From 1ef765f69044abae1b838b261481f420a4007121 Mon Sep 17 00:00:00 2001
From: Michal Nasiadka <mnasiadka@gmail.com>
Date: Thu, 8 Feb 2024 12:01:20 +0100
Subject: [PATCH] cinder: Stop using admin service token

In order to do this, we need to add the service role to Nova and Cinder.

Closes-Bug: #2049762

Change-Id: Ic121bf9f90c9865cd4d08890c80247570ef310ae
---
 ansible/roles/cinder/defaults/main.yml        | 5 +++++
 ansible/roles/cinder/tasks/register.yml       | 1 +
 ansible/roles/cinder/tasks/upgrade.yml        | 7 +++++++
 ansible/roles/cinder/templates/cinder.conf.j2 | 1 -
 ansible/roles/nova/defaults/main.yml          | 5 +++++
 ansible/roles/nova/tasks/register.yml         | 1 +
 ansible/roles/nova/tasks/upgrade.yml          | 7 +++++++
 7 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/ansible/roles/cinder/defaults/main.yml b/ansible/roles/cinder/defaults/main.yml
index 361d3961f2..dbeb27389c 100644
--- a/ansible/roles/cinder/defaults/main.yml
+++ b/ansible/roles/cinder/defaults/main.yml
@@ -346,6 +346,11 @@ cinder_ks_users:
     password: "{{ cinder_keystone_password }}"
     role: "admin"
 
+cinder_ks_user_roles:
+  - project: "service"
+    user: "{{ cinder_keystone_user }}"
+    role: "service"
+
 ####################
 # TLS
 ####################
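Review bot: Nothing in the patch creates the `service` Keystone role that `cinder_ks_user_roles` (and `nova_ks_user_roles` in the nova defaults hunk) assigns, so the assignment relies on the role already existing — either created by keystone bootstrap or by service-ks-register, neither of which is visible here. If the role-assignment task does not create missing roles, an upgrade of a deployment bootstrapped before that role existed would fail at this step, so it is worth confirming or creating the role explicitly. A short comment above the new variable would also record why the extra assignment exists, e.g. `# Grants the "service" role so service-to-service tokens satisfy cinder's service_token_roles check (see cinder.conf.j2).`.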
diff --git a/ansible/roles/cinder/tasks/register.yml b/ansible/roles/cinder/tasks/register.yml
index 86511bc411..d090b30d8e 100644
--- a/ansible/roles/cinder/tasks/register.yml
+++ b/ansible/roles/cinder/tasks/register.yml
@@ -5,3 +5,4 @@
     service_ks_register_auth: "{{ openstack_cinder_auth }}"
     service_ks_register_services: "{{ cinder_ks_services }}"
     service_ks_register_users: "{{ cinder_ks_users }}"
+    service_ks_register_user_roles: "{{ cinder_ks_user_roles }}"
diff --git a/ansible/roles/cinder/tasks/upgrade.yml b/ansible/roles/cinder/tasks/upgrade.yml
index a402d547c1..e12f771598 100644
--- a/ansible/roles/cinder/tasks/upgrade.yml
+++ b/ansible/roles/cinder/tasks/upgrade.yml
@@ -10,6 +10,13 @@
 
 - import_tasks: check-containers.yml
 
+# TODO(bbezak): Remove this task in the Dalmatian cycle.
+- import_role:
+    name: service-ks-register
+  vars:
+    service_ks_register_auth: "{{ openstack_cinder_auth }}"
+    service_ks_register_user_roles: "{{ cinder_ks_user_roles }}"
+
 - name: Flush handlers
   meta: flush_handlers
 
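Review bot: The new `import_role` task at the top of the hunk has no `name:`, unlike the sibling `Flush handlers` task, so play output will only show the imported role; I'd add `- name: Grant the service role to the cinder service user` above `import_role:` (the parallel task added in nova/tasks/upgrade.yml has the same gap). The TODO says when to remove the task but not why it is here; extending it to `# TODO(bbezak): Remove this task in the Dalmatian cycle. Grants the service role to existing deployments, which presumably do not re-run register.yml on upgrade.` would make the intent clear to whoever removes it. Running the assignment before `Flush handlers` is the right order, since the role must exist before the containers restart with the config that requires it.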
diff --git a/ansible/roles/cinder/templates/cinder.conf.j2 b/ansible/roles/cinder/templates/cinder.conf.j2
index 69cde541a3..9f074d1baf 100644
--- a/ansible/roles/cinder/templates/cinder.conf.j2
+++ b/ansible/roles/cinder/templates/cinder.conf.j2
@@ -116,7 +116,6 @@ service_type = volume
 # see: https://security.openstack.org/ossa/OSSA-2023-003.html
 # and: https://docs.openstack.org/cinder/zed/configuration/block-storage/service-token.html#troubleshooting
 service_token_roles_required = true
-service_token_roles = admin
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
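Review bot: With `service_token_roles = admin` removed and `service_token_roles_required = true` kept, the roles accepted on incoming service tokens are now whatever keystonemiddleware's default for `service_token_roles` is (the "service" role in the versions I know), which is why the new role assignments exist, but the template no longer records this dependency. I'd add, after the `service_token_roles_required` line, `# service_token_roles is left unset so keystonemiddleware's default ("service") applies; that role is granted via cinder_ks_user_roles / nova_ks_user_roles.`. There is also an upgrade-ordering consideration: Cinder validates the roles on tokens sent by Nova, so if cinder's containers pick up this config before nova's upgrade tasks have granted the Nova service user the role, Nova's service-token requests to Cinder would be rejected until then; whether that window exists depends on the play order, which is not visible here.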
diff --git a/ansible/roles/nova/defaults/main.yml b/ansible/roles/nova/defaults/main.yml
index e8cfcb5b07..444603ddee 100644
--- a/ansible/roles/nova/defaults/main.yml
+++ b/ansible/roles/nova/defaults/main.yml
@@ -247,6 +247,11 @@ nova_ks_users:
     password: "{{ nova_keystone_password }}"
     role: "admin"
 
+nova_ks_user_roles:
+  - project: "service"
+    user: "{{ nova_keystone_user }}"
+    role: "service"
+
 ####################
 # Notification
 ####################
diff --git a/ansible/roles/nova/tasks/register.yml b/ansible/roles/nova/tasks/register.yml
index a9c7cfaf61..c902fec305 100644
--- a/ansible/roles/nova/tasks/register.yml
+++ b/ansible/roles/nova/tasks/register.yml
@@ -5,3 +5,4 @@
     service_ks_register_auth: "{{ openstack_nova_auth }}"
     service_ks_register_services: "{{ nova_ks_services }}"
     service_ks_register_users: "{{ nova_ks_users }}"
+    service_ks_register_user_roles: "{{ nova_ks_user_roles }}"
diff --git a/ansible/roles/nova/tasks/upgrade.yml b/ansible/roles/nova/tasks/upgrade.yml
index 88fdb63c5e..f60489f4a0 100644
--- a/ansible/roles/nova/tasks/upgrade.yml
+++ b/ansible/roles/nova/tasks/upgrade.yml
@@ -1,4 +1,11 @@
 ---
+# TODO(bbezak): Remove this task in the Dalmatian cycle.
+- import_role:
+    name: service-ks-register
+  vars:
+    service_ks_register_auth: "{{ openstack_nova_auth }}"
+    service_ks_register_user_roles: "{{ nova_ks_user_roles }}"
+
 - name: Run Nova upgrade checks
   become: true
   vars: