[keystone-k8s] create service account with service role

New role `service` has been introduced in 2023.2. New policy rules make us of this role[1], create any service account with this role by default. 1: https://review.opendev.org/c/openstack/neutron/+/884613 Closes-Bug: #2068037 Change-Id: I455140c6c0e71a864539532d28119c0c2f8ae50a
2024-06-04 20:52:52 +02:00 · 2024-06-04 20:52:52 +02:00 · 573a8e56c2
commit 573a8e56c2
parent 270a99d385
1 changed files with 10 additions and 0 deletions
--- a/charms/keystone-k8s/src/utils/manager.py
+++ b/charms/keystone-k8s/src/utils/manager.py
@ -470,6 +470,8 @@ class KeystoneManager(framework.Object):
            password=password,
            domain=domain,
        )
+        # NOTE(gboutry): Remove admin role when services support working with
+        # service role only.
        self.ksclient.grant_role(
            role=self.charm.admin_role,
            project=project,
@ -477,6 +479,14 @@ class KeystoneManager(framework.Object):
            project_domain="service_domain",
            user_domain="service_domain",
        )
+        # Service role introduced in 2023.2
+        self.ksclient.grant_role(
+            role="service",
+            project=project,
+            user=service_user.get("name"),
+            project_domain="service_domain",
+            user_domain="service_domain",
+        )
        return service_user

    def update_service_catalog_for_keystone(self):