Add support for using service tokens

This patch configures ironic-conductor to send a service token along with the received user token on requests to other services. This allow those other services to accept the request even if the user token has been invalidated since received by Ironic. Also with this patch Ironic will accept request from other services with invalid user tokens but valid service tokens. Update src/build.lock to get backported patches into charm-helpers@stable/zed Closes-Bug: #1992840 Change-Id: Ie94b5ce9ba9d015a31a78bb71ce7ca786377d6d9 (cherry picked from commit c7dda3f3a8)
2023-06-07 15:19:56 -04:00 · 2023-06-07 15:19:56 -04:00 · aa73b57b9c
parent e19cc9410d
commit aa73b57b9c
3 changed files with 5 additions and 1 deletions
--- a/src/build.lock
+++ b/src/build.lock
@ -417,7 +417,7 @@
      "package": "charmhelpers",
      "url": "git+https://github.com/juju/charm-helpers.git",
      "branch": "stable/zed",
-      "version": "4f884fa39609e55a04348a44baa6b0ac3336bd08",
+      "version": "ab5dfd7973375500da59122b14fabab376a705c6",
      "vcs": "git"
    },
    {
--- a/src/templates/parts/keystone-authtoken
+++ b/src/templates/parts/keystone-authtoken
@ -33,4 +33,6 @@ signing_dir = {{ identity_credentials.signing_dir }}
 {% if options.use_memcache == true -%}
 memcached_servers = {{ options.memcache_url }}
 {% endif -%}
+service_token_roles = {{ identity_credentials.admin_role }}
+service_token_roles_required = True
 {% endif -%}
--- a/src/templates/train/ironic.conf
+++ b/src/templates/train/ironic.conf
@ -28,6 +28,8 @@ transport_url = {{ amqp.transport_url }}

 {% include "parts/keystone-authtoken" %}

+{% include "section-service-user" %}
+
 [database]
 {% include "parts/database" %}