)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":9725,"name":"Dong Ma","email":"winterma.dong@gmail.com","username":"larainema"},"change_message_id":"f3372ec9f87e503340f120b18452091a9f114655","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"9dcff424_8f818ccd","updated":"2026-04-10 05:52:55.000000000","message":"recheck","commit_id":"52d3dc751c4dffbc18a7eb1ee1216f7dbb7e4c7c"}],"octavia/templates/bin/_octavia-worker-get-port.sh.tpl":[{"author":{"_account_id":7156,"name":"Mathieu Gagné","email":"mgagne@calavera.ca","username":"mgagne"},"change_message_id":"670c1fe4e2681615882a9c5ff3f4f15d262bf6ce","unresolved":true,"context_lines":[{"line_number":20,"context_line":"PORTNAME\u003doctavia-worker-port-$HOSTNAME"},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"# Create the port if it doesn\u0027t already exist"},{"line_number":23,"context_line":"openstack port show $PORTNAME \u003e /dev/null 2\u003e\u00261 || \\"},{"line_number":24,"context_line":"  openstack port create \\"},{"line_number":25,"context_line":"    --security-group {{ .Values.conf.octavia_resources.worker_security_group }} \\"},{"line_number":26,"context_line":"    --device-owner Octavia:worker \\"}],"source_content_type":"text/x-smarty","patch_set":1,"id":"a32ffde0_b242a5be","line":23,"updated":"2026-04-10 17:47:58.000000000","message":"I have a concern related to how the chart is finding the port.\n\nThose commands are run as admin which, by default, can access Neutron resources across all projects. 
This means any other/untrusted projects can create a Neutron network, security group or port matching Octavia resource names, causing all sort of issues like:\n\n  More than one Network exists with the name \u0027lb-mgmt-net\u0027.\n  More than one SecurityGroup exists with the name \u0027lb-health-mgr-sec-grp\u0027.\n\nOr a different project manages to create the port with the same name before it\u0027s created here.\n\nI am of the opinion that we need to better scope the search and resource creation.\nFurthermore, I\u0027m not a fan of creating resources within the admin project, or at least, not be given a choice. If anything, it should be possible to opt-out of the automated resource creation.","commit_id":"52d3dc751c4dffbc18a7eb1ee1216f7dbb7e4c7c"},{"author":{"_account_id":5890,"name":"Doug Goldstein","email":"cardoe@cardoe.com","username":"cardoe"},"change_message_id":"60c303426368b823c241c19d8a1e1097ab78957f","unresolved":true,"context_lines":[{"line_number":20,"context_line":"PORTNAME\u003doctavia-worker-port-$HOSTNAME"},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"# Create the port if it doesn\u0027t already exist"},{"line_number":23,"context_line":"openstack port show $PORTNAME \u003e /dev/null 2\u003e\u00261 || \\"},{"line_number":24,"context_line":"  openstack port create \\"},{"line_number":25,"context_line":"    --security-group {{ .Values.conf.octavia_resources.worker_security_group }} \\"},{"line_number":26,"context_line":"    --device-owner Octavia:worker \\"}],"source_content_type":"text/x-smarty","patch_set":1,"id":"8935e4a6_2943a1dd","line":23,"in_reply_to":"a32ffde0_b242a5be","updated":"2026-04-10 18:26:15.000000000","message":"Actually you\u0027re right here. I would want this to live in a project of my choice. That\u0027s how we do things today. 
We\u0027re splitting up various projects for segregation.","commit_id":"52d3dc751c4dffbc18a7eb1ee1216f7dbb7e4c7c"},{"author":{"_account_id":9725,"name":"Dong Ma","email":"winterma.dong@gmail.com","username":"larainema"},"change_message_id":"5fda6cc075289ec1e5b0830a5e892a9e60bd0b7f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"527404fa_06d9f17a","in_reply_to":"8935e4a6_2943a1dd","updated":"2026-04-11 00:49:26.000000000","message":"Done. You can now set conf.octavia_resources.project_id to the project of your choice. The port creation will use --project to scope everything to that project.","commit_id":"5b9d89a0f09d219ff5b08510bf6c559ac01b64cc"},{"author":{"_account_id":9725,"name":"Dong Ma","email":"winterma.dong@gmail.com","username":"larainema"},"change_message_id":"76db5d483cc064bdaf6f4d320d39819c6163fd44","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"7cc39da8_aac2dfa0","in_reply_to":"8935e4a6_2943a1dd","updated":"2026-04-11 00:49:50.000000000","message":"Done. You can now set conf.octavia_resources.project_id to the project of your choice. The port creation will use --project to scope everything to that project.","commit_id":"5b9d89a0f09d219ff5b08510bf6c559ac01b64cc"},{"author":{"_account_id":9725,"name":"Dong Ma","email":"winterma.dong@gmail.com","username":"larainema"},"change_message_id":"5fda6cc075289ec1e5b0830a5e892a9e60bd0b7f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"a99dd891_8398c58a","in_reply_to":"a32ffde0_b242a5be","updated":"2026-04-11 00:49:26.000000000","message":"Done. Addressed in PS2:\n\n1. The feature is now opt-in: auto_create_ports defaults to false, so existing deployments are unaffected.\n2. All port lookups and creation are scoped to a configurable project_id (--project flag), preventing cross-project name collisions.\n3. 
The management_network and security group values accept UUIDs (recommended in the comments) to avoid name ambiguity.\n4. Operators can choose which project owns the resources by setting project_id to any valid Keystone project UUID.","commit_id":"5b9d89a0f09d219ff5b08510bf6c559ac01b64cc"},{"author":{"_account_id":9725,"name":"Dong Ma","email":"winterma.dong@gmail.com","username":"larainema"},"change_message_id":"76db5d483cc064bdaf6f4d320d39819c6163fd44","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"e85ef38c_3b939d46","in_reply_to":"a32ffde0_b242a5be","updated":"2026-04-11 00:49:50.000000000","message":"Done. Addressed in PS2:\n\n1. The feature is now opt-in: auto_create_ports defaults to false, so existing deployments are unaffected.\n2. All port lookups and creation are scoped to a configurable project_id (--project flag), preventing cross-project name collisions.\n3. The management_network and security group values accept UUIDs (recommended in the comments) to avoid name ambiguity.\n4. Operators can choose which project owns the resources by setting project_id to any valid Keystone project UUID.","commit_id":"5b9d89a0f09d219ff5b08510bf6c559ac01b64cc"},{"author":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"change_message_id":"3a8f22bb1caff9b37a28acb37fc466c02d5f8979","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"38bb3884_d75f26db","in_reply_to":"e85ef38c_3b939d46","updated":"2026-04-21 02:55:28.000000000","message":"I would also suggest to implement this as a job. Like how we currently do for creating keystone users/endpoints/services. \n\nAlso people from different sides have been suggesting using OSH operator for managing openstack resources. 
I added this topic to the PTG etherpad.","commit_id":"5b9d89a0f09d219ff5b08510bf6c559ac01b64cc"},{"author":{"_account_id":9725,"name":"Dong Ma","email":"winterma.dong@gmail.com","username":"larainema"},"change_message_id":"d8bd6f4b953994048b686a6a3f1aa001c3eb0a05","unresolved":false,"context_lines":[{"line_number":20,"context_line":"PORTNAME\u003doctavia-worker-port-$HOSTNAME"},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"{{- if .Values.conf.octavia_resources.auto_create_ports }}"},{"line_number":23,"context_line":"# Look up the port scoped to the configured project to avoid cross-project"},{"line_number":24,"context_line":"# name collisions."},{"line_number":25,"context_line":"PROJECT_SCOPE\u003d\"--project {{ .Values.conf.octavia_resources.project_id }}\""},{"line_number":26,"context_line":""}],"source_content_type":"text/x-smarty","patch_set":2,"id":"a60a1629_24302e44","line":23,"in_reply_to":"38bb3884_d75f26db","updated":"2026-04-22 05:20:53.000000000","message":"Thanks for the suggestion. I considered the bootstrap-Job pattern but I don\u0027t think it fits this particular case, and I\u0027d like to explain why before refactoring:\n\n1. Per-node ports: the ports are named octavia-{worker,health-manager}-port-$HOSTNAME -- one port per node. The bug this patch fixes is precisely that when a *new* node joins the cluster (after the chart was installed), the per-node port doesn\u0027t exist yet and the DaemonSet pod CrashLoopBackOffs.\n\n2. Helm Jobs run only at install/upgrade hooks. They have no awareness of nodes added later, so a Job alone wouldn\u0027t fix the original problem -- we\u0027d still need the init container (or a separate operator) to handle node-add events.\n\n3. The keystone users/endpoints/services Jobs are a good fit because those resources are cluster-singletons created once. Per-node Neutron ports are not -- the natural Kubernetes primitive is exactly the DaemonSet init container we already have.\n\n4. 
The feature is opt-in (auto_create_ports defaults to false), so existing operators who provision ports externally are unaffected.\n\nIf you\u0027d still prefer a Job-based approach (e.g. a Job that lists Nodes via RBAC and pre-creates ports, plus keeping the init container as a safety net), I\u0027m happy to do it -- but it would be additive complexity rather than a replacement. WDYT?","commit_id":"5b9d89a0f09d219ff5b08510bf6c559ac01b64cc"}],"octavia/values.yaml":[{"author":{"_account_id":7156,"name":"Mathieu Gagné","email":"mgagne@calavera.ca","username":"mgagne"},"change_message_id":"6bc8871b42d20b0d17fa7ca12b59086e45e0fc65","unresolved":true,"context_lines":[{"line_number":327,"context_line":"    # -- Project ID used to scope port lookups and creation."},{"line_number":328,"context_line":"    ## This MUST be set to a valid Keystone project UUID when"},{"line_number":329,"context_line":"    ## auto_create_ports is true, to avoid cross-project name collisions."},{"line_number":330,"context_line":"    project_id: \"\""},{"line_number":331,"context_line":"    # -- Name or UUID of the Octavia management network."},{"line_number":332,"context_line":"    ## Using a UUID is recommended to avoid ambiguity."},{"line_number":333,"context_line":"    management_network: lb-mgmt-net"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"b8cddda2_ad2a089c","line":330,"updated":"2026-04-22 19:11:23.000000000","message":"Maybe I suggest adding some kind of validation to ensure `project_id` is defined when `auto_create_ports` is true?\nOr are you relying on `openstack port` command to fail if `project_id` is empty?","commit_id":"5b9d89a0f09d219ff5b08510bf6c559ac01b64cc"}]}
