Add cluster-user-trust config option

Clusters created with the option cloud_provider_enabled or
registry_enabled set to true, or volumer_driver set to 'cinder' need
this flag set to True as well to instruct Magnum to assign trust to the
cluster user.

This option defaults to False due to security concerns (see
https://bugs.launchpad.net/bugs/cve/2016-7404 )

[0] https://docs.openstack.org/magnum/latest/user/index.html#cloud-provider-enabled

Related-Bug: #1996237
Change-Id: Ia3eea4f2a9565cf9ffd48889b9fc14e83c551644

charms/magnum-k8s/config.yaml

@@ -1,4 +1,14 @@
 options:
+  cluster-user-trust:
+    type: boolean
+    default: False
+    description: |
+      Controls whether to assign a trust to the cluster user or not. You will
+      need to set it to True for clusters with volume_driver=cinder or
+      registry_enabled=true in the underlying cluster template to work. This is
+      a potential security risk since the trust gives instances OpenStack API
+      access to the cluster's project. Note that this setting does not affect
+      per-cluster trusts assigned to the Magnum service user.
   debug:
     default: False
     description: Enable debug logging.

charms/magnum-k8s/src/templates/parts/section-trust

@@ -3,3 +3,4 @@ trustee_domain_name = {{ magnum.domain_name }}
 trustee_domain_admin_name = {{ magnum.domain_admin_user }}
 trustee_domain_admin_password = {{ magnum.domain_admin_password }}
 trustee_keystone_interface = admin
+cluster_user_trust = {{ options.cluster_user_trust }}