Add support for using service tokens

This patch configures ironic-conductor to send a service token along with the received user token on requests to other services. This allow those other services to accept the request even if the user token has been invalidated since received by Ironic. Also with this patch Ironic will accept request from other services with invalid user tokens but valid service tokens. Update src/build.lock to get backported patches into charm-helpers@stable/antelope Closes-Bug: #1992840 Change-Id: Ie94b5ce9ba9d015a31a78bb71ce7ca786377d6d9 (cherry picked from commit c7dda3f3a8)
2023-06-07 15:19:56 -04:00 · 2023-06-07 15:19:56 -04:00 · 2af6acd1a7
parent 0c3b72e911
commit 2af6acd1a7
3 changed files with 6 additions and 2 deletions
--- a/src/build.lock
+++ b/src/build.lock
@ -321,7 +321,7 @@
      "package": "charmhelpers",
      "url": "git+https://github.com/juju/charm-helpers.git",
      "branch": "stable/antelope",
-      "version": "b9444c20fdf3dc938790ed208cd1053b60055590",
+      "version": "837a8b58737d19e114ac7ac66f917101b2c01b04",
      "vcs": "git"
    },
    {
@ -447,4 +447,4 @@
      "version": "6.1.0"
    }
  ]
-}
+}
--- a/src/templates/parts/keystone-authtoken
+++ b/src/templates/parts/keystone-authtoken
@ -33,4 +33,6 @@ signing_dir = {{ identity_credentials.signing_dir }}
 {% if options.use_memcache == true -%}
 memcached_servers = {{ options.memcache_url }}
 {% endif -%}
+service_token_roles = {{ identity_credentials.admin_role }}
+service_token_roles_required = True
 {% endif -%}
--- a/src/templates/train/ironic.conf
+++ b/src/templates/train/ironic.conf
@ -28,6 +28,8 @@ transport_url = {{ amqp.transport_url }}

 {% include "parts/keystone-authtoken" %}

+{% include "section-service-user" %}
+
 [database]
 {% include "parts/database" %}