From 573a8e56c238071f5fd06f3fc602055ad8c657de Mon Sep 17 00:00:00 2001 From: Guillaume Boutry Date: Tue, 4 Jun 2024 20:52:52 +0200 Subject: [PATCH] [keystone-k8s] create service account with service role New role `service` has been introduced in 2023.2. New policy rules make us of this role[1], create any service account with this role by default. 1: https://review.opendev.org/c/openstack/neutron/+/884613 Closes-Bug: #2068037 Change-Id: I455140c6c0e71a864539532d28119c0c2f8ae50a
---
 charms/keystone-k8s/src/utils/manager.py | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/charms/keystone-k8s/src/utils/manager.py b/charms/keystone-k8s/src/utils/manager.py
index 992ad76c..5fee497b 100644
--- a/charms/keystone-k8s/src/utils/manager.py
+++ b/charms/keystone-k8s/src/utils/manager.py
@@ -470,6 +470,8 @@ class KeystoneManager(framework.Object):
 password=password,
 domain=domain,
 )
+ # NOTE(gboutry): Remove admin role when services support working with
+ # service role only.
 self.ksclient.grant_role(
 role=self.charm.admin_role,
 project=project,
@@ -477,6 +479,14 @@ class KeystoneManager(framework.Object):
 project_domain="service_domain",
 user_domain="service_domain",
 )
+ # Service role introduced in 2023.2
+ self.ksclient.grant_role(
+ role="service",
+ project=project,
+ user=service_user.get("name"),
+ project_domain="service_domain",
+ user_domain="service_domain",
+ )
 return service_user
 def update_service_catalog_for_keystone(self):
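Review bot: The added `grant_role(role="service", ...)` call in the second hunk assumes a role named `service` already exists in this Keystone, and nothing visible in the hunk creates or checks for it. On a deployment bootstrapped before 2023.2 the grant may fail and abort service account creation, so that path is worth confirming. The name is also a bare literal while the admin role comes from `self.charm.admin_role`; a named constant would keep the two consistent. Every service account still receives the admin role, so the grant adds a privilege rather than narrowing one until the NOTE in the first hunk is acted on. I would extend that comment to something like `# TODO(<bug-id>): drop admin grant once services accept the service role alone` so the over-privilege stays tracked. The enclosing method starts outside both hunks.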