Add Service Token support

As documented in [1] service tokens are useful to prevent issues
with long running services or with requests that take a long time
to finish where the user token can expire in the middle of an operation.

[1] https://docs.openstack.org/cinder/latest/configuration/block-storage/service-token.html

Depends-On: I15682c66d252d506e8f1c9b8de818bc19b1af973
Change-Id: Id8df2d4dffab63ed26d25c59bff671e972face5f

charms/nova-k8s/lib/charms/keystone_k8s/v1/identity_service.py

@@ -100,7 +100,7 @@ LIBAPI = 1
 
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 0
+LIBPATCH = 1
 
 
 logger = logging.getLogger(__name__)
@@ -349,6 +349,11 @@ class IdentityServiceRequires(Object):
         """Return the public_auth_url."""
         return self.get_remote_app_data('public-auth-url')
 
+    @property
+    def admin_role(self) -> str:
+        """Return the admin_role."""
+        return self.get_remote_app_data('admin-role')
+
     def register_services(self, service_endpoints: dict,
                           region: str) -> None:
         """Request access to the IdentityService server."""
@@ -481,7 +486,8 @@ class IdentityServiceProvides(Object):
                                          internal_auth_url: str,
                                          admin_auth_url: str,
                                          public_auth_url: str,
-                                         service_credentials: str):
+                                         service_credentials: str,
+                                         admin_role: str):
         logging.debug("Setting identity_service connection information.")
         _identity_service_rel = None
         for relation in self.framework.model.relations[relation_name]:
@@ -516,3 +522,4 @@ class IdentityServiceProvides(Object):
         app_data["admin-auth-url"] = admin_auth_url
         app_data["public-auth-url"] = public_auth_url
         app_data["service-credentials"] = service_credentials
+        app_data["admin-role"] = admin_role

charms/nova-k8s/src/templates/nova.conf.j2

@@ -36,6 +36,8 @@ region_name = {{ options.region }}
 [placement]
 {% include "parts/section-identity" %}
 
+{% include "parts/section-service-user" %}
+
 [cells]
 enable = False
 

charms/nova-k8s/src/templates/parts/section-identity

@@ -11,6 +11,7 @@ user_domain_name = {{ identity_service.service_domain_name }}
 project_name = {{ identity_service.service_project_name }}
 username = {{ identity_service.service_user_name }}
 password = {{ identity_service.service_password }}
-
 # XXX Region should come from the id relation here
 region_name = {{ options.region }}
+service_token_roles = {{ identity_service.admin_role }}
+service_token_roles_required = True

charms/nova-k8s/src/templates/parts/section-service-user

@@ -0,0 +1,15 @@
+{% if identity_service.service_domain_id -%}
+[service_user]
+{% if identity_service.internal_auth_url -%}
+auth_url = {{ identity_service.internal_auth_url }}
+{% elif identity_service.internal_host -%}
+auth_url = {{ identity_service.internal_protocol }}://{{ identity_service.internal_host }}:{{ identity_service.internal_port }}
+{% endif -%}
+send_service_user_token = true
+auth_type = password
+project_domain_id = {{ identity_service.service_project_id }}
+user_domain_id = {{ identity_service.service_domain_id }}
+project_name = {{ identity_service.service_project_name }}
+username = {{ identity_service.service_user_name }}
+password = {{ identity_service.service_password }}
+{% endif -%}