Support service tokens

Implement support for service_tokens. For that we convert
role_name to be a list along with renaming corresponding variable.

Additionally service_type is defined now for keystone_authtoken which
enables to validate tokens with restricted access rules

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: I8cd6c47c64601089173671652a463ecc291d8ca1

defaults/main.yml

@@ -125,7 +125,12 @@ octavia_lock_dir: "{{ openstack_lock_dir | default('/run/lock') }}"
 octavia_service_region: "{{ service_region | default('RegionOne') }}"
 octavia_service_project_name: "service"
 octavia_service_user_name: "octavia"
-octavia_service_role_name: admin
+octavia_service_role_names:
+  - admin
+  - service
+octavia_service_token_roles:
+  - service
+octavia_service_token_roles_required: "{{ openstack_service_token_roles_required | default(True) }}"
 octavia_service_project_domain_id: default
 octavia_service_user_domain_id: default
 octavia_keystone_auth_plugin: "{{ octavia_keystone_auth_type }}"

tasks/main.yml

@@ -186,7 +186,7 @@
     _service_users:
       - name: "{{ octavia_service_user_name }}"
         password: "{{ octavia_service_password }}"
-        role: "{{ octavia_service_role_name }}"
+        role: "{{ octavia_service_role_names }}"
       - role: load-balancer_observer
       - role: load-balancer_global_observer
       - role: load-balancer_member

templates/octavia.conf.j2

@@ -58,8 +58,9 @@ auth_type = password
 endpoint_type = {{ octavia_clients_endpoint }}
 memcached_servers = {{ octavia_memcached_servers }}
 token_cache_time = 300
-service_token_roles = "{{ octavia_service_role_name }}"
-service_token_roles_required = True
+service_token_roles = "{{ octavia_service_token_roles | join(',') }}"
+service_token_roles_required = {{ octavia_service_token_roles_required | bool }}
+service_type = {{ octavia_service_type }}
 
 # if your memcached server is shared, use these settings to avoid cache poisoning
 memcache_security_strategy = ENCRYPT