Merge "Add ironic-inspector policy configuration"

2021-12-30 15:22:33 +00:00 · 2021-12-30 15:22:33 +00:00 · dbe9bbc2ad
commit dbe9bbc2ad
parent 1fd1f131e7 590cd71893
3 changed files with 49 additions and 7 deletions
--- a/ansible/roles/ironic/tasks/config.yml
+++ b/ansible/roles/ironic/tasks/config.yml
@ -12,7 +12,7 @@
    - item.value.enabled | bool
  with_dict: "{{ ironic_services }}"

- name: Check if policies shall be overwritten
+- name: Check if Ironic policies shall be overwritten
  stat:
    path: "{{ item }}"
  delegate_to: localhost
@ -24,6 +24,18 @@
        - "{{ node_custom_config }}/ironic/"
      skip: true

+- name: Check if Ironic Inspector policies shall be overwritten
+  stat:
+    path: "{{ item }}"
+  delegate_to: localhost
+  run_once: True
+  register: ironic_inspector_policy
+  with_first_found:
+    - files: "{{ supported_policy_format_list }}"
+      paths:
+        - "{{ node_custom_config }}/ironic/inspector/"
+      skip: true
+
 - name: Set ironic policy file
  set_fact:
    ironic_policy_file: "{{ ironic_policy.results.0.stat.path | basename }}"
@ -31,6 +43,13 @@
  when:
    - ironic_policy.results

+- name: Set ironic-inspector policy file
+  set_fact:
+    ironic_inspector_policy_file: "{{ ironic_inspector_policy.results.0.stat.path | basename }}"
+    ironic_inspector_policy_file_path: "{{ ironic_inspector_policy.results.0.stat.path }}"
+  when:
+    - ironic_inspector_policy.results
+
 - include_tasks: copy-certs.yml
  when:
    - kolla_copy_ca_into_containers | bool or ironic_enable_tls_backend | bool
@ -224,12 +243,11 @@
  notify:
    - Restart ironic-ipxe container

- name: Copying over existing policy file
+- name: Copying over existing Ironic policy file
  vars:
    services_require_policy_json:
      - ironic-api
      - ironic-conductor
-      - ironic-inspector
  template:
    src: "{{ ironic_policy_file_path }}"
    dest: "{{ node_config_directory }}/{{ item.key }}/{{ ironic_policy_file }}"
@ -244,6 +262,24 @@
  notify:
    - "Restart {{ item.key }} container"

+- name: Copying over existing Ironic Inspector policy file
+  vars:
+    services_require_inspector_policy_json:
+      - ironic-inspector
+  template:
+    src: "{{ ironic_inspector_policy_file_path }}"
+    dest: "{{ node_config_directory }}/{{ item.key }}/{{ ironic_inspector_policy_file }}"
+    mode: "0660"
+  become: true
+  when:
+    - ironic_inspector_policy_file is defined
+    - item.key in services_require_inspector_policy_json
+    - inventory_hostname in groups[item.value.group]
+    - item.value.enabled | bool
+  with_dict: "{{ ironic_services }}"
+  notify:
+    - "Restart {{ item.key }} container"
+
 - name: Copying over ironic-api-wsgi.conf
  template:
    src: "ironic-api-wsgi.conf.j2"
--- a/ansible/roles/ironic/templates/ironic-inspector.json.j2
+++ b/ansible/roles/ironic/templates/ironic-inspector.json.j2
@ -6,11 +6,11 @@
            "dest": "/etc/ironic-inspector/inspector.conf",
            "owner": "ironic-inspector",
            "perm": "0600"
-        }{% if ironic_policy_file is defined %},
+        }{% if ironic_inspector_policy_file is defined %},
        {
-            "source": "{{ container_config_directory }}/{{ ironic_policy_file }}",
-            "dest": "/etc/ironic/{{ ironic_policy_file }}",
-            "owner": "ironic",
+            "source": "{{ container_config_directory }}/{{ ironic_inspector_policy_file }}",
+            "dest": "/etc/ironic-inspector/{{ ironic_inspector_policy_file }}",
+            "owner": "ironic-inspector",
            "perm": "0600"
        }{% endif %}
    ]
--- a/releasenotes/notes/bug-1952948-003aabe18144f569.yaml
+++ b/releasenotes/notes/bug-1952948-003aabe18144f569.yaml
@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Ironic API and Ironic Inspector API use separate policy files. Ironic role
+    was updated to be able to handle both policies separately.
+    `LP#1952948 <https://bugs.launchpad.net/kolla-ansible/+bug/1952948>`__