Add new RBAC parameters which are necessary from 2024.1

See https://review.opendev.org/c/openstack/ironic/+/907148

Ironic enables oslo policy RBAC changes from 2024.1 by default.
Once enabled, in theory system scoped tokens are required for
various actions, but in practice this doesn't necessarily work
when interacting with other services.

New Ironic variables provide the means to continue with a
relatively standard deployment without having to make
far-reaching policy changes.

Change-Id: I2cb53414cce3a899a0db5f74e56798de95c6c4b1
(cherry picked from commit aa2e8c319a9acf7f17f979cc43fecc8d01a5ce19)
Andrew Bonney 2024-07-02 10:22:46 +01:00 committed by Dmitriy Rabotyagov
parent de720e33fc
commit a9525f7e00
2 changed files with 9 additions and 0 deletions


@ -122,6 +122,11 @@ ironic_service_token_roles:
ironic_service_token_roles_required: "{{ openstack_service_token_roles_required | default(True) }}"
ironic_service_in_ldap: "{{ service_ldap_backend_enabled | default(False) }}"
# Enable interaction with Nova and Neutron from 2024.1 with default policy
# If more than one service project name is necessary, then you may need to
# override Ironic 'service_role' policy.
ironic_service_role_elevated_access: True
# The name of the entry in container_networks for the bmaas network
# This is the default provisioning / inspection / cleaning network for this role
ironic_container_network_name: "bmaas_address"
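Review bot: `ironic_service_role_elevated_access` defaults to `True` here, but the comment above it only describes the interoperability benefit and not what is being granted. As I read the Ironic option, enabling it means requests carrying the `service` role from the configured service project are no longer scoped to that project under the default policy, so the Ironic API trusts those accounts more widely. I would extend the comment to say so, e.g. `# Grants 'service' role accounts in ironic_service_project_name access beyond their own project; set to False if you maintain your own policy overrides.` The diffstat lists only two changed files, so a release note calling out the new default for operators upgrading to 2024.1 appears to be missing.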


@ -26,6 +26,10 @@ enabled_power_interfaces = {{ filtered_ironic_drivers | json_query('[*].power')
enabled_console_interfaces = {{ filtered_ironic_drivers | json_query('[*].console') | unique | join(',') }}
enabled_raid_interfaces = {{ filtered_ironic_drivers | json_query('[*].raid') | unique | join(',') }}
# rbac
rbac_service_role_elevated_access = {{ ironic_service_role_elevated_access }}
rbac_service_project_name = {{ ironic_service_project_name }}
[agent]
[amt]
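Review bot: The elevated access rendered here is keyed on a project name alone, and the `# rbac` comment does not make that visible to whoever audits the generated ironic.conf. If `ironic_service_project_name` is the project shared by all service accounts (its definition is outside this hunk, so this is an assumption), then a credential from any service holding the `service` role there would get the same elevated access intended for Nova and Neutron. I would replace `# rbac` with something like `# Service-role accounts in this project get elevated access under default policy` so the scope is stated in the rendered file.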