Add support for using service tokens

This patch configures ironic-api to send a service token along with the received user token on requests to other services. This allow those other services to accept the request even if the user token has been invalidated since received by Ironic. Also with this patch Ironic will accept request from other services with invalid user tokens but valid service tokens. Update src/build.lock to get backported patches into charm-helpers@stable/yoga Closes-Bug: #1992840 Change-Id: Ic84e4706b93c38916e89b91dfc30bf32396e5213 (cherry picked from commit 02b7180a6b)
2023-05-24 12:28:36 -04:00 · 2023-05-24 12:28:36 -04:00 · fca3372744
parent 8cb57f07ac
commit fca3372744
3 changed files with 6 additions and 2 deletions
--- a/src/build.lock
+++ b/src/build.lock
@ -225,7 +225,7 @@
      "package": "charmhelpers",
      "url": "git+https://github.com/juju/charm-helpers.git",
      "branch": "refs/heads/stable/yoga",
-      "version": "971ac5117c96bd1cb4a6a520787e4509564da582",
+      "version": "32772ff502e179027f46daaa04729a2f5d49f5e5",
      "vcs": "git"
    },
    {
@ -235,4 +235,4 @@
      "version": "2.0.1"
    }
  ]
-}
+}
--- a/src/templates/parts/keystone-authtoken
+++ b/src/templates/parts/keystone-authtoken
@ -32,4 +32,6 @@ signing_dir = {{ identity_service.signing_dir }}
 {% if options.use_memcache == true -%}
 memcached_servers = {{ options.memcache_url }}
 {% endif -%}
+service_token_roles = {{ identity_service.admin_role }}
+service_token_roles_required = True
 {% endif -%}
--- a/src/templates/train/ironic.conf
+++ b/src/templates/train/ironic.conf
@ -8,6 +8,8 @@ transport_url = {{ amqp.transport_url }}

 {% include "parts/keystone-authtoken" %}

+{% include "section-service-user" %}
+
 [api]
 port = {{ options.service_listen_info.ironic_api.port }}