Configure Cinder to require admin service tokens

[hertrste]

Configure Cinder to require admin token for certain actions.

Required for some actions Nova wants to do at Cinder.

Summary by CodeRabbit

• Configuration Updates
  • Enhanced Keystone service token validation requirements for the Cinder block storage API.
  • Updated authentication configuration for NFS storage backends to include additional role-based access controls.

[coderabbitai]

📝 Walkthrough

Walkthrough

Two Cinder NixOS module templates are updated to enforce Keystone service token role validation. Both modules/controller/cinder.nix and modules/storage/cinder-storage-node.nix gain service_token_roles_required = true and service_token_roles = admin in their generated configuration files.

Changes

Keystone Service Token Role Enforcement

Layer / File(s)	Summary
Service token role settings in controller and storage node configs modules/controller/cinder.nix, modules/storage/cinder-storage-node.nix	Adds service_token_roles_required = true and service_token_roles = admin to the generated cinder-api.conf and the NFS-backend cinder.conf template respectively.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐇 Hop, hop, through the config maze,
Two little lines earn Keystone's praise.
admin role required, the tokens must say,
No unauthorized service gets through today!
The rabbit stamps the diff and hops away. 🐾

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Title check	✅ Passed	The title 'Configure Cinder to require admin service tokens' directly and specifically describes the main change across both modified files: adding service token role requirements to Cinder configuration.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch storage-migration-productization

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@modules/storage/cinder-storage-node.nix`:
- Around line 107-108: The Keystone service-token enforcement keys
(service_token_roles_required and service_token_roles) are currently only
applied to cinderConfNfs but not to cinderConfLvm, causing inconsistent
authentication behavior depending on which backend is selected. Add the same
service_token_roles_required = true and service_token_roles = admin
configuration to cinderConfLvm to ensure consistent Keystone service-token
enforcement across both the NFS and LVM backend options.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7005d505-b5be-4cb8-8b77-31738af216bc

📥 Commits

Reviewing files that changed from the base of the PR and between 206a688 and 3d19e87.

📒 Files selected for processing (2)

• modules/controller/cinder.nix
• modules/storage/cinder-storage-node.nix

[pkr4711]

LGTM!