Support service tokens

Implement support for service_tokens. For that we convert role_name to be a list along with renaming corresponding variable. Additionally service_type is defined now for keystone_authtoken which enables to validate tokens with restricted access rules Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690 Change-Id: I7eafa6b989a2fd726369b3959b5e6ba024b82274
2022-06-15 18:19:27 +02:00 · 2022-06-15 18:19:27 +02:00 · 50ee7fe8a9
parent 79b0b8e1ee
commit 50ee7fe8a9
3 changed files with 11 additions and 5 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -103,9 +103,6 @@ designate_oslomsg_notify_ssl_ca_file: "{{ oslomsg_notify_ssl_ca_file | default('
 # TODO(ansmith): Change structure when more backends will be supported
 designate_oslomsg_amqp1_enabled: "{{ designate_oslomsg_rpc_transport == 'amqp' }}"

-# Designate services info
-designate_role_name: admin
-
 ## DNS Backend Configuration
 #  Configuration for the DNS backend that Designate will talk to, Designate
 #  supports lots of backends, bind9, powerdns, nsd, djb, dyn, akamai, etc.
@ -166,7 +163,12 @@ designate_service_user_domain_id: default
 designate_service_user_name: designate
 designate_keystone_auth_type: password
 designate_service_project_name: service
-
+designate_service_role_names:
+  - admin
+  - service
+designate_service_token_roles:
+  - service
+designate_service_token_roles_required: "{{ openstack_service_token_roles_required | default(True) }}"
 designate_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(designate_service_proto) }}"
 designate_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(designate_service_proto) }}"
 designate_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(designate_service_proto) }}"
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -144,7 +144,7 @@
    _service_users:
      - name: "{{ designate_service_user_name }}"
        password: "{{ designate_service_password }}"
-        role: "{{ designate_role_name }}"
+        role: "{{ designate_service_role_names }}"
    _service_endpoints:
      - service: "{{ designate_service_name }}"
        interface: "public"
--- a/templates/designate.conf.j2
+++ b/templates/designate.conf.j2
@ -144,6 +144,10 @@ project_name = {{ designate_service_project_name }}
 username = {{ designate_service_user_name }}
 password = {{ designate_service_password }}

+service_token_roles_required = {{ designate_service_token_roles_required | bool }}
+service_token_roles = {{ designate_service_token_roles | join(',') }}
+service_type = {{ designate_service_type }}
+
 memcached_servers = {{ designate_memcached_servers }}

 #-----------------------