diff --git a/api/go.mod b/api/go.mod
index c1d125cccb..7b1c4dcfb7 100644
--- a/api/go.mod
+++ b/api/go.mod
@@ -13,11 +13,11 @@ require (
 	github.com/openstack-k8s-operators/glance-operator/api v0.6.1-0.20260418071313-4af756ba3dac
 	github.com/openstack-k8s-operators/heat-operator/api v0.6.1-0.20260420052550-a562e0ee16fd
 	github.com/openstack-k8s-operators/horizon-operator/api v0.6.1-0.20260418053129-fb096ad89dce
-	github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260507103247-9c1255698eac
+	github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260508091801-73f228e6af31
 	github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260420052552-1ba026c533d6
 	github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260420052838-77f94aef5af2
-	github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20260506154724-30a976ba8ef0
-	github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20260417092244-81c71b39e981
+	github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20260512122920-c197ec23eaf6
+	github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20260512122920-c197ec23eaf6
 	github.com/openstack-k8s-operators/manila-operator/api v0.6.1-0.20260420052836-ac1a4d8a769e
 	github.com/openstack-k8s-operators/mariadb-operator/api v0.6.1-0.20260413152655-564a51226a2a
 	github.com/openstack-k8s-operators/neutron-operator/api v0.6.1-0.20260420052839-b9314e4e03a3
@@ -79,7 +79,7 @@ require (
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/openshift/api v3.9.0+incompatible // indirect
-	github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20260417092244-81c71b39e981 // indirect
+	github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20260512122920-c197ec23eaf6 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/prometheus/client_golang v1.22.0 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
@@ -135,3 +135,5 @@ replace k8s.io/code-generator => k8s.io/code-generator v0.31.14 //allow-merging
 replace k8s.io/component-base => k8s.io/component-base v0.31.14 //allow-merging
 
 replace github.com/cert-manager/cmctl/v2 => github.com/cert-manager/cmctl/v2 v2.1.2-0.20241127223932-88edb96860cf //allow-merging
+
+replace github.com/openstack-k8s-operators/keystone-operator/api => github.com/Deydra71/keystone-operator/api v0.0.0-20260518055715-13a7e6cc2ed4
diff --git a/api/go.sum b/api/go.sum
index 8a77a7cc8e..5dbe3ee567 100644
--- a/api/go.sum
+++ b/api/go.sum
@@ -1,3 +1,5 @@
+github.com/Deydra71/keystone-operator/api v0.0.0-20260518055715-13a7e6cc2ed4 h1:ki7Qqp631ddtVVyxARe9c4MmpuzPvdtWbDd9GCJaUeM=
+github.com/Deydra71/keystone-operator/api v0.0.0-20260518055715-13a7e6cc2ed4/go.mod h1:lOjFxaGpq7QRThk2KRF/u6D1qwRg+CXfll1vcfEBIjE=
 github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
 github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -126,18 +128,16 @@ github.com/openstack-k8s-operators/heat-operator/api v0.6.1-0.20260420052550-a56
 github.com/openstack-k8s-operators/heat-operator/api v0.6.1-0.20260420052550-a562e0ee16fd/go.mod h1:aA+YEZ3UJCQvJB2X3qOliGVB7EXdImfJ0qV2jUG/L0E=
 github.com/openstack-k8s-operators/horizon-operator/api v0.6.1-0.20260418053129-fb096ad89dce h1:4nqAqtmfoN3VoWtFhHj65iZhi40KNp254/trUuoTD0M=
 github.com/openstack-k8s-operators/horizon-operator/api v0.6.1-0.20260418053129-fb096ad89dce/go.mod h1:ZMH+2206hZgGFjEhC+hhPvU+v6haNaeh5FR1mHylfqw=
-github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260507103247-9c1255698eac h1:iALKqINqZR916pWQdjBzi4RtydKcAFAFAMCBXGhnsL0=
-github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260507103247-9c1255698eac/go.mod h1:/S2AN21zV70V1XuL0Of2dCjYWNkKwQSyNI8l/iQVrMs=
+github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260508091801-73f228e6af31 h1:FWa0vNs175LpV1eSZ60YOGFdbJ3LqxQ1fxfprBRg7T4=
+github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260508091801-73f228e6af31/go.mod h1:/S2AN21zV70V1XuL0Of2dCjYWNkKwQSyNI8l/iQVrMs=
 github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260420052552-1ba026c533d6 h1:thGt9sbYC1L9/UvkeYQQbWGxeiNeaXVckB/0QuBkN78=
 github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260420052552-1ba026c533d6/go.mod h1:pnFZOetSrSoCdyMyTOUTfsFTdwtGwNFKtaPNNZtyHuw=
-github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260420052838-77f94aef5af2 h1:h7pTz90cHqX6nTYjYDphuitIfD4UpM9yGnI3AbLdHrY=
-github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260420052838-77f94aef5af2/go.mod h1:SpO4CL7c5/1HG+61fP6kWhL2+3aqR+5SNatdZueKrz8=
-github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20260506154724-30a976ba8ef0 h1:vkFvn06Ns9qW4AbzFjFDu8ioosRmhkEZiDrO3DOQhLg=
-github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20260506154724-30a976ba8ef0/go.mod h1:aIuG6lx3aS0vnXweRNdR/Q0SlfOsLIo0OzrqKK7C6xs=
-github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20260417092244-81c71b39e981 h1:jN3Kvt+RYUTaL9EXeeeIqRXVjqeNF74SuLTDXmi4X2Y=
-github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20260417092244-81c71b39e981/go.mod h1:7yqbVpg0k0vW+kZks+TMU/cd1ovoejyHfVPWcyGYLHI=
-github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20260417092244-81c71b39e981 h1:X3/Gc+i0ZxaROExrpLXonz9EPhftlubFnOK4aSkRLvo=
-github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20260417092244-81c71b39e981/go.mod h1:3loLaPUDQyvbPekylZd9OCLF+EXH2klRI9IeeQhuMcs=
+github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20260512122920-c197ec23eaf6 h1:GEoxMmMmWhm9Oleqj5/qIafzHzaWMh2MjXkXTccuvwk=
+github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20260512122920-c197ec23eaf6/go.mod h1:aIuG6lx3aS0vnXweRNdR/Q0SlfOsLIo0OzrqKK7C6xs=
+github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20260512122920-c197ec23eaf6 h1:Qw33b8pfYX4eU3FOA77jASZUpfzWeH4e6NZUaPUBEqw=
+github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20260512122920-c197ec23eaf6/go.mod h1:7yqbVpg0k0vW+kZks+TMU/cd1ovoejyHfVPWcyGYLHI=
+github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20260512122920-c197ec23eaf6 h1:q8NsJybqpBkFwUKClJysaZsFth8fUiBU92kVKnmZG2U=
+github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20260512122920-c197ec23eaf6/go.mod h1:tft3oDiN+v6wX3ILPXGUM/gCLJz6QtrPN63hxpJ3E24=
 github.com/openstack-k8s-operators/manila-operator/api v0.6.1-0.20260420052836-ac1a4d8a769e h1:bymDbHC6lMbZUbg3dJi5ajS+i4/z5Q77r2nuz4VpBfc=
 github.com/openstack-k8s-operators/manila-operator/api v0.6.1-0.20260420052836-ac1a4d8a769e/go.mod h1:aKKbe1AraYGWby2tLTT0sBB4iFH5ZnrZ/uzhf7RwzLs=
 github.com/openstack-k8s-operators/mariadb-operator/api v0.6.1-0.20260413152655-564a51226a2a h1:1VRHhhCE8U0+Q6jPNppxcklIVfK7gZ2Js9VaLpPR7sw=
diff --git a/bindata/crds/keystone.openstack.org_keystoneapplicationcredentials.yaml b/bindata/crds/keystone.openstack.org_keystoneapplicationcredentials.yaml
index d96ed836ab..86238bf6d2 100644
--- a/bindata/crds/keystone.openstack.org_keystoneapplicationcredentials.yaml
+++ b/bindata/crds/keystone.openstack.org_keystoneapplicationcredentials.yaml
@@ -209,6 +209,10 @@ spec:
                   for this ApplicationCredential.
                 format: int64
                 type: integer
+              previousSecretName:
+                description: PreviousSecretName - name of the previous AC secret.
+                  Only current and previous are protected by finalizer.
+                type: string
               rotationEligibleAt:
                 description: |-
                   RotationEligibleAt indicates when rotation becomes eligible (start of grace period window).
diff --git a/bindata/rbac/keystone-operator-rbac.yaml b/bindata/rbac/keystone-operator-rbac.yaml
index 4e4d3d68b1..25bc1d624f 100644
--- a/bindata/rbac/keystone-operator-rbac.yaml
+++ b/bindata/rbac/keystone-operator-rbac.yaml
@@ -135,6 +135,14 @@ rules:
     - patch
     - update
     - watch
+- apiGroups:
+    - dataplane.openstack.org
+  resources:
+    - openstackdataplanenodesets
+  verbs:
+    - get
+    - list
+    - watch
 - apiGroups:
     - k8s.cni.cncf.io
   resources:
diff --git a/go.mod b/go.mod
index 27b6a48cf1..adca1088b7 100644
--- a/go.mod
+++ b/go.mod
@@ -18,14 +18,14 @@ require (
 	github.com/openstack-k8s-operators/glance-operator/api v0.6.1-0.20260418071313-4af756ba3dac
 	github.com/openstack-k8s-operators/heat-operator/api v0.6.1-0.20260420052550-a562e0ee16fd
 	github.com/openstack-k8s-operators/horizon-operator/api v0.6.1-0.20260418053129-fb096ad89dce
-	github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260507103247-9c1255698eac
+	github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260508091801-73f228e6af31
 	github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260420052552-1ba026c533d6
 	github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260420052838-77f94aef5af2
 	github.com/openstack-k8s-operators/lib-common/modules/ansible v0.6.1-0.20260417092244-81c71b39e981
 	github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.6.1-0.20260417092244-81c71b39e981
-	github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20260506154724-30a976ba8ef0
-	github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20260417092244-81c71b39e981
-	github.com/openstack-k8s-operators/lib-common/modules/test v0.6.1-0.20260417092244-81c71b39e981
+	github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20260512122920-c197ec23eaf6
+	github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20260512122920-c197ec23eaf6
+	github.com/openstack-k8s-operators/lib-common/modules/test v0.6.1-0.20260512122920-c197ec23eaf6
 	github.com/openstack-k8s-operators/manila-operator/api v0.6.1-0.20260420052836-ac1a4d8a769e
 	github.com/openstack-k8s-operators/mariadb-operator/api v0.6.1-0.20260413152655-564a51226a2a
 	github.com/openstack-k8s-operators/neutron-operator/api v0.6.1-0.20260420052839-b9314e4e03a3
@@ -94,7 +94,7 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20260417092244-81c71b39e981 // indirect
+	github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20260512122920-c197ec23eaf6 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_golang v1.22.0 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
@@ -175,3 +175,5 @@ replace k8s.io/code-generator => k8s.io/code-generator v0.31.14 //allow-merging
 replace k8s.io/component-base => k8s.io/component-base v0.31.14 //allow-merging
 
 replace github.com/cert-manager/cmctl/v2 => github.com/cert-manager/cmctl/v2 v2.1.2-0.20241127223932-88edb96860cf //allow-merging
+
+replace github.com/openstack-k8s-operators/keystone-operator/api => github.com/Deydra71/keystone-operator/api v0.0.0-20260518055715-13a7e6cc2ed4
diff --git a/go.sum b/go.sum
index 5a5548bf06..66539341ad 100644
--- a/go.sum
+++ b/go.sum
@@ -1,3 +1,5 @@
+github.com/Deydra71/keystone-operator/api v0.0.0-20260518055715-13a7e6cc2ed4 h1:ki7Qqp631ddtVVyxARe9c4MmpuzPvdtWbDd9GCJaUeM=
+github.com/Deydra71/keystone-operator/api v0.0.0-20260518055715-13a7e6cc2ed4/go.mod h1:lOjFxaGpq7QRThk2KRF/u6D1qwRg+CXfll1vcfEBIjE=
 github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
 github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI=
@@ -150,24 +152,22 @@ github.com/openstack-k8s-operators/heat-operator/api v0.6.1-0.20260420052550-a56
 github.com/openstack-k8s-operators/heat-operator/api v0.6.1-0.20260420052550-a562e0ee16fd/go.mod h1:aA+YEZ3UJCQvJB2X3qOliGVB7EXdImfJ0qV2jUG/L0E=
 github.com/openstack-k8s-operators/horizon-operator/api v0.6.1-0.20260418053129-fb096ad89dce h1:4nqAqtmfoN3VoWtFhHj65iZhi40KNp254/trUuoTD0M=
 github.com/openstack-k8s-operators/horizon-operator/api v0.6.1-0.20260418053129-fb096ad89dce/go.mod h1:ZMH+2206hZgGFjEhC+hhPvU+v6haNaeh5FR1mHylfqw=
-github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260507103247-9c1255698eac h1:iALKqINqZR916pWQdjBzi4RtydKcAFAFAMCBXGhnsL0=
-github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260507103247-9c1255698eac/go.mod h1:/S2AN21zV70V1XuL0Of2dCjYWNkKwQSyNI8l/iQVrMs=
+github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260508091801-73f228e6af31 h1:FWa0vNs175LpV1eSZ60YOGFdbJ3LqxQ1fxfprBRg7T4=
+github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260508091801-73f228e6af31/go.mod h1:/S2AN21zV70V1XuL0Of2dCjYWNkKwQSyNI8l/iQVrMs=
 github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260420052552-1ba026c533d6 h1:thGt9sbYC1L9/UvkeYQQbWGxeiNeaXVckB/0QuBkN78=
 github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260420052552-1ba026c533d6/go.mod h1:pnFZOetSrSoCdyMyTOUTfsFTdwtGwNFKtaPNNZtyHuw=
-github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260420052838-77f94aef5af2 h1:h7pTz90cHqX6nTYjYDphuitIfD4UpM9yGnI3AbLdHrY=
-github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260420052838-77f94aef5af2/go.mod h1:SpO4CL7c5/1HG+61fP6kWhL2+3aqR+5SNatdZueKrz8=
 github.com/openstack-k8s-operators/lib-common/modules/ansible v0.6.1-0.20260417092244-81c71b39e981 h1:3aS6IFc8SHDf/tso8FKONOnhampZ3hV0ic0NH2FYmio=
 github.com/openstack-k8s-operators/lib-common/modules/ansible v0.6.1-0.20260417092244-81c71b39e981/go.mod h1:tXxVkkk8HlATwTmDA5RTP3b+c8apfuMM15mZ2wW5iNs=
 github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.6.1-0.20260417092244-81c71b39e981 h1:G0YU5B6AhXDy/46urlNjz6tMXmHGDdoslgucTIN3F30=
 github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.6.1-0.20260417092244-81c71b39e981/go.mod h1:GzD7Jc5o98ptJ97DSjhC0CQ6OiTP0PB/2qJqxYGcOH8=
-github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20260506154724-30a976ba8ef0 h1:vkFvn06Ns9qW4AbzFjFDu8ioosRmhkEZiDrO3DOQhLg=
-github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20260506154724-30a976ba8ef0/go.mod h1:aIuG6lx3aS0vnXweRNdR/Q0SlfOsLIo0OzrqKK7C6xs=
-github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20260417092244-81c71b39e981 h1:jN3Kvt+RYUTaL9EXeeeIqRXVjqeNF74SuLTDXmi4X2Y=
-github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20260417092244-81c71b39e981/go.mod h1:7yqbVpg0k0vW+kZks+TMU/cd1ovoejyHfVPWcyGYLHI=
-github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20260417092244-81c71b39e981 h1:X3/Gc+i0ZxaROExrpLXonz9EPhftlubFnOK4aSkRLvo=
-github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20260417092244-81c71b39e981/go.mod h1:3loLaPUDQyvbPekylZd9OCLF+EXH2klRI9IeeQhuMcs=
-github.com/openstack-k8s-operators/lib-common/modules/test v0.6.1-0.20260417092244-81c71b39e981 h1:KAQ8T+Ri3JWgsyK1D6QybScMh6fpkYUUA+0ntnOiAl4=
-github.com/openstack-k8s-operators/lib-common/modules/test v0.6.1-0.20260417092244-81c71b39e981/go.mod h1:dEjz8zHRIlP3vnMmWdHytlLeSZ6BHcIiSTPM7xTQxFg=
+github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20260512122920-c197ec23eaf6 h1:GEoxMmMmWhm9Oleqj5/qIafzHzaWMh2MjXkXTccuvwk=
+github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20260512122920-c197ec23eaf6/go.mod h1:aIuG6lx3aS0vnXweRNdR/Q0SlfOsLIo0OzrqKK7C6xs=
+github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20260512122920-c197ec23eaf6 h1:Qw33b8pfYX4eU3FOA77jASZUpfzWeH4e6NZUaPUBEqw=
+github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20260512122920-c197ec23eaf6/go.mod h1:7yqbVpg0k0vW+kZks+TMU/cd1ovoejyHfVPWcyGYLHI=
+github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20260512122920-c197ec23eaf6 h1:q8NsJybqpBkFwUKClJysaZsFth8fUiBU92kVKnmZG2U=
+github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20260512122920-c197ec23eaf6/go.mod h1:tft3oDiN+v6wX3ILPXGUM/gCLJz6QtrPN63hxpJ3E24=
+github.com/openstack-k8s-operators/lib-common/modules/test v0.6.1-0.20260512122920-c197ec23eaf6 h1:/tA9zEO9YI2k+WRN8qc9WAFQwi96zaAk+EqnW5j0+Fc=
+github.com/openstack-k8s-operators/lib-common/modules/test v0.6.1-0.20260512122920-c197ec23eaf6/go.mod h1:ZYG9CQe7cOePOKQbenEZFA28kPdkUOe9QKbDRwGhEV0=
 github.com/openstack-k8s-operators/manila-operator/api v0.6.1-0.20260420052836-ac1a4d8a769e h1:bymDbHC6lMbZUbg3dJi5ajS+i4/z5Q77r2nuz4VpBfc=
 github.com/openstack-k8s-operators/manila-operator/api v0.6.1-0.20260420052836-ac1a4d8a769e/go.mod h1:aKKbe1AraYGWby2tLTT0sBB4iFH5ZnrZ/uzhf7RwzLs=
 github.com/openstack-k8s-operators/mariadb-operator/api v0.6.1-0.20260413152655-564a51226a2a h1:1VRHhhCE8U0+Q6jPNppxcklIVfK7gZ2Js9VaLpPR7sw=
diff --git a/internal/openstack/applicationcredential.go b/internal/openstack/applicationcredential.go
index 3c699df561..9ca73c6986 100644
--- a/internal/openstack/applicationcredential.go
+++ b/internal/openstack/applicationcredential.go
@@ -68,14 +68,15 @@ func CleanupApplicationCredentialForService(
 	instance *corev1beta1.OpenStackControlPlane,
 	serviceName string,
 ) error {
+	Log := GetLogger(ctx)
 	acName := keystonev1.GetACCRName(serviceName)
+
 	acCR := &keystonev1.KeystoneApplicationCredential{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      acName,
 			Namespace: instance.Namespace,
 		},
 	}
-	Log := GetLogger(ctx)
 	err := helper.GetClient().Delete(ctx, acCR)
 	if k8s_errors.IsNotFound(err) {
 		return nil
@@ -106,6 +107,7 @@ func EnsureApplicationCredentialForService(
 	passwordSelector string,
 	serviceUser string,
 	acConfig *corev1beta1.ServiceAppCredSection,
+	edpmService bool,
 ) (acSecretName string, result ctrl.Result, err error) {
 	Log := GetLogger(ctx)
 
@@ -154,7 +156,7 @@ func EnsureApplicationCredentialForService(
 	// Check if AC CR exists and is ready
 	if acExists {
 		// We want to run reconcileApplicationCredential to update the AC CR if it exists and is ready and AC config fields changed
-		err = reconcileApplicationCredential(ctx, helper, instance, acName, serviceUser, secretName, passwordSelector, merged)
+		err = reconcileApplicationCredential(ctx, helper, instance, acName, serviceUser, secretName, passwordSelector, merged, edpmService)
 		if err != nil {
 			return "", ctrl.Result{}, err
 		}
@@ -177,7 +179,7 @@ func EnsureApplicationCredentialForService(
 	// Service is ready, create Application Credential CR
 	Log.Info("Service is ready, creating Application Credential", "service", serviceName, "acName", acName)
 
-	err = reconcileApplicationCredential(ctx, helper, instance, acName, serviceUser, secretName, passwordSelector, merged)
+	err = reconcileApplicationCredential(ctx, helper, instance, acName, serviceUser, secretName, passwordSelector, merged, edpmService)
 	if err != nil {
 		return "", ctrl.Result{}, err
 	}
@@ -196,6 +198,7 @@ func reconcileApplicationCredential(
 	secretName string,
 	passwordSelector string,
 	effective corev1beta1.ApplicationCredentialSection,
+	edpmService bool,
 ) error {
 	log := GetLogger(ctx)
 
@@ -215,6 +218,17 @@ func reconcileApplicationCredential(
 		acObj.Spec.Roles = effective.Roles
 		acObj.Spec.Unrestricted = *effective.Unrestricted
 
+		annotations := acObj.GetAnnotations()
+		if annotations == nil {
+			annotations = map[string]string{}
+		}
+		if edpmService {
+			annotations[keystonev1.EDPMServiceAnnotation] = "true"
+		} else {
+			annotations[keystonev1.EDPMServiceAnnotation] = "false"
+		}
+		acObj.SetAnnotations(annotations)
+
 		if len(effective.AccessRules) > 0 {
 			kr := make([]keystonev1.ACRule, 0, len(effective.AccessRules))
 			for _, r := range effective.AccessRules {
diff --git a/internal/openstack/barbican.go b/internal/openstack/barbican.go
index 1c566ed738..50c6a6ce7a 100644
--- a/internal/openstack/barbican.go
+++ b/internal/openstack/barbican.go
@@ -91,6 +91,7 @@ func ReconcileBarbican(ctx context.Context, instance *corev1beta1.OpenStackContr
 			instance.Spec.Barbican.Template.PasswordSelectors.Service,
 			instance.Spec.Barbican.Template.ServiceUser,
 			instance.Spec.Barbican.ApplicationCredential,
+			false,
 		)
 		if err != nil {
 			return ctrl.Result{}, err
diff --git a/internal/openstack/cinder.go b/internal/openstack/cinder.go
index 11c9efbb7d..3c391878c9 100644
--- a/internal/openstack/cinder.go
+++ b/internal/openstack/cinder.go
@@ -115,6 +115,7 @@ func ReconcileCinder(ctx context.Context, instance *corev1beta1.OpenStackControl
 			instance.Spec.Cinder.Template.PasswordSelectors.Service,
 			instance.Spec.Cinder.Template.ServiceUser,
 			instance.Spec.Cinder.ApplicationCredential,
+			false,
 		)
 		if err != nil {
 			return ctrl.Result{}, err
diff --git a/internal/openstack/designate.go b/internal/openstack/designate.go
index 5ef092b0e0..b6e4269af1 100644
--- a/internal/openstack/designate.go
+++ b/internal/openstack/designate.go
@@ -103,6 +103,7 @@ func ReconcileDesignate(ctx context.Context, instance *corev1beta1.OpenStackCont
 			instance.Spec.Designate.Template.PasswordSelectors.Service,
 			instance.Spec.Designate.Template.ServiceUser,
 			instance.Spec.Designate.ApplicationCredential,
+			false,
 		)
 		if err != nil {
 			return ctrl.Result{}, err
diff --git a/internal/openstack/glance.go b/internal/openstack/glance.go
index 82c908a6ec..34207515d1 100644
--- a/internal/openstack/glance.go
+++ b/internal/openstack/glance.go
@@ -145,6 +145,7 @@ func ReconcileGlance(ctx context.Context, instance *corev1beta1.OpenStackControl
 			instance.Spec.Glance.Template.PasswordSelectors.Service,
 			instance.Spec.Glance.Template.ServiceUser,
 			instance.Spec.Glance.ApplicationCredential,
+			false,
 		)
 		if err != nil {
 			return ctrl.Result{}, err
diff --git a/internal/openstack/heat.go b/internal/openstack/heat.go
index a9bad1d9b0..24168ea164 100644
--- a/internal/openstack/heat.go
+++ b/internal/openstack/heat.go
@@ -134,6 +134,7 @@ func ReconcileHeat(ctx context.Context, instance *corev1beta1.OpenStackControlPl
 			instance.Spec.Heat.Template.PasswordSelectors.Service,
 			instance.Spec.Heat.Template.ServiceUser,
 			instance.Spec.Heat.ApplicationCredential,
+			false,
 		)
 		if err != nil {
 			return ctrl.Result{}, err
diff --git a/internal/openstack/ironic.go b/internal/openstack/ironic.go
index 37b3ff4222..dd01a607b0 100644
--- a/internal/openstack/ironic.go
+++ b/internal/openstack/ironic.go
@@ -147,6 +147,7 @@ func ReconcileIronic(ctx context.Context, instance *corev1beta1.OpenStackControl
 			instance.Spec.Ironic.Template.PasswordSelectors.Service,
 			instance.Spec.Ironic.Template.ServiceUser,
 			instance.Spec.Ironic.ApplicationCredential,
+			false,
 		)
 		if err != nil {
 			return ctrl.Result{}, err
@@ -173,6 +174,7 @@ func ReconcileIronic(ctx context.Context, instance *corev1beta1.OpenStackControl
 			instance.Spec.Ironic.Template.IronicInspector.PasswordSelectors.Service,
 			instance.Spec.Ironic.Template.IronicInspector.ServiceUser,
 			instance.Spec.Ironic.ApplicationCredential,
+			false,
 		)
 		if err != nil {
 			return ctrl.Result{}, err
diff --git a/internal/openstack/manila.go b/internal/openstack/manila.go
index dcba216762..956e68481a 100644
--- a/internal/openstack/manila.go
+++ b/internal/openstack/manila.go
@@ -93,6 +93,7 @@ func ReconcileManila(ctx context.Context, instance *corev1beta1.OpenStackControl
 			instance.Spec.Manila.Template.PasswordSelectors.Service,
 			instance.Spec.Manila.Template.ServiceUser,
 			instance.Spec.Manila.ApplicationCredential,
+			false,
 		)
 		if err != nil {
 			return ctrl.Result{}, err
diff --git a/internal/openstack/neutron.go b/internal/openstack/neutron.go
index 29418e4271..b72b570be2 100644
--- a/internal/openstack/neutron.go
+++ b/internal/openstack/neutron.go
@@ -137,6 +137,7 @@ func ReconcileNeutron(ctx context.Context, instance *corev1beta1.OpenStackContro
 			instance.Spec.Neutron.Template.PasswordSelectors.Service,
 			instance.Spec.Neutron.Template.ServiceUser,
 			instance.Spec.Neutron.ApplicationCredential,
+			false,
 		)
 		if err != nil {
 			return ctrl.Result{}, err
diff --git a/internal/openstack/nova.go b/internal/openstack/nova.go
index 7a5bbf2f3e..c6c6b00624 100644
--- a/internal/openstack/nova.go
+++ b/internal/openstack/nova.go
@@ -209,6 +209,7 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl
 			instance.Spec.Nova.Template.PasswordSelectors.Service,
 			instance.Spec.Nova.Template.ServiceUser,
 			instance.Spec.Nova.ApplicationCredential,
+			true,
 		)
 		if err != nil {
 			return ctrl.Result{}, err
diff --git a/internal/openstack/octavia.go b/internal/openstack/octavia.go
index 9d98b89f88..ed5665f776 100644
--- a/internal/openstack/octavia.go
+++ b/internal/openstack/octavia.go
@@ -185,6 +185,7 @@ func ReconcileOctavia(ctx context.Context, instance *corev1beta1.OpenStackContro
 			instance.Spec.Octavia.Template.PasswordSelectors.Service,
 			instance.Spec.Octavia.Template.ServiceUser,
 			instance.Spec.Octavia.ApplicationCredential,
+			false,
 		)
 		if err != nil {
 			return ctrl.Result{}, err
diff --git a/internal/openstack/placement.go b/internal/openstack/placement.go
index 96a1d3dab5..0dd842a4db 100644
--- a/internal/openstack/placement.go
+++ b/internal/openstack/placement.go
@@ -97,6 +97,7 @@ func ReconcilePlacementAPI(ctx context.Context, instance *corev1beta1.OpenStackC
 			instance.Spec.Placement.Template.PasswordSelectors.Service,
 			instance.Spec.Placement.Template.ServiceUser,
 			instance.Spec.Placement.ApplicationCredential,
+			false,
 		)
 		if err != nil {
 			return ctrl.Result{}, err
diff --git a/internal/openstack/swift.go b/internal/openstack/swift.go
index e7dc468a7f..92ed4082f5 100644
--- a/internal/openstack/swift.go
+++ b/internal/openstack/swift.go
@@ -127,6 +127,7 @@ func ReconcileSwift(ctx context.Context, instance *corev1beta1.OpenStackControlP
 			instance.Spec.Swift.Template.SwiftProxy.PasswordSelectors.Service,
 			instance.Spec.Swift.Template.SwiftProxy.ServiceUser,
 			instance.Spec.Swift.ApplicationCredential,
+			false,
 		)
 		if err != nil {
 			return ctrl.Result{}, err
diff --git a/internal/openstack/telemetry.go b/internal/openstack/telemetry.go
index 0d302cb4cd..9233e1ccc8 100644
--- a/internal/openstack/telemetry.go
+++ b/internal/openstack/telemetry.go
@@ -153,6 +153,7 @@ func ReconcileTelemetry(ctx context.Context, instance *corev1beta1.OpenStackCont
 				instance.Spec.Telemetry.Template.Autoscaling.Aodh.PasswordSelectors.AodhService,
 				instance.Spec.Telemetry.Template.Autoscaling.Aodh.ServiceUser,
 				instance.Spec.Telemetry.ApplicationCredentialAodh,
+				false,
 			)
 			if err != nil {
 				return ctrl.Result{}, err
@@ -198,6 +199,7 @@ func ReconcileTelemetry(ctx context.Context, instance *corev1beta1.OpenStackCont
 				instance.Spec.Telemetry.Template.Ceilometer.PasswordSelectors.CeilometerService,
 				instance.Spec.Telemetry.Template.Ceilometer.ServiceUser,
 				instance.Spec.Telemetry.ApplicationCredentialCeilometer,
+				true,
 			)
 			if err != nil {
 				return ctrl.Result{}, err
@@ -242,6 +244,7 @@ func ReconcileTelemetry(ctx context.Context, instance *corev1beta1.OpenStackCont
 				instance.Spec.Telemetry.Template.CloudKitty.PasswordSelectors.CloudKittyService,
 				instance.Spec.Telemetry.Template.CloudKitty.ServiceUser,
 				instance.Spec.Telemetry.ApplicationCredentialCloudKitty,
+				false,
 			)
 			if err != nil {
 				return ctrl.Result{}, err
diff --git a/internal/openstack/watcher.go b/internal/openstack/watcher.go
index bfed839c50..dace2e5898 100644
--- a/internal/openstack/watcher.go
+++ b/internal/openstack/watcher.go
@@ -106,6 +106,7 @@ func ReconcileWatcher(ctx context.Context, instance *corev1beta1.OpenStackContro
 			getWatcherPasswordSelector(),
 			getWatcherServiceUser(),
 			instance.Spec.Watcher.ApplicationCredential,
+			false,
 		)
 		if err != nil {
 			return ctrl.Result{}, err
diff --git a/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/02-assert-appcred-crs.yaml b/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/02-assert-appcred-crs.yaml
index 7453d5b13a..d4305e11b7 100644
--- a/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/02-assert-appcred-crs.yaml
+++ b/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/02-assert-appcred-crs.yaml
@@ -44,6 +44,16 @@ commands:
         echo "✓ ac-$name.roles = [${expected_roles[*]}]"
       }
 
+      check_edpm_annotation() {
+        local name=$1 expected=$2
+        local actual=$(oc get appcred ac-$name -n "$NS" -o jsonpath="{.metadata.annotations.keystone\.openstack\.org/edpm-service}" 2>/dev/null || echo "")
+        if [ "$actual" != "$expected" ]; then
+          echo "ERROR: ac-$name edpm-service annotation: expected '$expected', got '$actual'"
+          exit 1
+        fi
+        echo "✓ ac-$name edpm-service = $expected"
+      }
+
       echo "========================================="
       echo "Testing Application Credential CRs"
       echo "========================================="
@@ -66,6 +76,7 @@ commands:
       check_field barbican gracePeriodDays 364
       check_roles barbican "admin" "service"
       check_field barbican unrestricted "false"
+      check_edpm_annotation barbican "false"
       echo
 
       # ---- ac-cinder ----
@@ -76,6 +87,7 @@ commands:
       check_field cinder gracePeriodDays 5
       check_roles cinder "admin" "service"
       check_field cinder unrestricted "true"
+      check_edpm_annotation cinder "false"
       echo
 
       # ---- ac-glance ----
@@ -86,6 +98,7 @@ commands:
       check_field glance gracePeriodDays 60
       check_roles glance "admin" "service"
       check_field glance unrestricted "false"
+      check_edpm_annotation glance "false"
       echo
 
       # ---- ac-swift ----
@@ -96,6 +109,7 @@ commands:
       check_field swift gracePeriodDays 364
       check_roles swift "service"
       check_field swift unrestricted "false"
+      check_edpm_annotation swift "false"
       echo
 
       # ---- ac-neutron ----
@@ -106,6 +120,7 @@ commands:
       check_field neutron gracePeriodDays 364
       check_roles neutron "admin" "service"
       check_field neutron unrestricted "false"
+      check_edpm_annotation neutron "false"
       echo
 
       # ---- ac-placement ----
@@ -116,26 +131,29 @@ commands:
       check_field placement gracePeriodDays 30
       check_roles placement "admin" "service"
       check_field placement unrestricted "false"
+      check_edpm_annotation placement "false"
       echo
 
       # ---- ac-nova ----
-      # Multiple roles
-      echo "=== Testing ac-nova (multiple roles) ==="
+      # Multiple roles, EDPM service
+      echo "=== Testing ac-nova (multiple roles, EDPM service) ==="
       wait_ready nova
       check_field nova expirationDays 730
       check_field nova gracePeriodDays 364
       check_roles nova "admin" "service" "member"
       check_field nova unrestricted "false"
+      check_edpm_annotation nova "true"
       echo
 
       # ---- ac-ceilometer ----
-      # Telemetry/Ceilometer component (enabled by default in base sample)
-      echo "=== Testing ac-ceilometer (telemetry/ceilometer) ==="
+      # Telemetry/Ceilometer component, EDPM service
+      echo "=== Testing ac-ceilometer (telemetry/ceilometer, EDPM service) ==="
       wait_ready ceilometer
       check_field ceilometer expirationDays 45
       check_field ceilometer gracePeriodDays 20
       check_roles ceilometer "service"
       check_field ceilometer unrestricted "false"
+      check_edpm_annotation ceilometer "true"
       echo
 
       echo "All ApplicationCredential CRs validated successfully"