diff --git a/ansible/roles/ironic/defaults/main.yml b/ansible/roles/ironic/defaults/main.yml index 2cbdf834ed..1181cf4297 100644 --- a/ansible/roles/ironic/defaults/main.yml +++ b/ansible/roles/ironic/defaults/main.yml @@ -364,6 +364,14 @@ ironic_ks_users: password: "{{ ironic_inspector_keystone_password }}" role: "admin" +ironic_ks_user_roles: + - project: "service" + user: "{{ ironic_keystone_user }}" + role: "service" + - project: "service" + user: "{{ ironic_inspector_keystone_user }}" + role: "service" + #################### # TLS #################### diff --git a/ansible/roles/ironic/tasks/register.yml b/ansible/roles/ironic/tasks/register.yml index 5d19d89b99..c101c8d731 100644 --- a/ansible/roles/ironic/tasks/register.yml +++ b/ansible/roles/ironic/tasks/register.yml @@ -5,3 +5,4 @@ service_ks_register_auth: "{{ openstack_ironic_auth }}" service_ks_register_services: "{{ ironic_ks_services }}" service_ks_register_users: "{{ ironic_ks_users }}" + service_ks_register_user_roles: "{{ ironic_ks_user_roles }}" diff --git a/ansible/roles/ironic/tasks/upgrade.yml b/ansible/roles/ironic/tasks/upgrade.yml index 0e020b9df0..8d8094b323 100644 --- a/ansible/roles/ironic/tasks/upgrade.yml +++ b/ansible/roles/ironic/tasks/upgrade.yml @@ -32,3 +32,10 @@ - include_tasks: legacy_upgrade.yml when: not ironic_enable_rolling_upgrade | bool + +# TODO(bbezak): Remove this task in the Dalmatian cycle. +- import_role: + name: service-ks-register + vars: + service_ks_register_auth: "{{ openstack_ironic_auth }}" + service_ks_register_user_roles: "{{ ironic_ks_user_roles }}" diff --git a/releasenotes/notes/ironic-service-role-7901cc0686e8e2ba.yaml b/releasenotes/notes/ironic-service-role-7901cc0686e8e2ba.yaml new file mode 100644 index 0000000000..dbf894f019 --- /dev/null +++ b/releasenotes/notes/ironic-service-role-7901cc0686e8e2ba.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + Add the service role to ironic service users. Ironic recently enforced + new policy validation and added service role support.