Add cluster-user-trust config option

Clusters created with the option cloud_provider_enabled or
registry_enabled set to true, or volumer_driver set to 'cinder' need
this flag set to True as well to instruct Magnum to assign trust to the
cluster user.

This option defaults to False due to security concerns (see
https://bugs.launchpad.net/bugs/cve/2016-7404 )

[0] https://docs.openstack.org/magnum/latest/user/index.html#cloud-provider-enabled

Closes-Bug: #1996237
Change-Id: I393030fa0da244ba5928482c8ef4e75e53f1a7b3
(cherry picked from commit 29260ddf8a)

src/config.yaml

@@ -50,6 +50,16 @@ options:
     type: string
     default: magnum_domain_admin
     description: Domain admin for the trustee-domain
+  cluster-user-trust:
+    type: boolean
+    default: False
+    description: |
+      Controls whether to assign a trust to the cluster user or not. You will
+      need to set it to True for clusters with volume_driver=cinder or
+      registry_enabled=true in the underlying cluster template to work. This is
+      a potential security risk since the trust gives instances OpenStack API
+      access to the cluster's project. Note that this setting does not affect
+      per-cluster trusts assigned to the Magnum service user.
   cert-manager-type:
     type: string
     default: barbican

src/templates/ussuri/magnum.conf

@@ -84,5 +84,6 @@ driver = messaging
 trustee_domain_name = {{ options.trustee_domain }}
 trustee_domain_admin_name = {{ options.trustee_admin }}
 trustee_domain_admin_password = {{ options.magnum_password }}
+cluster_user_trust = {{ options.cluster_user_trust }}
 
 [x509]