabbitmq.openstack.org
+  resources:
+  - rabbitmqusers/finalizers
+  verbs:
+  - patch
+  - update
 - apiGroups:
   - rbac.authorization.k8s.io
   resources: