Add support to define application credentials

[NotTheEvilOne]

What this PR does / why we need it:
This change implements support to enter application credentials for OpenStack as an alternative for the use of a technical user with password.

Which issue(s) this PR fixes:
Closes #1049

Special notes for your reviewer:
Error messages should reflect required inputs taking precedence of the underlying gardener-extension-provider-openstack implementation.

Added support to enter application credentials for OpenStack as an alternative for the use of a technical user with password

[gardener-robot]

@NotTheEvilOne Thank you for your contribution.

[gardener-robot-ci-3]

Thank you @NotTheEvilOne for your contribution. Before I can start building your PR, a member of the organization must set the required label(s) {'reviewed/ok-to-test'}. Once started, you can check the build status in the PR checks section below.

[gardener-robot]

@grolu, @holgerkoser You have pull request review open invite, please check

[grolu]

@NotTheEvilOne Thank you for your contribution.
It looks good at first glance, however I think the error handling needs to be improved:

• Currently both - username / password as well as application credentials - can be defined at the same time. Does this make sense / is this a valid scenario?
• If a password and no username but instead credential id / name are given, the validation succeeds but gardener returns an error: admission webhook "validation.openstack.provider.extensions.gardener.cloud" denied the request: 'username' is required if 'password' is given in garden-lukas/my-openstack-secret4
• In this PR add support for application credentials gardener-extension-provider-openstack#300 @kayrus mentioned that "when you're specifying application credentials, especially by id and a password, there is no need to request domain/project/username. application credentials are project scoped by default" this is currently also not reflected in the implementation

Let's discuss the open questions here. After that you can improve your implementation or I can take care of it if you want.

[NotTheEvilOne]

Thanks for your review.

@NotTheEvilOne Thank you for your contribution. It looks good at first glance, however I think the error handling needs to be improved:

* Currently both - username / password as well as application credentials - can be defined at the same time. Does this make sense / is this a valid scenario?

I don't think so.

* If a password and no username but instead credential id / name are given, the validation succeeds but gardener returns an error: `admission webhook "validation.openstack.provider.extensions.gardener.cloud" denied the request: 'username' is required if 'password' is given in garden-lukas/my-openstack-secret4`

Looks like I read the code here wrong.

* In this PR [add support for application credentials gardener-extension-provider-openstack#300](https://github.com/gardener/gardener-extension-provider-openstack/pull/300) @kayrus mentioned that _"when you're specifying application credentials, especially by id and a password, there is no need to request domain/project/username. application credentials are project scoped by default"_ this is currently also not reflected in the implementation

Here I'm not sure and need to check again. As far as I can see, domain and tenant are always required code wise. Could be that they are prefilled automatically somewhere else.

Let's discuss the open questions here. After that you can improve your implementation or I can take care of it if you want.

[grolu]

• In this PR add support for application credentials gardener-extension-provider-openstack#300 @kayrus mentioned that "when you're specifying application credentials, especially by id and a password, there is no need to request domain/project/username. application credentials are project scoped by default" this is currently also not reflected in the implementation

Here I'm not sure and need to check again. As far as I can see, domain and tenant are always required code wise. Could be that they are prefilled automatically somewhere else.

• Currently both - username / password as well as application credentials - can be defined at the same time. Does this make sense / is this a valid scenario?

@MartinWeindel maybe you can clarify the open questions

[MartinWeindel]

Currently both - username / password as well as application credentials - can be defined at the same time. Does this make sense / is this a valid scenario?

No, this makes no sense and it is also not allowed to provide both password and applicationCredentialSecret. Either you provide username/password or application credentials

Here` I'm not sure and need to check again. As far as I can see, domain and tenant are always required code wise. Could be that they are prefilled automatically somewhere else.

With the current implementation, domain and tenant name need to be provided always. There are too much combinations which may be valid, but are not tested.

[grolu]

@NotTheEvilOne I will incorporate the required changes and make a new PR based on this one if this is ok for you

[NotTheEvilOne]

I've changed the PR based on the feedback given. If you find any further mistakes please go ahead as you suggested.

[grolu]

/lgtm

There is still a minor glitch but most of the PR is fine . As I want to do some validation logic cleanup anyway. Let's merge it now. I will add a separate PR later