manage-security-groups=true breaks non-admin tenants

Bug #1893512 reported by Edward Hope-Morley
Affects | Status | Importance | Assigned to | Milestone
Openstack Integrator Charm | Fix Released | High | Edward Hope-Morley |

Bug Description

I have deployed Kubernetes using a non-admin tenant in Openstack (a fairly common use-case I think) and I have enabled manage-security-groups to allow Kubernetes (via the openstack provider) to update security groups for services deployed, e.g. to open ports. The problem is that when this is enabled, the openstack-integrator charm is performing some actions that won't work with a non-admin tenant, such as trying to apply an octavia security group to a loadbalancer vip port:

https://github.com/juju-solutions/charm-openstack-integrator/blob/3d0ac0601bc7105e1a2975a1d1438916a1d7dcbb/lib/charms/layer/openstack.py#L439

This fails [1] because the security group is not owned by the (non-admin in my case) project in use by the openstack-integrator.

A recent commit [2] from bug 1868062 extended this to open the port the LB is created to listen on - something that Octavia should have done automatically.

If I understand correctly both this and [2] were created for the use-case where the security group used with the loadbalancer has not been created by Octavia (and I'm not sure how that is even possible, perhaps this was with the older/deprecated neutron lbaasv2).

There is an easy way to fix this, i.e. only perform these operations if the loadbalancer security group was created by the charm. I still question why the charm even needs to support that use case though, because if using Octavia all of this should have been set up by Octavia itself, so the fact that it hasn't perhaps highlights a more fundamental problem.

[1] https://pastebin.ubuntu.com/p/5v63nM8gpZ/
[2] https://github.com/juju-solutions/charm-openstack-integrator/commit/3d0ac0601bc7105e1a2975a1d1438916a1d7dcbb
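
The guard proposed in the description, sketched as an added example that is not taken from the charm or from the fix that was released: changes are planned only for a security group the charm itself created in its own project. The record type, function names, action names and IDs are hypothetical; `project_id` mirrors the field Neutron reports on a security group.

```python
from dataclasses import dataclass, field


@dataclass
class SecurityGroup:
    # Constructed stand-in for a Neutron security group record.
    id: str
    project_id: str
    rules: set = field(default_factory=set)  # {(protocol, port)}


def charm_owns(sg, charm_project_id, charm_created_ids):
    """True only if the charm created the group in its own project."""
    return sg.id in charm_created_ids and sg.project_id == charm_project_id


def plan_lb_sg_actions(sg, vip_port_sg_ids, listen_port,
                       charm_project_id, charm_created_ids):
    """Return the changes the charm should attempt for one loadbalancer.

    A group the charm did not create (for example one owned by another
    project) is left alone, so a non-admin tenant never issues an update
    it is not permitted to make.
    """
    if not charm_owns(sg, charm_project_id, charm_created_ids):
        return []
    actions = []
    if sg.id not in vip_port_sg_ids:
        actions.append(("attach_sg_to_vip_port", sg.id))
    if ("tcp", listen_port) not in sg.rules:
        actions.append(("open_port", sg.id, "tcp", listen_port))
    return actions


# Constructed sample data (placeholder IDs, not values from the bug report).
TENANT = "project-tenant"
OCTAVIA_SG = SecurityGroup("sg-octavia", "project-services", {("tcp", 443)})
CHARM_SG = SecurityGroup("sg-charm", TENANT)
CHARM_CREATED = {"sg-charm"}

if __name__ == "__main__":
    print(plan_lb_sg_actions(OCTAVIA_SG, ["sg-octavia"], 443, TENANT, CHARM_CREATED))
    print(plan_lb_sg_actions(CHARM_SG, [], 443, TENANT, CHARM_CREATED))
```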

Tags: sts
tags: added: sts
description: updated
summary: - Charm error when trying to update port
+ manage-security-groups=true breaks non-admin tenants
Edward Hope-Morley (hopem) wrote :
Changed in charm-openstack-integrator:
assignee: nobody → Edward Hope-Morley (hopem)
status: New → In Progress
George Kraft (cynerva)
Changed in charm-openstack-integrator:
importance: Undecided → High
tags: added: review-needed
Cory Johns (johnsca)
Changed in charm-openstack-integrator:
milestone: none → 1.19
status: In Progress → Fix Committed
tags: removed: review-needed
Changed in charm-openstack-integrator:
status: Fix Committed → Fix Released