From ee61eddc1adc5c60a9c853cdab51f6e01ff1ee9e Mon Sep 17 00:00:00 2001
From: Takashi Kajinami <kajinamit@oss.nttdata.com>
Date: Sat, 11 Oct 2025 12:02:23 +0900
Subject: [PATCH] Add service role by default

This is the role created to be used by service users. At this moment
several services/functionalities still need the admin role so is kept.

Change-Id: I166c1934bdca28bb09df7c26d15c015bc7abc8c0
Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>
---
 manifests/keystone/auth.pp                            | 4 ++--
 releasenotes/notes/service-role-722a430c5ee0c573.yaml | 5 +++++
 spec/classes/octavia_keystone_auth_spec.rb            | 6 +++---
 3 files changed, 10 insertions(+), 5 deletions(-)
 create mode 100644 releasenotes/notes/service-role-722a430c5ee0c573.yaml

diff --git a/manifests/keystone/auth.pp b/manifests/keystone/auth.pp
index 3d3ced42..d8be49ff 100644
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@@ -21,7 +21,7 @@
 #
 # [*roles*]
 #   (Optional) List of roles assigned to octavia user.
-#   Defaults to ['admin']
+#   Defaults to ['admin', 'service']
 #
 # [*system_scope*]
 #   (Optional) Scope for system operations.
@@ -83,7 +83,7 @@ class octavia::keystone::auth (
   String[1] $auth_name                    = 'octavia',
   String[1] $email                        = 'octavia@localhost',
   String[1] $tenant                       = 'services',
-  Array[String[1]] $roles                 = ['admin'],
+  Array[String[1]] $roles                 = ['admin', 'service'],
   String[1] $system_scope                 = 'all',
   Array[String[1]] $system_roles          = [],
   Boolean $configure_endpoint             = true,
diff --git a/releasenotes/notes/service-role-722a430c5ee0c573.yaml b/releasenotes/notes/service-role-722a430c5ee0c573.yaml
new file mode 100644
index 00000000..ab227acf
--- /dev/null
+++ b/releasenotes/notes/service-role-722a430c5ee0c573.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    The ``octavia::keystone::auth`` class now adds the ``service`` role by
+    default. Set the ``roles`` parameter not to add the role.
diff --git a/spec/classes/octavia_keystone_auth_spec.rb b/spec/classes/octavia_keystone_auth_spec.rb
index 3dffdfbe..2325c4b4 100644
--- a/spec/classes/octavia_keystone_auth_spec.rb
+++ b/spec/classes/octavia_keystone_auth_spec.rb
@@ -24,7 +24,7 @@ describe 'octavia::keystone::auth' do
         :password            => 'octavia_password',
         :email               => 'octavia@localhost',
         :tenant              => 'services',
-        :roles               => ['admin'],
+        :roles               => ['admin', 'service'],
         :system_scope        => 'all',
         :system_roles        => [],
         :public_url          => 'http://127.0.0.1:9876',
@@ -39,7 +39,7 @@ describe 'octavia::keystone::auth' do
           :auth_name           => 'alt_octavia',
           :email               => 'alt_octavia@alt_localhost',
           :tenant              => 'alt_service',
-          :roles               => ['admin', 'service'],
+          :roles               => ['admin'],
           :system_scope        => 'atl_all',
           :system_roles        => ['admin', 'member', 'reader'],
           :configure_endpoint  => false,
@@ -68,7 +68,7 @@ describe 'octavia::keystone::auth' do
         :password            => 'octavia_password',
         :email               => 'alt_octavia@alt_localhost',
         :tenant              => 'alt_service',
-        :roles               => ['admin', 'service'],
+        :roles               => ['admin'],
         :system_scope        => 'atl_all',
         :system_roles        => ['admin', 'member', 'reader'],
         :public_url          => 'https://10.10.10.10:80',