Use service tokens in ironic

Change-Id: I738f605182cc7336ca2a363a51f8ae360536d5cc

ironic/Chart.yaml

@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Ironic
 name: ironic
-version: 0.2.17
+version: 0.2.18
 home: https://docs.openstack.org/ironic/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Ironic/OpenStack_Project_Ironic_vertical.png
 sources:

ironic/templates/configmap-etc.yaml

@@ -47,6 +47,32 @@ limitations under the License.
 {{- $_ := set .Values.conf.ironic.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
 {{- end -}}
 
+{{- if .Values.conf.ironic.service_user.send_service_user_token -}}
+
+{{- if empty .Values.conf.ironic.service_user.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.ironic.service_user "auth_url" -}}
+{{- end -}}
+{{- if empty .Values.conf.ironic.service_user.region_name -}}
+{{- $_ := set .Values.conf.ironic.service_user "region_name" .Values.endpoints.identity.auth.ironic.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.ironic.service_user.project_name -}}
+{{- $_ := set .Values.conf.ironic.service_user "project_name" .Values.endpoints.identity.auth.ironic.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.ironic.service_user.project_domain_name -}}
+{{- $_ := set .Values.conf.ironic.service_user "project_domain_name" .Values.endpoints.identity.auth.ironic.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.ironic.service_user.user_domain_name -}}
+{{- $_ := set .Values.conf.ironic.service_user "user_domain_name" .Values.endpoints.identity.auth.ironic.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.ironic.service_user.username -}}
+{{- $_ := set .Values.conf.ironic.service_user "username" .Values.endpoints.identity.auth.ironic.username -}}
+{{- end -}}
+{{- if empty .Values.conf.ironic.service_user.password -}}
+{{- $_ := set .Values.conf.ironic.service_user "password" .Values.endpoints.identity.auth.ironic.password -}}
+{{- end -}}
+
+{{- end -}}
+
 {{- if empty .Values.conf.ironic.database.connection -}}
 {{- $_ := tuple "oslo_db" "internal" "ironic" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.ironic.database "connection" -}}
 {{- end -}}

ironic/values.yaml

@@ -119,6 +119,8 @@ conf:
     inspector:
       auth_type: password
     keystone_authtoken:
+      service_token_roles: service
+      service_token_roles_required: true
       auth_type: password
       auth_version: v3
     neutron:
@@ -136,6 +138,9 @@ conf:
       ipxe_enabled: true
     service_catalog:
       auth_type: password
+    service_user:
+      auth_type: password
+      send_service_user_token: true
     swift:
       auth_url: null
     oslo_policy:
@@ -471,7 +476,7 @@ endpoints:
         user_domain_name: default
         project_domain_name: default
       glance:
-        role: admin
+        role: admin,service
         region_name: RegionOne
         username: glance
         password: password
@@ -479,7 +484,7 @@ endpoints:
         user_domain_name: service
         project_domain_name: service
       ironic:
-        role: admin
+        role: admin,service
         region_name: RegionOne
         username: ironic
         password: password

releasenotes/notes/ironic.yaml

@@ -21,4 +21,5 @@ ironic:
   - 0.2.15 Allow enabling/disabling of conductor http and pxe containers and overriding their init and runtime scripts
   - 0.2.16 Use quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal by default
   - 0.2.17 Allow overriding of hostNetwork and hostIPC for Ironic conductor
+  - 0.2.18 Use service tokens
 ...