Merge "Switch octavia to use service project in service_auth"

e2e77ccf · Zuul · Gerrit Code Review · 99936f12 · c2037885 · e2e77ccf
Commit e2e77ccf authored 4 years ago by Zuul Committed by Gerrit Code Review 4 years ago
--- a/ansible/roles/octavia/defaults/main.yml
+++ b/ansible/roles/octavia/defaults/main.yml
@@ -123,6 +123,10 @@ octavia_logging_debug: "{{ openstack_logging_debug }}"
 octavia_keystone_user: "octavia"
+# Project that Octavia will use to interact with other services.  Note that in
+# Train and earlier releases this was "admin".
+octavia_service_auth_project: "service"
 openstack_octavia_auth: "{{ openstack_auth }}"
 ####################

--- a/ansible/roles/octavia/tasks/register.yml
+++ b/ansible/roles/octavia/tasks/register.yml
@@ -7,6 +7,20 @@
    service_ks_register_users: "{{ octavia_ks_users }}"
  tags: always
+- name: "Adding admin role to octavia user in {{ octavia_service_auth_project }} project"
+  become: true
+  kolla_toolbox:
+    module_name: "os_user_role"
+    module_args:
+      user: "{{ octavia_keystone_user }}"
+      role: admin
+      project: "{{ octavia_service_auth_project }}"
+      auth: "{{ openstack_octavia_auth }}"
+      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
+  run_once: True
+  when: octavia_service_auth_project != 'service'
 - name: Adding octavia related roles
  become: true
  kolla_toolbox:

--- a/ansible/roles/octavia/templates/octavia.conf.j2
+++ b/ansible/roles/octavia/templates/octavia.conf.j2
@@ -33,7 +33,7 @@ auth_type = password
 username = {{ octavia_keystone_user }}
 password = {{ octavia_keystone_password }}
 user_domain_name = {{ default_user_domain_name }}
-project_name = {{ openstack_auth.project_name }}
+project_name = {{ octavia_service_auth_project }}
 project_domain_name = {{ default_project_domain_name }}
 cafile = {{ openstack_cacert }}

--- a/releasenotes/notes/remove-octavia-user-in-admin-project-action-95c87ca45a1188d6.yaml
+++ b/releasenotes/notes/remove-octavia-user-in-admin-project-action-95c87ca45a1188d6.yaml
@@ -3,7 +3,20 @@ upgrade:
  - |
    The octavia user is no longer given the admin role in the admin
    project. Octavia does not require this role and instead uses octavia
-    user with admin role in service project. During an upgrade the octavia
+    user with admin role in service project. During an upgrade the octavia user
-    user is removed from the admin project. See
+    is removed from the admin project.
-    `bug 1873176 <https://bugs.launchpad.net/kolla-ansible/+bug/1873176>`__
+    For existing deployments this may cause problems, so a
+    ``octavia_service_auth_project`` variable has been added which may be set
+    to ``admin`` to return to the previous behaviour.
+    To switch an existing deployment from using the ``admin`` project to the
+    ``service`` project, it will at least be necessary to create the required
+    security group in the ``service`` project, and update
+    ``octavia_amp_secgroup_list`` to this group's ID. Ideally the Amphora
+    flavor and network would also be recreated in the ``service`` project,
+    although this does not appear to be necessary for operation, and will
+    impact existing Amphorae.
+    See `bug 1873176 <https://bugs.launchpad.net/kolla-ansible/+bug/1873176>`__
    for details.