Merge "Add service role to ironic service users"

2024-02-19 12:40:03 +00:00 · 2024-02-19 12:40:03 +00:00 · 33129b7554
parent a6fa564499 600e912400
commit 33129b7554
4 changed files with 21 additions and 0 deletions
--- a/ansible/roles/ironic/defaults/main.yml
+++ b/ansible/roles/ironic/defaults/main.yml
@ -364,6 +364,14 @@ ironic_ks_users:
    password: "{{ ironic_inspector_keystone_password }}"
    role: "admin"

+ironic_ks_user_roles:
+  - project: "service"
+    user: "{{ ironic_keystone_user }}"
+    role: "service"
+  - project: "service"
+    user: "{{ ironic_inspector_keystone_user }}"
+    role: "service"
+
 ####################
 # TLS
 ####################
--- a/ansible/roles/ironic/tasks/register.yml
+++ b/ansible/roles/ironic/tasks/register.yml
@ -5,3 +5,4 @@
    service_ks_register_auth: "{{ openstack_ironic_auth }}"
    service_ks_register_services: "{{ ironic_ks_services }}"
    service_ks_register_users: "{{ ironic_ks_users }}"
+    service_ks_register_user_roles: "{{ ironic_ks_user_roles }}"
--- a/ansible/roles/ironic/tasks/upgrade.yml
+++ b/ansible/roles/ironic/tasks/upgrade.yml
@ -32,3 +32,10 @@

 - include_tasks: legacy_upgrade.yml
  when: not ironic_enable_rolling_upgrade | bool
+
+# TODO(bbezak): Remove this task in the Dalmatian cycle.
+- import_role:
+    name: service-ks-register
+  vars:
+    service_ks_register_auth: "{{ openstack_ironic_auth }}"
+    service_ks_register_user_roles: "{{ ironic_ks_user_roles }}"
--- a/releasenotes/notes/ironic-service-role-7901cc0686e8e2ba.yaml
+++ b/releasenotes/notes/ironic-service-role-7901cc0686e8e2ba.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Add the service role to ironic service users. Ironic recently enforced
+    new policy validation and added service role support.