Move role setup into service setup tasks

Instead of adding the same boilerplate as the service setup
in order to create the roles required, we simply move the
role creation into the service add tasks.

Change-Id: I27f26e79735dd1e60d41691deb70e11bbef315e1

tasks/octavia_policy.yml

@@ -13,30 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Create load-balancer_observer role
-  keystone:
-    command: "ensure_role"
-    endpoint: "{{ keystone_service_adminurl }}"
-    login_user: "{{ keystone_admin_user_name }}"
-    login_password: "{{ keystone_auth_admin_password }}"
-    login_project_name: "{{ keystone_admin_tenant_name }}"
-    region_name: "{{ octavia_service_region }}"
-    service_name: "{{ octavia_service_name }}"
-    service_type: "{{ octavia_service_type }}"
-    insecure: "{{ keystone_service_adminuri_insecure }}"
-    role_name: "{{ item }}"
-  register: add_role
-  until: add_role is success
-  retries: 5
-  delay: 10
-  no_log: True
-  with_items:
-    - load-balancer_observer
-    - load-balancer_global_observer
-    - load-balancer_member
-    - load-balancer_admin
-    - load-balancer_quota_admin
-
 - name: Set legacy role policies
   config_template:
     src: policy.json.j2

tasks/octavia_service_add.yml

@@ -93,3 +93,16 @@
           url: "{{ octavia_service_adminuri }}"
       when: octavia_v2 | bool
 
+    - name: Create service roles
+      os_keystone_role:
+        cloud: default
+        state: present
+        name: "{{ item }}"
+        endpoint_type: admin
+        verify: "{{ not keystone_service_adminuri_insecure }}"
+      with_items:
+        - load-balancer_observer
+        - load-balancer_global_observer
+        - load-balancer_member
+        - load-balancer_admin
+        - load-balancer_quota_admin