From e0c095fd7dc3467a487888809690405f131e6f8b Mon Sep 17 00:00:00 2001
From: Matt Crees
Date: Fri, 8 Nov 2024 09:53:47 +0000
Subject: [PATCH] Give ironic-inspector system scope ``all``

The ``ironic-inspector`` service user is now assigned the system scope ``all``. This allows it to create baremetal ports during node inspection again. Default project and domain vars are removed as you cannot combine these with system scope.

Closes-Bug: #2064655
Change-Id: I5e3c29faae4c2531b269c37874ade368c1aab39f
---
 ansible/roles/ironic/defaults/main.yml | 3 +++
 .../roles/ironic/templates/ironic-inspector.conf.j2 | 3 +--
 ...ector-user-system-scope-all-5fe5cb7f9a03ee7b.yaml | 12 ++++++++++++
 3 files changed, 16 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/give-ironic-inspector-user-system-scope-all-5fe5cb7f9a03ee7b.yaml

diff --git a/ansible/roles/ironic/defaults/main.yml b/ansible/roles/ironic/defaults/main.yml
index fdc1966618..44871a2fec 100644
--- a/ansible/roles/ironic/defaults/main.yml
+++ b/ansible/roles/ironic/defaults/main.yml
@@ -371,6 +371,9 @@ ironic_ks_user_roles:
 - project: "service"
 user: "{{ ironic_inspector_keystone_user }}"
 role: "service"
+ - system: "all"
+ user: "{{ ironic_inspector_keystone_user }}"
+ role: "service"

 ####################
 # TLS
diff --git a/ansible/roles/ironic/templates/ironic-inspector.conf.j2 b/ansible/roles/ironic/templates/ironic-inspector.conf.j2
index 115381c45b..caa69e37bd 100644
--- a/ansible/roles/ironic/templates/ironic-inspector.conf.j2
+++ b/ansible/roles/ironic/templates/ironic-inspector.conf.j2
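Review bot: In the ansible/roles/ironic/defaults/main.yml hunk, the new `system: "all"` grant is added next to the existing `project: "service"` grant for `ironic_inspector_keystone_user` rather than replacing it, so the inspector user ends up holding the `service` role at both scopes. The same commit makes ironic-inspector.conf request only a system-scoped token, so the project-scoped entry looks unused by the inspector itself; if nothing else relies on it, dropping it keeps this credential at least privilege, and if it has to stay, the reason should be recorded. A comment above the new entry would help, e.g. `# system scope is needed so inspector can create baremetal ports (LP#2064655)`. The `ironic_ks_user_roles` list starts above the hunk, so other entries for this user are not visible here.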
@@ -29,14 +29,13 @@ rabbit_quorum_queue = true
 {% if ironic_enable_keystone_integration | bool %}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
-project_domain_id = {{ default_project_domain_id }}
 user_domain_id = {{ default_user_domain_id }}
-project_name = service
 username = {{ ironic_inspector_keystone_user }}
 password = {{ ironic_inspector_keystone_password }}
 valid_interfaces = internal
 cafile = {{ openstack_cacert }}
 region_name = {{ openstack_region_name }}
+system_scope = all
 {% else %}
 auth_type = none
 endpoint_override = {{ ironic_internal_endpoint }}
diff --git a/releasenotes/notes/give-ironic-inspector-user-system-scope-all-5fe5cb7f9a03ee7b.yaml b/releasenotes/notes/give-ironic-inspector-user-system-scope-all-5fe5cb7f9a03ee7b.yaml
new file mode 100644
index 0000000000..1ace600946
--- /dev/null
+++ b/releasenotes/notes/give-ironic-inspector-user-system-scope-all-5fe5cb7f9a03ee7b.yaml
@@ -0,0 +1,12 @@
+---
+upgrade:
+ - |
+ The ``ironic-inspector`` service user is now assigned the system scope
+ ``all``. If you have overridden the default list of role assignments, you
+ should make this change too.
+fixes:
+ - |
+ The ``ironic-inspector`` service user is now assigned the system scope
+ ``all``. This allows it to create baremetal ports during node inspection
+ again.
+ `LP#2064655 `__
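Review bot: In the ironic-inspector.conf.j2 hunk, `system_scope = all` is hard-coded with nothing in the template tying it to the role assignment it depends on. Keystone issues a system-scoped token only to a user that holds a system role assignment, so a deployment that overrides `ironic_ks_user_roles` without the new `system: "all"` entry will presumably fail to authenticate after this change; the release note says so, but the template does not. Consider a Jinja comment beside the option, e.g. `{# requires a system "all" role assignment for this user in ironic_ks_user_roles; cannot be combined with project_name/project_domain_id #}`. The enclosing config section header is above the hunk.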