From eda56571332e77443bc1b89fa89a1db1cb7f8ee6 Mon Sep 17 00:00:00 2001
From: Gorka Eguileor
Date: Fri, 19 May 2023 11:12:37 +0200
Subject: [PATCH] Use service token in nova's requests
This patch makes Nova send service tokens to other OpenStack services and tells Cinder to expect and validate them. This is necessary because in the recent CVE fix it has become mandatory for Nova to send service tokens to Cinder to be able to detach volumes.
Related-Bug: #2004555
Change-Id: Ib39ec8738f56b381d9fe22f41c54b14e796a66c3
(cherry picked from commit b78f3fc90012d4efb8d20c368db0517ba4834160)
(cherry picked from commit e3254f12b7525b7224c2d403a1235a80a5b1e6d5)
---
 manifests/cinder.pp | 13 +++++++------
 manifests/nova.pp | 8 ++++++++
 2 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/manifests/cinder.pp b/manifests/cinder.pp
index b8690e2b6..955a2bffa 100644
--- a/manifests/cinder.pp
+++ b/manifests/cinder.pp
@@ -88,12 +88,13 @@ class openstack_integration::cinder (
 amqp_sasl_mechanisms => 'PLAIN',
 }
 class { 'cinder::keystone::authtoken':
- password => 'a_big_secret',
- user_domain_name => 'Default',
- project_domain_name => 'Default',
- auth_url => $::openstack_integration::config::keystone_admin_uri,
- www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
- memcached_servers => $::openstack_integration::config::memcached_servers,
+ password => 'a_big_secret',
+ user_domain_name => 'Default',
+ project_domain_name => 'Default',
+ auth_url => $::openstack_integration::config::keystone_admin_uri,
+ www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
+ memcached_servers => $::openstack_integration::config::memcached_servers,
+ service_token_roles_required => true,
 }
 class { 'cinder::api':
 default_volume_type => 'BACKEND_1',
diff --git a/manifests/nova.pp b/manifests/nova.pp
index f59fc546f..cc57c7ef2 100644
--- a/manifests/nova.pp
+++ b/manifests/nova.pp
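Review bot: `service_token_roles_required => true` is added to `cinder::keystone::authtoken` without a `service_token_roles` value, so whether nova's service tokens are accepted depends on keystonemiddleware's default for that option (presumably `service`) happening to match the roles granted to the nova user in a different manifest; that coupling is invisible from this file. A comment beside the new line would make it explicit, e.g. `# Tokens sent by nova must carry a role listed in service_token_roles (middleware default: 'service'); see roles on nova::keystone::auth`. Pinning it with `service_token_roles => ['service'],` would make the requirement independent of the middleware default. The enclosing class openstack_integration::cinder starts before this hunk and continues after it.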
@@ -88,6 +88,7 @@ class openstack_integration::nova (
 public_url => "${::openstack_integration::config::base_url}:8774/v2.1",
 internal_url => "${::openstack_integration::config::base_url}:8774/v2.1",
 admin_url => "${::openstack_integration::config::base_url}:8774/v2.1",
+ roles => ['admin', 'service'],
 password => 'a_big_secret',
 }
 class { 'nova::keystone::authtoken':
@@ -98,6 +99,13 @@ class openstack_integration::nova (
 www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
 memcached_servers => $::openstack_integration::config::memcached_servers,
 }
+ class { 'nova::keystone::service_user':
+ send_service_user_token => true,
+ password => 'a_big_secret',
+ user_domain_name => 'Default',
+ project_domain_name => 'Default',
+ auth_url => $::openstack_integration::config::keystone_admin_uri,
+ }
 class { 'nova::logging':
 debug => true,
 }
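Review bot: The added `roles => ['admin', 'service']` presumably overrides the class default rather than extending it, and nothing in the hunk says why `service` is now required, so a reader cannot connect it to cinder's `service_token_roles_required` setting in the other file of this patch. Suggest `# 'service' is the role cinder checks on nova's service tokens (service_token_roles_required)` above the line. It is also worth confirming whether `admin` is still needed once the user carries `service`, since keeping both leaves the nova service user with admin rights everywhere it authenticates. The enclosing class openstack_integration::nova starts before this hunk and continues past it.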
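Review bot: `nova::keystone::service_user` is declared with only a password, the two domain names and `auth_url`, so the username and project it authenticates as presumably come from the class defaults, and the hunk gives no hint that these must line up with the user created by `nova::keystone::auth` earlier in the file — the repeated literal `'a_big_secret'` is the only visible link. A short comment would make the dependency explicit, e.g. `# Must match the nova user declared in nova::keystone::auth; its 'service' role is what cinder validates on the service token`. Repeating the password literal in three places in this manifest invites drift; a single local variable would keep the three declarations in sync. The enclosing class continues past the hunk.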