Support service tokens

Implement support for service_tokens. For that we convert
role_name to be a list along with renaming corresponding variable.

Additionally service_type is defined now for keystone_authtoken which
enables to validate tokens with restricted access rules

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: Iaed7f2b4a724aed0f4165e32f3d40aac9d74edd7

defaults/main.yml

@@ -114,7 +114,12 @@ gnocchi_keystone_auth_plugin: "{{ gnocchi_keystone_auth_type }}"
 gnocchi_keystone_auth_type: password
 gnocchi_service_region: "{{ service_region | default('RegionOne') }}"
 gnocchi_service_user_name: gnocchi
-gnocchi_role_name: admin
+gnocchi_service_role_names:
+  - admin
+  - service
+gnocchi_service_token_roles:
+  - service
+gnocchi_service_token_roles_required: "{{ openstack_service_token_roles_required | default(True) }}"
 gnocchi_service_project_name: service
 gnocchi_service_project_domain_id: default
 gnocchi_service_user_domain_id: default

tasks/main.yml

@@ -124,7 +124,7 @@
     _service_users:
       - name: "{{ gnocchi_service_user_name }}"
         password: "{{ gnocchi_service_password }}"
-        role: "{{ gnocchi_role_name }}"
+        role: "{{ gnocchi_service_role_names }}"
     _service_endpoints:
       - service: "{{ gnocchi_service_name }}"
         interface: "public"

templates/gnocchi.conf.j2

@@ -33,6 +33,10 @@ project_name = {{ gnocchi_service_project_name }}
 username = {{ gnocchi_service_user_name }}
 password = {{ gnocchi_service_password }}
 
+service_token_roles_required = {{ gnocchi_service_token_roles_required | bool }}
+service_token_roles = {{ gnocchi_service_token_roles | join(',') }}
+service_type = {{ gnocchi_service_type }}
+
 memcached_servers = {{ gnocchi_memcached_servers }}
 token_cache_time = 300