Support service tokens

Implement support for service_tokens. For that we convert role_name to be a list along with renaming corresponding variable. Additionally service_type is defined now for keystone_authtoken which enables to validate tokens with restricted access rules Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690 Change-Id: Icb1de8c7e0a5196a4df457a5d4a3ca524d4622d0
2022-06-15 17:53:38 +02:00 · 2022-06-15 17:53:38 +02:00 · b6d15a95cb
parent 2d98ac9ec7
commit b6d15a95cb
3 changed files with 14 additions and 12 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -30,8 +30,6 @@ cloudkitty_service_setup_host_python_interpreter: "{{ openstack_service_setup_ho
 cloudkitty_package_state: "{{ package_state | default('latest') }}"
 cloudkitty_pip_package_state: "latest"

-cloudkitty_service_user_name: cloudkitty
-
 ## Oslo Messaging info

 # RPC
@ -79,13 +77,16 @@ cloudkitty_git_constraints:

 cloudkitty_notification_topics: notifications
 cloudkitty_collector: gnocchi
+cloudkitty_service_user_name: cloudkitty
 cloudkitty_service_project_domain_id: default
 cloudkitty_service_project_name: "service"
 cloudkitty_service_user_domain_id: default
 cloudkitty_service_in_ldap: "{{ service_ldap_backend_enabled | default(False) }}"
-cloudkitty_service_role_name: "admin"
-cloudkitty_system_service_name: "cloudkitty-api"
-
+cloudkitty_service_role_names:
+  - admin
+  - rating
+  - service
+cloudkitty_service_token_roles_required: "{{ openstack_service_token_roles_required | default(True) }}"
 cloudkitty_keystone_auth_plugin: password
 cloudkitty_output_backend: cloudkitty.backend.file.FileBackend
 cloudkitty_output_pipeline: osrf
@ -114,6 +115,8 @@ cloudkitty_uwsgi_bind_address: "{{ openstack_service_bind_address | default('0.0
 ## Service Type and Data
 cloudkitty_service_region: "{{ service_region | default('RegionOne') }}"
 cloudkitty_service_name: cloudkitty
+cloudkitty_service_type: rating
+cloudkitty_service_description: "OpenStack Rating Service"
 cloudkitty_service_port: 8089
 cloudkitty_service_proto: http
 cloudkitty_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(cloudkitty_service_proto) }}"
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -140,9 +140,7 @@
    _service_users:
      - name: "{{ cloudkitty_service_user_name }}"
        password: "{{ cloudkitty_service_password }}"
-        role: "rating"
-      - name: "{{ cloudkitty_service_user_name }}"
-        role: "{{ cloudkitty_service_role_name }}"
+        role: "{{ cloudkitty_service_role_names }}"
    _service_endpoints:
      - service: "{{ cloudkitty_service_name }}"
        interface: "public"
@ -155,8 +153,8 @@
        url: "{{ cloudkitty_service_adminurl }}"
    _service_catalog:
      - name: "{{ cloudkitty_service_name }}"
-        type: "rating"
-        description: "OpenStack Rating Service"
+        type: "{{ cloudkitty_service_type }}"
+        description: "{{ cloudkitty_service_description }}"
  when: _cloudkitty_is_first_play_host
  tags:
    - always
--- a/templates/cloudkitty.conf.j2
+++ b/templates/cloudkitty.conf.j2
@ -47,8 +47,9 @@ username = {{ cloudkitty_service_user_name }}
 auth_url = {{ keystone_service_adminurl }}
 auth_type = {{ cloudkitty_keystone_auth_plugin }}
 region_name = {{ cloudkitty_service_region }}
-service_token_roles_required = True
-service_token_roles = {{ cloudkitty_service_role_name }}
+service_token_roles_required = {{ cloudkitty_service_token_roles_required | bool }}
+service_token_roles = {{ cloudkitty_service_role_names | join(',') }}
+service_type = {{ cloudkitty_service_type }}

 [oslo_messaging_amqp]