openstack/sunbeam-charms
Code Issues Proposed changes

[keystone-k8s] create service account with service role

Browse Source 
New role `service` has been introduced in 2023.2. New policy rules make
us of this role[1], create any service account with this role by
default.

1: https://review.opendev.org/c/openstack/neutron/+/884613

Closes-Bug: #2068037
Change-Id: I455140c6c0e71a864539532d28119c0c2f8ae50a
This commit is contained in:
Guillaume Boutry 2024-06-04 20:52:52 +02:00
parent 270a99d385
commit 573a8e56c2
No known key found for this signature in database
GPG Key ID: E95E3326872E55DE
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
charms/keystone-k8s/src/utils/manager.py
View File

@ -470,6 +470,8 @@ class KeystoneManager(framework.Object):
password=password, password=password,
domain=domain, domain=domain,
) )
# NOTE(gboutry): Remove admin role when services support working with
# service role only.
self.ksclient.grant_role( self.ksclient.grant_role(
role=self.charm.admin_role, role=self.charm.admin_role,
project=project, project=project,
@ -477,6 +479,14 @@ class KeystoneManager(framework.Object):
project_domain="service_domain", project_domain="service_domain",
user_domain="service_domain", user_domain="service_domain",
) )
# Service role introduced in 2023.2
self.ksclient.grant_role(
role="service",
project=project,
user=service_user.get("name"),
project_domain="service_domain",
user_domain="service_domain",
)
return service_user return service_user
def update_service_catalog_for_keystone(self): def update_service_catalog_for_keystone(self):