From fbd80bcdc869cf22330d5d3c8770ec11bb28b4cd Mon Sep 17 00:00:00 2001
From: Mark Goddard <mark@stackhpc.com>
Date: Wed, 31 Mar 2021 10:51:20 +0100
Subject: [PATCH] octavia: Ensure service auth project exists

Kolla Ansible supports configuration of the project used by Octavia to
communicate with other services, via octavia_service_auth_project. Until
Ussuri, this was set to admin. In Ussuri it changed to service. It may
also be set to a different value.

Kolla Ansible currently gives the octavia user the admin role in the
project, but it does not ensure that the project exists. For admin and
service projects, this is not a problem. If the project has been
customised however, it will not necessarily exist, which will cause
Octavia deployment to fail.

This change fixes the issue by ensuring that the service auth project
exists, in addition to the service project.

Closes-Bug: #1922100
Change-Id: I968efbf3ad1de676548b4e3aeefc20bf80ca94a0
---
 ansible/roles/octavia/defaults/main.yml           |  7 +++++++
 ansible/roles/octavia/tasks/register.yml          | 15 ---------------
 ...ate-service-auth-project-aa38b12ebb601777.yaml |  7 +++++++
 3 files changed, 14 insertions(+), 15 deletions(-)
 create mode 100644 releasenotes/notes/octavia-create-service-auth-project-aa38b12ebb601777.yaml

diff --git a/ansible/roles/octavia/defaults/main.yml b/ansible/roles/octavia/defaults/main.yml
index c2ca8e774a..cb63dd1560 100644
--- a/ansible/roles/octavia/defaults/main.yml
+++ b/ansible/roles/octavia/defaults/main.yml
@@ -227,6 +227,13 @@ octavia_ks_users:
     user: "{{ octavia_keystone_user }}"
     password: "{{ octavia_keystone_password }}"
     role: "admin"
+  # NOTE(mgoddard): The default for the service auth project is service, but
+  # may be customised. Ensure the project exists, and assign the octavia user
+  # the admin role in it.
+  - project: "{{ octavia_service_auth_project }}"
+    user: "{{ octavia_keystone_user }}"
+    password: "{{ octavia_keystone_password }}"
+    role: "admin"
 
 ####################
 # Kolla
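Review bot: With `octavia_service_auth_project` left at its default of service, the entry added at the end of `octavia_ks_users` appears to repeat the entry directly above it (that entry's `project:` line is outside the hunk, so this is inferred from the commit message), because the `when: octavia_service_auth_project != 'service'` guard on the task removed from register.yml has no equivalent here. The repeated registration should be idempotent, but the NOTE should say so, for example `# With the default value this duplicates the entry above; the repeat is harmless.` The comment should also record that whatever value is set is now created as a project and the octavia user is given the admin role in it. A mistyped project name therefore no longer fails the deployment; it produces a new project with an admin role assignment that operators should look for when auditing Keystone.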
diff --git a/ansible/roles/octavia/tasks/register.yml b/ansible/roles/octavia/tasks/register.yml
index f8e9fe1148..079a59a022 100644
--- a/ansible/roles/octavia/tasks/register.yml
+++ b/ansible/roles/octavia/tasks/register.yml
@@ -6,21 +6,6 @@
     service_ks_register_services: "{{ octavia_ks_services }}"
     service_ks_register_users: "{{ octavia_ks_users }}"
 
-- name: "Adding admin role to octavia user in {{ octavia_service_auth_project }} project"
-  become: true
-  kolla_toolbox:
-    module_name: "os_user_role"
-    module_args:
-      user: "{{ octavia_keystone_user }}"
-      role: admin
-      project: "{{ octavia_service_auth_project }}"
-      auth: "{{ openstack_octavia_auth }}"
-      endpoint_type: "{{ openstack_interface }}"
-      cacert: "{{ openstack_cacert }}"
-      region_name: "{{ openstack_region_name }}"
-  run_once: True
-  when: octavia_service_auth_project != 'service'
-
 - name: Adding octavia related roles
   become: true
   kolla_toolbox:
diff --git a/releasenotes/notes/octavia-create-service-auth-project-aa38b12ebb601777.yaml b/releasenotes/notes/octavia-create-service-auth-project-aa38b12ebb601777.yaml
new file mode 100644
index 0000000000..8f1d8bc5dc
--- /dev/null
+++ b/releasenotes/notes/octavia-create-service-auth-project-aa38b12ebb601777.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Fixes an issue with Octavia deployment when using a custom service auth
+    project. If ``octavia_service_auth_project`` is set to a project that does
+    not exist, Octavia deployment would fail. The project is now created.
+    `LP#1922100 <https://bugs.launchpad.net/kolla-ansible/+bug/1922100>`__
-- 
GitLab