octavia: Ensure service auth project exists

markgoddard · yoctozepto · commit 1d6906bbb8b4 · 2021-06-20T08:15:12.000Z
Kolla Ansible supports configuration of the project used by Octavia to communicate with other services, via octavia_service_auth_project. Until Ussuri, this was set to admin. In Ussuri it changed to service. It may also be set to a different value. Kolla Ansible currently gives the octavia user the admin role in the project, but it does not ensure that the project exists. For admin and service projects, this is not a problem. If the project has been customised however, it will not necessarily exist, which will cause Octavia deployment to fail. This change fixes the issue by ensuring that the service auth project exists, in addition to the service project. Closes-Bug: #1922100 Change-Id: I968efbf3ad1de676548b4e3aeefc20bf80ca94a0 (cherry picked from commit fbd80bc)
diff --git a/ansible/roles/octavia/defaults/main.yml b/ansible/roles/octavia/defaults/main.yml
@@ -146,6 +146,13 @@ octavia_ks_users:
     user: "{{ octavia_keystone_user }}"
     password: "{{ octavia_keystone_password }}"
     role: "admin"
+  # NOTE(mgoddard): The default for the service auth project is service, but
+  # may be customised. Ensure the project exists, and assign the octavia user
+  # the admin role in it.
+  - project: "{{ octavia_service_auth_project }}"
+    user: "{{ octavia_keystone_user }}"
+    password: "{{ octavia_keystone_password }}"
+    role: "admin"
 
 ####################
 # Kolla
diff --git a/ansible/roles/octavia/tasks/register.yml b/ansible/roles/octavia/tasks/register.yml
@@ -6,21 +6,6 @@
     service_ks_register_services: "{{ octavia_ks_services }}"
     service_ks_register_users: "{{ octavia_ks_users }}"
 
-- name: "Adding admin role to octavia user in {{ octavia_service_auth_project }} project"
-  become: true
-  kolla_toolbox:
-    module_name: "os_user_role"
-    module_args:
-      user: "{{ octavia_keystone_user }}"
-      role: admin
-      project: "{{ octavia_service_auth_project }}"
-      auth: "{{ openstack_octavia_auth }}"
-      endpoint_type: "{{ openstack_interface }}"
-      cacert: "{{ openstack_cacert }}"
-      region_name: "{{ openstack_region_name }}"
-  run_once: True
-  when: octavia_service_auth_project != 'service'
-
 - name: Adding octavia related roles
   become: true
   kolla_toolbox:
diff --git a/releasenotes/notes/octavia-create-service-auth-project-aa38b12ebb601777.yaml b/releasenotes/notes/octavia-create-service-auth-project-aa38b12ebb601777.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Fixes an issue with Octavia deployment when using a custom service auth
+    project. If ``octavia_service_auth_project`` is set to a project that does
+    not exist, Octavia deployment would fail. The project is now created.
+    `LP#1922100 <https://bugs.launchpad.net/kolla-ansible/+bug/1922100>`__
