Add support for using service tokens

This patch configures ironic-conductor to send a service token along
with the received user token on requests to other services. This allow
those other services to accept the request even if the user token has
been invalidated since received by Ironic. Also with this patch Ironic
will accept request from other services with invalid user tokens but
valid service tokens.

Closes-Bug: #1992840
Change-Id: Ie94b5ce9ba9d015a31a78bb71ce7ca786377d6d9
(cherry picked from commit c7dda3f3a8)

src/templates/parts/keystone-authtoken

@@ -33,4 +33,6 @@ signing_dir = {{ identity_credentials.signing_dir }}
 {% if options.use_memcache == true -%}
 memcached_servers = {{ options.memcache_url }}
 {% endif -%}
+service_token_roles = {{ identity_credentials.admin_role }}
+service_token_roles_required = True
 {% endif -%}

src/templates/train/ironic.conf

@@ -28,6 +28,8 @@ transport_url = {{ amqp.transport_url }}
 
 {% include "parts/keystone-authtoken" %}
 
+{% include "section-service-user" %}
+
 [database]
 {% include "parts/database" %}