Add cluster-user-trust config option

Clusters created with the option cloud_provider_enabled or
registry_enabled set to true, or volumer_driver set to 'cinder' need
this flag set to True as well to instruct Magnum to assign trust to the
cluster user.

This option defaults to False due to security concerns (see
https://bugs.launchpad.net/bugs/cve/2016-7404 )

[0] https://docs.openstack.org/magnum/latest/user/index.html#cloud-provider-enabled

Closes-Bug: #1996237
Change-Id: I393030fa0da244ba5928482c8ef4e75e53f1a7b3

src/config.yaml

@@ -50,6 +50,16 @@ options:
     type: string
     default: magnum_domain_admin
     description: Domain admin for the trustee-domain
+  cluster-user-trust:
+    type: boolean
+    default: False
+    description: |
+      Controls whether to assign a trust to the cluster user or not. You will
+      need to set it to True for clusters with volume_driver=cinder or
+      registry_enabled=true in the underlying cluster template to work. This is
+      a potential security risk since the trust gives instances OpenStack API
+      access to the cluster's project. Note that this setting does not affect
+      per-cluster trusts assigned to the Magnum service user.
   cert-manager-type:
     type: string
     default: barbican

src/templates/ussuri/magnum.conf

@@ -84,5 +84,6 @@ driver = messaging
 trustee_domain_name = {{ options.trustee_domain }}
 trustee_domain_admin_name = {{ options.trustee_admin }}
 trustee_domain_admin_password = {{ options.magnum_password }}
+cluster_user_trust = {{ options.cluster_user_trust }}
 
 [x509]