Improve handling of application credentials

[fkr]

The compliance monitor uses application credentials to check clouds for their compliance.
Quite a few of the currently configured environments have application credentials that expire after a period of time (for a lot of them after years). Right now couple of people know the process and the handling.

Ideally we would document the process and either provide a self-service way for updating the application credentials by the corresponding CSPs or we find other means of handling this.

This issue will likely need to be extended and/or refined - but wanted to make sure, we have a starting point.

[mbuechse]

At present, CSPs do have the possibility to change the application credential themselves. The process is very similar to the one that we describe in our docs for adding the credential for the first time:

• docs (see item 4)

So this is what they have to do, and I would be totally fine with application credentials that don't expire. They can be revoked any time.

So... case closed?

[fkr]

Thanks @mbuechse for clarifying. If the CSPs have the chance to manage this themselves, I would suggest that we escalate the expiring credentials to them and make sure they update them and with that the case is closed.

[depressiveRobot]

I also welcome the approach with credentials that don't expire. While being on the subject, I noticed two more things regarding the docs:

1. The zuul-client command referenced in step 4 throws deprecation warnings:

zuul-client --zuul-url https://zuul.sovereignit.cloud/ encrypt --tenant scs --project SovereignCloudStack/standards
/Users/Marvin/Code/SCS/standards/Tests/.venv/lib/python3.13/site-packages/zuulclient/version.py:18: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  import pkg_resources
FooBar
writing RSA key
The command rsautl was deprecated in version 3.0. Use 'pkeyutl' instead.

Should we tackle this?

2. Would it be useful to extend the docs and say that the credentials should not expire?

[mbuechse]

@depressiveRobot

1. I don't know if we can do anything about this. This is up to the zuul people to do, and I am very hesitant to contribute to upstream here because I fear it's rather complicated a process to say the least.
2. Ultimately, it's up to the CSPs. It's entirely their problem. When they use expiring credentials, they have to rotate them themselves. Maybe that's what we should write.