From f2b4c4b6540752e8de1b9f2b8d04c5e2f1b59a98 Mon Sep 17 00:00:00 2001
From: Felipe Reyes
Date: Wed, 7 Jun 2023 15:19:56 -0400
Subject: [PATCH] Add support for using service tokens

This patch configures ironic-conductor to send a service token along with the received user token on requests to other services. This allow those other services to accept the request even if the user token has been invalidated since received by Ironic. Also with this patch Ironic will accept request from other services with invalid user tokens but valid service tokens.
Closes-Bug: #1992840
Change-Id: Ie94b5ce9ba9d015a31a78bb71ce7ca786377d6d9
(cherry picked from commit c7dda3f3a8c4b3e5445c727590eb44e4a6482cc3)
---
 src/templates/parts/keystone-authtoken | 2 ++
 src/templates/train/ironic.conf | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/src/templates/parts/keystone-authtoken b/src/templates/parts/keystone-authtoken
index 18d9f87..216b5fd 100644
--- a/src/templates/parts/keystone-authtoken
+++ b/src/templates/parts/keystone-authtoken
@@ -33,4 +33,6 @@ signing_dir = {{ identity_credentials.signing_dir }}
 {% if options.use_memcache == true -%}
 memcached_servers = {{ options.memcache_url }}
 {% endif -%}
+service_token_roles = {{ identity_credentials.admin_role }}
+service_token_roles_required = True
 {% endif -%}
diff --git a/src/templates/train/ironic.conf b/src/templates/train/ironic.conf
index 9389eb1..fd5d663 100644
--- a/src/templates/train/ironic.conf
+++ b/src/templates/train/ironic.conf
@@ -28,6 +28,8 @@ transport_url = {{ amqp.transport_url }}
 {% include "parts/keystone-authtoken" %}
+{% include "section-service-user" %}
+
 [database]
 {% include "parts/database" %}
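Review bot: In `src/templates/parts/keystone-authtoken`, `service_token_roles` is bound to `identity_credentials.admin_role`, so any token carrying the admin role, not only a dedicated service account, counts as a valid service token and can get an otherwise expired user token accepted. keystonemiddleware's default for this option is the narrower `service` role; if the charm's service users can be granted it, that is the least-privilege choice, and if not, a template comment recording why the admin role is used would help the next reviewer. If `admin_role` can be unset on the relation, the line renders empty while `service_token_roles_required = True` stays in force, which would presumably make every service token fail the role check, so consider wrapping both lines in `{% if identity_credentials.admin_role -%}` … `{% endif -%}`. The enclosing `{% if %}` block opens outside this hunk, so the condition under which these options are emitted is not visible here.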
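Review bot: In `src/templates/train/ironic.conf`, the new `{% include "section-service-user" %}` pulls in a template that is not part of this patch, so nothing visible here confirms that it is on the loader path or that it renders nothing when service-user credentials are unavailable. The section presumably carries the service user's password, so it is worth confirming that the charm writes the rendered ironic.conf with restrictive mode and ownership. A one-line template comment above the include would document the intent, for example `{# [service_user] section: credentials sent as the service token alongside the user token #}`.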