(Renamed and adapted from Switch octavia to use service project in
service_auth on master and stable/ussuri)
Recently a patch [1] was merged to stop adding the octavia user to the
admin project, and remove it on upgrade. However, the octavia
configuration was not updated to use the service project, causing load
balancer creation to fail.
There is also an issue for existing deployments in simply switching to
the service project. While existing load balancers appear to continue to
work, creating new load balancers fails due to the security group
belonging to the admin project. At a minimum, the deployer needs to
create a security group in the service project, and update
'octavia_amp_secgroup_list' to match its ID. Ideally the flavor and
network would also be recreated in the service project, although this
does not seem to impact operation and will result in downtime for
existing Amphorae.
This change adds a new variable, 'octavia_service_auth_project', that
can be used to set the project. The default in Ussuri is 'service',
switching to the new behaviour. For backports of this patch to Train and
earlier branches it should be switched to 'admin' to maintain
compatibility.
In Train and earlier, if a deployer keeps the default
'octavia_service_auth_project' of 'admin', the octavia user will be
assigned the admin role in the admin project, as was done previously.
They may also set 'octavia_service_auth_project' to 'service' to use the
new behaviour, and avoid a breaking change when later upgrading to
Ussuri.
Closes-Bug: #1882643
Related-Bug: #1873176
[1] https://review.opendev.org/720243/
Co-Authored-By: Mark Goddard <mark@stackhpc.com>
Change-Id: I1efd0154ebaee69373ae5bccd391ee9c68d09b30
(cherry picked from commit c2037885e7)
(cherry picked from commit 1851d88126)
a0868027ff