From bb7e1e86601d46d1d12620ec44993c493bb923fe Mon Sep 17 00:00:00 2001
From: Xing Zhang <angeiv.zhang@gmail.com>
Date: Thu, 16 Apr 2020 00:48:09 +0800
Subject: [PATCH] Remove octavia user from admin project

It is unnecessary to add the octavia user to the admin project.
The Octavia project does not require this action. As with other projects,
the octavia user with the admin role in the service project is enough.

[1] https://docs.openstack.org/octavia/latest/install/install-ubuntu.html
[2] https://docs.openstack.org/octavia/latest/contributor/guides/dev-quick-start.html#production-deployment-walkthrough
[3] https://github.com/openstack/octavia/blob/master/devstack/plugin.sh

Closes-Bug: #1873176
Change-Id: I35d35177aaabfc6f0abc533a1f756b363bd02308
---
 ansible/roles/octavia/tasks/register.yml          | 13 -------------
 ansible/roles/octavia/tasks/upgrade.yml           | 15 +++++++++++++++
 ...-in-admin-project-action-95c87ca45a1188d6.yaml |  9 +++++++++
 3 files changed, 24 insertions(+), 13 deletions(-)
 create mode 100644 releasenotes/notes/remove-octavia-user-in-admin-project-action-95c87ca45a1188d6.yaml

diff --git a/ansible/roles/octavia/tasks/register.yml b/ansible/roles/octavia/tasks/register.yml
index c44ac4e202..39a0bc577b 100644
--- a/ansible/roles/octavia/tasks/register.yml
+++ b/ansible/roles/octavia/tasks/register.yml
@@ -7,19 +7,6 @@
     service_ks_register_users: "{{ octavia_ks_users }}"
   tags: always
 
-- name: Adding octavia user into admin project
-  become: true
-  kolla_toolbox:
-    module_name: "os_user_role"
-    module_args:
-      user: "{{ octavia_keystone_user }}"
-      role: admin
-      project: "{{ keystone_admin_project }}"
-      auth: "{{ openstack_octavia_auth }}"
-      endpoint_type: "{{ openstack_interface }}"
-      cacert: "{{ openstack_cacert }}"
-  run_once: True
-
 - name: Adding octavia related roles
   become: true
   kolla_toolbox:
diff --git a/ansible/roles/octavia/tasks/upgrade.yml b/ansible/roles/octavia/tasks/upgrade.yml
index 2d4777ab57..f7c6365883 100644
--- a/ansible/roles/octavia/tasks/upgrade.yml
+++ b/ansible/roles/octavia/tasks/upgrade.yml
@@ -5,3 +5,18 @@
 
 - name: Flush handlers
   meta: flush_handlers
+
+# TODO(mgoddard): Remove this task in Victoria.
+- name: Removing octavia user from admin project
+  become: true
+  kolla_toolbox:
+    module_name: "os_user_role"
+    module_args:
+      user: "{{ octavia_keystone_user }}"
+      role: admin
+      state: absent
+      project: "{{ keystone_admin_project }}"
+      auth: "{{ openstack_octavia_auth }}"
+      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
+  run_once: True
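Review bot: The admin-role revocation is added only to upgrade.yml, so a deployment that reaches this version through deploy or reconfigure rather than upgrade would, as far as this diff shows, keep the octavia user's admin role in `{{ keystone_admin_project }}`. The same applies once the task is deleted per the TODO, for anyone who skips this release. Because this is a privilege reduction, the comment above the task should say what it cleans up and what operators must do if they miss it, e.g. `# Revokes the admin-project grant made by older releases (bug 1873176); if this upgrade is skipped, remove the role assignment manually.` It is also worth confirming that os_user_role with `state: absent` succeeds when the assignment is already missing, so that repeated upgrade runs and fresh installs do not fail here.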
diff --git a/releasenotes/notes/remove-octavia-user-in-admin-project-action-95c87ca45a1188d6.yaml b/releasenotes/notes/remove-octavia-user-in-admin-project-action-95c87ca45a1188d6.yaml
new file mode 100644
index 0000000000..63b69524f3
--- /dev/null
+++ b/releasenotes/notes/remove-octavia-user-in-admin-project-action-95c87ca45a1188d6.yaml
@@ -0,0 +1,9 @@
+---
+upgrade:
+  - |
+    The octavia user is no longer given the admin role in the admin
+    project. Octavia does not require this role and instead uses octavia
+    user with admin role in service project. During an upgrade the octavia
+    user is removed from the admin project. See
+    `bug 1873176 <https://bugs.launchpad.net/kolla-ansible/+bug/1873176>`__
+    for details.