octavia: Ensure service auth project exists

Kolla Ansible supports configuration of the project used by Octavia to communicate with other services, via octavia_service_auth_project. Until Ussuri, this was set to admin. In Ussuri it changed to service. It may also be set to a different value. Kolla Ansible currently gives the octavia user the admin role in the project, but it does not ensure that the project exists. For admin and service projects, this is not a problem. If the project has been customised however, it will not necessarily exist, which will cause Octavia deployment to fail. This change fixes the issue by ensuring that the service auth project exists, in addition to the service project. Closes-Bug: #1922100 Change-Id: I968efbf3ad1de676548b4e3aeefc20bf80ca94a0 (cherry picked from commit fbd80bcdc8)
2021-03-31 10:51:20 +01:00 · 2021-03-31 10:51:20 +01:00 · cbd474cc48
parent 76ff914860
commit cbd474cc48
3 changed files with 14 additions and 15 deletions
--- a/ansible/roles/octavia/defaults/main.yml
+++ b/ansible/roles/octavia/defaults/main.yml
@ -227,6 +227,13 @@ octavia_ks_users:
    user: "{{ octavia_keystone_user }}"
    password: "{{ octavia_keystone_password }}"
    role: "admin"
+  # NOTE(mgoddard): The default for the service auth project is service, but
+  # may be customised. Ensure the project exists, and assign the octavia user
+  # the admin role in it.
+  - project: "{{ octavia_service_auth_project }}"
+    user: "{{ octavia_keystone_user }}"
+    password: "{{ octavia_keystone_password }}"
+    role: "admin"

 ####################
 # Kolla
--- a/ansible/roles/octavia/tasks/register.yml
+++ b/ansible/roles/octavia/tasks/register.yml
@ -6,21 +6,6 @@
    service_ks_register_services: "{{ octavia_ks_services }}"
    service_ks_register_users: "{{ octavia_ks_users }}"

- name: "Adding admin role to octavia user in {{ octavia_service_auth_project }} project"
-  become: true
-  kolla_toolbox:
-    module_name: "os_user_role"
-    module_args:
-      user: "{{ octavia_keystone_user }}"
-      role: admin
-      project: "{{ octavia_service_auth_project }}"
-      auth: "{{ openstack_octavia_auth }}"
-      endpoint_type: "{{ openstack_interface }}"
-      cacert: "{{ openstack_cacert }}"
-      region_name: "{{ openstack_region_name }}"
-  run_once: True
-  when: octavia_service_auth_project != 'service'
-
 - name: Adding octavia related roles
  become: true
  kolla_toolbox:
--- a/releasenotes/notes/octavia-create-service-auth-project-aa38b12ebb601777.yaml
+++ b/releasenotes/notes/octavia-create-service-auth-project-aa38b12ebb601777.yaml
@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Fixes an issue with Octavia deployment when using a custom service auth
+    project. If ``octavia_service_auth_project`` is set to a project that does
+    not exist, Octavia deployment would fail. The project is now created.
+    `LP#1922100 <https://bugs.launchpad.net/kolla-ansible/+bug/1922100>`__