Require usage of service_token_roles

With Yoga we've added `service` role for each service and set it as `service_token_roles`. For upgrade purposes service_token_roles_required was set to False, as otherwise services won't be able to comunicate until upgrade is finished. Now we remove override and require usage of service_token_roles by default. Change-Id: I6e57c26dcae1e1470280dc5988903b79f9cb9b16
2022-09-08 10:07:13 +02:00 · 2022-09-08 10:07:13 +02:00 · 6c396318ed
commit 6c396318ed
parent 32398bf7a1
2 changed files with 8 additions and 3 deletions
--- a/inventory/group_vars/all/keystone.yml
+++ b/inventory/group_vars/all/keystone.yml
@ -40,6 +40,3 @@ keystone_service_publicuri_insecure: False

 keystone_service_publicuri: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}"
 keystone_service_publicurl: "{{ keystone_service_publicuri }}/v3"
-
-# NOTE(noonedeadpunk): Drop variable after Y release. Placed for upgrade purposes only
-openstack_service_token_roles_required: False
--- a/releasenotes/notes/service_token_roles_required-5d0dce2878775b23.yaml
+++ b/releasenotes/notes/service_token_roles_required-5d0dce2878775b23.yaml
@ -0,0 +1,8 @@
+---
+upgrade:
+  - |
+    Since Yoga release ``service`` role is being assigned to all service users.
+    Though, service_token_roles_required was set to ``False`` for upgrade
+    purposes. Now ``service_token_roles_required`` is set to ``True`` by
+    default. If you still want to preserve old behaviour, you can define
+    ``openstack_service_token_roles_required: False`` in your user_variables.