Use service token in nova's requests

This patch makes Nova send service tokens to other OpenStack services and tells Cinder to expect and validate them. This is necessary because in the recent CVE fix it has become mandatory for Nova to send service tokens to Cinder to be able to detach volumes. Related-Bug: #2004555 Change-Id: Ib39ec8738f56b381d9fe22f41c54b14e796a66c3 (cherry picked from commit b78f3fc900) (cherry picked from commit e3254f12b7)
2023-05-19 11:12:37 +02:00
parent e178750035
commit eda5657133
2 changed files with 15 additions and 6 deletions
--- a/manifests/cinder.pp
+++ b/manifests/cinder.pp
@@ -88,12 +88,13 @@ class openstack_integration::cinder (
    amqp_sasl_mechanisms       => 'PLAIN',
  }
  class { 'cinder::keystone::authtoken':
-    password             => 'a_big_secret',
-    user_domain_name     => 'Default',
-    project_domain_name  => 'Default',
-    auth_url             => $::openstack_integration::config::keystone_admin_uri,
-    www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
-    memcached_servers    => $::openstack_integration::config::memcached_servers,
+    password                     => 'a_big_secret',
+    user_domain_name             => 'Default',
+    project_domain_name          => 'Default',
+    auth_url                     => $::openstack_integration::config::keystone_admin_uri,
+    www_authenticate_uri         => $::openstack_integration::config::keystone_auth_uri,
+    memcached_servers            => $::openstack_integration::config::memcached_servers,
+    service_token_roles_required => true,
  }
  class { 'cinder::api':
    default_volume_type => 'BACKEND_1',
--- a/manifests/nova.pp
+++ b/manifests/nova.pp
@@ -88,6 +88,7 @@ class openstack_integration::nova (
    public_url   => "${::openstack_integration::config::base_url}:8774/v2.1",
    internal_url => "${::openstack_integration::config::base_url}:8774/v2.1",
    admin_url    => "${::openstack_integration::config::base_url}:8774/v2.1",
+    roles        => ['admin', 'service'],
    password     => 'a_big_secret',
  }
  class { 'nova::keystone::authtoken':
@@ -98,6 +99,13 @@ class openstack_integration::nova (
    www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
    memcached_servers    => $::openstack_integration::config::memcached_servers,
  }
+  class { 'nova::keystone::service_user':
+    send_service_user_token => true,
+    password                => 'a_big_secret',
+    user_domain_name        => 'Default',
+    project_domain_name     => 'Default',
+    auth_url                => $::openstack_integration::config::keystone_admin_uri,
+  }
  class { 'nova::logging':
    debug => true,
  }