cinder: Stop using admin service token

In order to do this - we need to add service role to Nova and Cinder. Closes-Bug: #2049762 Change-Id: Ic121bf9f90c9865cd4d08890c80247570ef310ae
2024-02-08 12:01:20 +01:00 · 2024-02-08 12:01:20 +01:00 · 1ef765f690
commit 1ef765f690
parent 63cf525af5
7 changed files with 26 additions and 1 deletions
--- a/ansible/roles/cinder/defaults/main.yml
+++ b/ansible/roles/cinder/defaults/main.yml
@ -346,6 +346,11 @@ cinder_ks_users:
    password: "{{ cinder_keystone_password }}"
    role: "admin"

+cinder_ks_user_roles:
+  - project: "service"
+    user: "{{ cinder_keystone_user }}"
+    role: "service"
+
 ####################
 # TLS
 ####################
--- a/ansible/roles/cinder/tasks/register.yml
+++ b/ansible/roles/cinder/tasks/register.yml
@ -5,3 +5,4 @@
    service_ks_register_auth: "{{ openstack_cinder_auth }}"
    service_ks_register_services: "{{ cinder_ks_services }}"
    service_ks_register_users: "{{ cinder_ks_users }}"
+    service_ks_register_user_roles: "{{ cinder_ks_user_roles }}"
--- a/ansible/roles/cinder/tasks/upgrade.yml
+++ b/ansible/roles/cinder/tasks/upgrade.yml
@ -10,6 +10,13 @@

 - import_tasks: check-containers.yml

+# TODO(bbezak): Remove this task in the Dalmatian cycle.
+- import_role:
+    name: service-ks-register
+  vars:
+    service_ks_register_auth: "{{ openstack_cinder_auth }}"
+    service_ks_register_user_roles: "{{ cinder_ks_user_roles }}"
+
 - name: Flush handlers
  meta: flush_handlers

--- a/ansible/roles/cinder/templates/cinder.conf.j2
+++ b/ansible/roles/cinder/templates/cinder.conf.j2
@ -116,7 +116,6 @@ service_type = volume
 # see: https://security.openstack.org/ossa/OSSA-2023-003.html
 # and: https://docs.openstack.org/cinder/zed/configuration/block-storage/service-token.html#troubleshooting
 service_token_roles_required = true
-service_token_roles = admin
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
--- a/ansible/roles/nova/defaults/main.yml
+++ b/ansible/roles/nova/defaults/main.yml
@ -247,6 +247,11 @@ nova_ks_users:
    password: "{{ nova_keystone_password }}"
    role: "admin"

+nova_ks_user_roles:
+  - project: "service"
+    user: "{{ nova_keystone_user }}"
+    role: "service"
+
 ####################
 # Notification
 ####################
--- a/ansible/roles/nova/tasks/register.yml
+++ b/ansible/roles/nova/tasks/register.yml
@ -5,3 +5,4 @@
    service_ks_register_auth: "{{ openstack_nova_auth }}"
    service_ks_register_services: "{{ nova_ks_services }}"
    service_ks_register_users: "{{ nova_ks_users }}"
+    service_ks_register_user_roles: "{{ nova_ks_user_roles }}"
--- a/ansible/roles/nova/tasks/upgrade.yml
+++ b/ansible/roles/nova/tasks/upgrade.yml
@ -1,4 +1,11 @@
 ---
+# TODO(bbezak): Remove this task in the Dalmatian cycle.
+- import_role:
+    name: service-ks-register
+  vars:
+    service_ks_register_auth: "{{ openstack_nova_auth }}"
+    service_ks_register_user_roles: "{{ nova_ks_user_roles }}"
+
 - name: Run Nova upgrade checks
  become: true
  vars: