Merge "Switch octavia to use service project in service_auth"

2020-06-17 17:46:27 +00:00 · 2020-06-17 17:46:27 +00:00 · e2e77ccf01
commit e2e77ccf01
parent 99936f1215 c2037885e7
4 changed files with 35 additions and 4 deletions
--- a/ansible/roles/octavia/defaults/main.yml
+++ b/ansible/roles/octavia/defaults/main.yml
@ -123,6 +123,10 @@ octavia_logging_debug: "{{ openstack_logging_debug }}"

 octavia_keystone_user: "octavia"

+# Project that Octavia will use to interact with other services.  Note that in
+# Train and earlier releases this was "admin".
+octavia_service_auth_project: "service"
+
 openstack_octavia_auth: "{{ openstack_auth }}"

 ####################
--- a/ansible/roles/octavia/tasks/register.yml
+++ b/ansible/roles/octavia/tasks/register.yml
@ -7,6 +7,20 @@
    service_ks_register_users: "{{ octavia_ks_users }}"
  tags: always

+- name: "Adding admin role to octavia user in {{ octavia_service_auth_project }} project"
+  become: true
+  kolla_toolbox:
+    module_name: "os_user_role"
+    module_args:
+      user: "{{ octavia_keystone_user }}"
+      role: admin
+      project: "{{ octavia_service_auth_project }}"
+      auth: "{{ openstack_octavia_auth }}"
+      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
+  run_once: True
+  when: octavia_service_auth_project != 'service'
+
 - name: Adding octavia related roles
  become: true
  kolla_toolbox:
--- a/ansible/roles/octavia/templates/octavia.conf.j2
+++ b/ansible/roles/octavia/templates/octavia.conf.j2
@ -33,7 +33,7 @@ auth_type = password
 username = {{ octavia_keystone_user }}
 password = {{ octavia_keystone_password }}
 user_domain_name = {{ default_user_domain_name }}
-project_name = {{ openstack_auth.project_name }}
+project_name = {{ octavia_service_auth_project }}
 project_domain_name = {{ default_project_domain_name }}
 cafile = {{ openstack_cacert }}

--- a/releasenotes/notes/remove-octavia-user-in-admin-project-action-95c87ca45a1188d6.yaml
+++ b/releasenotes/notes/remove-octavia-user-in-admin-project-action-95c87ca45a1188d6.yaml
@ -3,7 +3,20 @@ upgrade:
  - |
    The octavia user is no longer given the admin role in the admin
    project. Octavia does not require this role and instead uses octavia
-    user with admin role in service project. During an upgrade the octavia
-    user is removed from the admin project. See
-    `bug 1873176 <https://bugs.launchpad.net/kolla-ansible/+bug/1873176>`__
+    user with admin role in service project. During an upgrade the octavia user
+    is removed from the admin project.
+
+    For existing deployments this may cause problems, so a
+    ``octavia_service_auth_project`` variable has been added which may be set
+    to ``admin`` to return to the previous behaviour.
+
+    To switch an existing deployment from using the ``admin`` project to the
+    ``service`` project, it will at least be necessary to create the required
+    security group in the ``service`` project, and update
+    ``octavia_amp_secgroup_list`` to this group's ID. Ideally the Amphora
+    flavor and network would also be recreated in the ``service`` project,
+    although this does not appear to be necessary for operation, and will
+    impact existing Amphorae.
+
+    See `bug 1873176 <https://bugs.launchpad.net/kolla-ansible/+bug/1873176>`__
    for details.