Drop heat_stack_owner role

this role is not actually required since ~Kilo
I3f1b70b78b91bfac9af5fadb71140679b208c999
plus the heat chart already sets the trusts_delegated_roles option
for Heat to pass all roles to the trust

Change-Id: Icf900f318d3173d63c5967857d96f7d2a7f9aa5b

heat/values.yaml

@@ -572,13 +572,10 @@ bootstrap:
   enabled: true
   ks_user: admin
   script: |
-    #NOTE(portdirect): required for all users who operate heat stacks
-    openstack role create --or-show heat_stack_owner
-
     #NOTE(portdirect): The Orchestration service automatically assigns the
     # 'heat_stack_user' role to users that it creates during stack deployment.
     # By default, this role restricts API operations. To avoid conflicts, do
-    # not add this role to users with the heat_stack_owner role.
+    # not add this role to actual users.
     openstack role create --or-show heat_stack_user
 
 dependencies:
@@ -766,9 +763,7 @@ endpoints:
         user_domain_name: default
         project_domain_name: default
       heat:
-        role:
+        role: admin
-          - admin
-          - heat_stack_owner
         region_name: RegionOne
         username: heat
         password: password

keystone/values.yaml

@@ -64,15 +64,6 @@ bootstrap:
           --project="${OS_PROJECT_NAME}" \
           "member"
 
-    #NOTE(portdirect): required for all users who operate heat stacks
-    openstack role create --or-show heat_stack_owner
-    openstack role add \
-          --user="${OS_USERNAME}" \
-          --user-domain="${OS_USER_DOMAIN_NAME}" \
-          --project-domain="${OS_PROJECT_DOMAIN_NAME}" \
-          --project="${OS_PROJECT_NAME}" \
-          "heat_stack_owner"
-
 network:
   api:
     ingress: