From 600e912400ab8b52ca422f007f63da9d4fcc0a69 Mon Sep 17 00:00:00 2001
From: Bartosz Bezak
Date: Fri, 9 Feb 2024 15:00:24 +0100
Subject: [PATCH] Add service role to ironic service users
Add the service role to ironic service users. Ironic recently enforced new policy validation as part of the RBAC efforts. [1][2] Service user support was also added to Ironic. [3] Admin role needs to stay as not all services added service role support. [4][5]
[1] https://review.opendev.org/c/openstack/ironic/+/902009
[2] https://opendev.org/openstack/governance/src/commit/e2a47de10a689a78c31765fd1b020f17c0d3109c/goals/selected/consistent-and-secure-rbac.rst#phase-2
[3] https://review.opendev.org/c/openstack/ironic/+/907148
[4] https://review.opendev.org/q/topic:bp%252Fpolicy-service-role-default
[5] https://review.opendev.org/q/topic:%22New-Location-Apis%22
Related-Bug: #2051837
Change-Id: I048402c2247188cf57f35437f557f84ac25d4ff2
---
 ansible/roles/ironic/defaults/main.yml | 8 ++++++++
 ansible/roles/ironic/tasks/register.yml | 1 +
 ansible/roles/ironic/tasks/upgrade.yml | 7 +++++++
 .../notes/ironic-service-role-7901cc0686e8e2ba.yaml | 5 +++++
 4 files changed, 21 insertions(+)
 create mode 100644 releasenotes/notes/ironic-service-role-7901cc0686e8e2ba.yaml
diff --git a/ansible/roles/ironic/defaults/main.yml b/ansible/roles/ironic/defaults/main.yml
index 2cbdf834ed..1181cf4297 100644
--- a/ansible/roles/ironic/defaults/main.yml
+++ b/ansible/roles/ironic/defaults/main.yml
@@ -364,6 +364,14 @@ ironic_ks_users:
 password: "{{ ironic_inspector_keystone_password }}"
 role: "admin"
+ironic_ks_user_roles:
+ - project: "service"
+ user: "{{ ironic_keystone_user }}"
+ role: "service"
+ - project: "service"
+ user: "{{ ironic_inspector_keystone_user }}"
+ role: "service"
+
 ####################
 # TLS
 ####################
diff --git a/ansible/roles/ironic/tasks/register.yml b/ansible/roles/ironic/tasks/register.yml
index 5d19d89b99..c101c8d731 100644
--- a/ansible/roles/ironic/tasks/register.yml
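Review bot: The new `ironic_ks_user_roles` list grants the `service` role while the `ironic_ks_users` entries directly above it still carry `role: "admin"`, and nothing in main.yml records that keeping admin is a transitional measure — that reasoning exists only in the commit message. A later maintainer reading the defaults has no cue to remove the admin assignment once the consuming services honour the service role, which is the least-privilege follow-up this change is working towards. I'd add a comment above the new list: `# NOTE: ironic_ks_users still grant admin; drop it once all services accept the service role.` The inspector entry mirrors the inspector user in `ironic_ks_users`, so it presumably shares whatever enable condition that list is subject to — worth confirming, since that condition is not visible in this hunk.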
+++ b/ansible/roles/ironic/tasks/register.yml
@@ -5,3 +5,4 @@
 service_ks_register_auth: "{{ openstack_ironic_auth }}"
 service_ks_register_services: "{{ ironic_ks_services }}"
 service_ks_register_users: "{{ ironic_ks_users }}"
+ service_ks_register_user_roles: "{{ ironic_ks_user_roles }}"
diff --git a/ansible/roles/ironic/tasks/upgrade.yml b/ansible/roles/ironic/tasks/upgrade.yml
index 0e020b9df0..8d8094b323 100644
--- a/ansible/roles/ironic/tasks/upgrade.yml
+++ b/ansible/roles/ironic/tasks/upgrade.yml
@@ -32,3 +32,10 @@
 - include_tasks: legacy_upgrade.yml
 when: not ironic_enable_rolling_upgrade | bool
+
+# TODO(bbezak): Remove this task in the Dalmatian cycle.
+- import_role:
+ name: service-ks-register
+ vars:
+ service_ks_register_auth: "{{ openstack_ironic_auth }}"
+ service_ks_register_user_roles: "{{ ironic_ks_user_roles }}"
diff --git a/releasenotes/notes/ironic-service-role-7901cc0686e8e2ba.yaml b/releasenotes/notes/ironic-service-role-7901cc0686e8e2ba.yaml
new file mode 100644
index 0000000000..dbf894f019
--- /dev/null
+++ b/releasenotes/notes/ironic-service-role-7901cc0686e8e2ba.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Add the service role to ironic service users. Ironic recently enforced
+ new policy validation and added service role support.
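Review bot: In upgrade.yml the new `import_role` is appended after the `legacy_upgrade.yml` include (and, presumably, after the rolling-upgrade path that sits above this hunk), so the service role is only assigned once the Ironic containers are already running the release whose policy enforcement this change is reacting to; if those policies reject callers that lack the service role, requests from the inspector user fail in the window between the container restart and this task. Moving the role assignment to the top of upgrade.yml, ahead of both upgrade paths, closes that window and is safe because role assignment is idempotent and register.yml already grants the same roles on the deploy path. The task also relies on service-ks-register treating `service_ks_register_services` and `service_ks_register_users` as empty when unset, so that only roles are touched here — that role's defaults are not in this diff and should be checked. The enclosing task list begins outside the hunk.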