From 9cd4e6c4ff3edfc7d38995a2ba9f1fc54cb17ded Mon Sep 17 00:00:00 2001
From: Takashi Kajinami <tkajinam@redhat.com>
Date: Sat, 18 Jan 2020 21:12:59 +0900
Subject: [PATCH] Assign service role for ironic user

We expect service role is assigned to a user who use service
user token feature.

Currently ironic uses it to communicate with glance, so we
should assign the role to ironic user in keystone identity.

Change-Id: Ib6836a7593d165466be34c63a20463a3b7b817a8
---
 deployment/ironic/ironic-api-container-puppet.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/deployment/ironic/ironic-api-container-puppet.yaml b/deployment/ironic/ironic-api-container-puppet.yaml
index 20df207e05..5ddd1d04e4 100644
--- a/deployment/ironic/ironic-api-container-puppet.yaml
+++ b/deployment/ironic/ironic-api-container-puppet.yaml
@@ -113,6 +113,9 @@ outputs:
             admin: {get_param: [EndpointMap, IronicAdmin, uri_no_suffix]}
           users:
             ironic:
+              roles:
+               - admin
+               - service
               password: {get_param: IronicPassword}
           region: {get_param: KeystoneRegion}
           service: 'baremetal'