Add service role to ironic service users

Add the service role to ironic service users. Ironic recently enforced new policy validation as part of the RBAC efforts. [1][2] Service user support was also added to Ironic. [3] Admin role needs to stay as not all services added service role support. [4][5] [1] https://review.opendev.org/c/openstack/ironic/+/902009 [2] https://opendev.org/openstack/governance/src/commit/e2a47de10a689a78c31765fd1b020f17c0d3109c/goals/selected/consistent-and-secure-rbac.rst#phase-2 [3] https://review.opendev.org/c/openstack/ironic/+/907148 [4] https://review.opendev.org/q/topic:bp%252Fpolicy-service-role-default [5] https://review.opendev.org/q/topic:%22New-Location-Apis%22 Related-Bug: #2051837 Change-Id: I048402c2247188cf57f35437f557f84ac25d4ff2

Add service role to ironic service users
600e9124 · Bartosz Bezak · 121aa3d2 · 600e9124 · 600e9124 · 600e9124
Commit 600e9124 authored 1 year ago by Bartosz Bezak
--- a/ansible/roles/ironic/defaults/main.yml
+++ b/ansible/roles/ironic/defaults/main.yml
@@ -364,6 +364,14 @@ ironic_ks_users:
    password: "{{ ironic_inspector_keystone_password }}"
    role: "admin"

+ironic_ks_user_roles:
+  - project: "service"
+    user: "{{ ironic_keystone_user }}"
+    role: "service"
+  - project: "service"
+    user: "{{ ironic_inspector_keystone_user }}"
+    role: "service"
+
 ####################
 # TLS
 ####################

--- a/ansible/roles/ironic/tasks/register.yml
+++ b/ansible/roles/ironic/tasks/register.yml
@@ -5,3 +5,4 @@
    service_ks_register_auth: "{{ openstack_ironic_auth }}"
    service_ks_register_services: "{{ ironic_ks_services }}"
    service_ks_register_users: "{{ ironic_ks_users }}"
+    service_ks_register_user_roles: "{{ ironic_ks_user_roles }}"
--- a/ansible/roles/ironic/tasks/upgrade.yml
+++ b/ansible/roles/ironic/tasks/upgrade.yml
@@ -32,3 +32,10 @@

 - include_tasks: legacy_upgrade.yml
  when: not ironic_enable_rolling_upgrade | bool
+
+# TODO(bbezak): Remove this task in the Dalmatian cycle.
+- import_role:
+    name: service-ks-register
+  vars:
+    service_ks_register_auth: "{{ openstack_ironic_auth }}"
+    service_ks_register_user_roles: "{{ ironic_ks_user_roles }}"
--- a/releasenotes/notes/ironic-service-role-7901cc0686e8e2ba.yaml
+++ b/releasenotes/notes/ironic-service-role-7901cc0686e8e2ba.yaml
+---
+features:
+  - |
+    Add the service role to ironic service users. Ironic recently enforced
+    new policy validation and added service role support.