Merge "Add ironic-inspector policy configuration"

ansible/roles/ironic/tasks/config.yml

@@ -12,7 +12,7 @@
     - item.value.enabled | bool
   with_dict: "{{ ironic_services }}"
 
-- name: Check if policies shall be overwritten
+- name: Check if Ironic policies shall be overwritten
   stat:
     path: "{{ item }}"
   delegate_to: localhost
@@ -24,6 +24,18 @@
         - "{{ node_custom_config }}/ironic/"
       skip: true
 
+- name: Check if Ironic Inspector policies shall be overwritten
+  stat:
+    path: "{{ item }}"
+  delegate_to: localhost
+  run_once: True
+  register: ironic_inspector_policy
+  with_first_found:
+    - files: "{{ supported_policy_format_list }}"
+      paths:
+        - "{{ node_custom_config }}/ironic/inspector/"
+      skip: true
+
 - name: Set ironic policy file
   set_fact:
     ironic_policy_file: "{{ ironic_policy.results.0.stat.path | basename }}"
@@ -31,6 +43,13 @@
   when:
     - ironic_policy.results
 
+- name: Set ironic-inspector policy file
+  set_fact:
+    ironic_inspector_policy_file: "{{ ironic_inspector_policy.results.0.stat.path | basename }}"
+    ironic_inspector_policy_file_path: "{{ ironic_inspector_policy.results.0.stat.path }}"
+  when:
+    - ironic_inspector_policy.results
+
 - include_tasks: copy-certs.yml
   when:
     - kolla_copy_ca_into_containers | bool or ironic_enable_tls_backend | bool
@@ -224,12 +243,11 @@
   notify:
     - Restart ironic-ipxe container
 
-- name: Copying over existing policy file
+- name: Copying over existing Ironic policy file
   vars:
     services_require_policy_json:
       - ironic-api
       - ironic-conductor
-      - ironic-inspector
   template:
     src: "{{ ironic_policy_file_path }}"
     dest: "{{ node_config_directory }}/{{ item.key }}/{{ ironic_policy_file }}"
@@ -244,6 +262,24 @@
   notify:
     - "Restart {{ item.key }} container"
 
+- name: Copying over existing Ironic Inspector policy file
+  vars:
+    services_require_inspector_policy_json:
+      - ironic-inspector
+  template:
+    src: "{{ ironic_inspector_policy_file_path }}"
+    dest: "{{ node_config_directory }}/{{ item.key }}/{{ ironic_inspector_policy_file }}"
+    mode: "0660"
+  become: true
+  when:
+    - ironic_inspector_policy_file is defined
+    - item.key in services_require_inspector_policy_json
+    - inventory_hostname in groups[item.value.group]
+    - item.value.enabled | bool
+  with_dict: "{{ ironic_services }}"
+  notify:
+    - "Restart {{ item.key }} container"
+
 - name: Copying over ironic-api-wsgi.conf
   template:
     src: "ironic-api-wsgi.conf.j2"

ansible/roles/ironic/templates/ironic-inspector.json.j2

@@ -6,11 +6,11 @@
             "dest": "/etc/ironic-inspector/inspector.conf",
             "owner": "ironic-inspector",
             "perm": "0600"
-        }{% if ironic_policy_file is defined %},
+        }{% if ironic_inspector_policy_file is defined %},
         {
-            "source": "{{ container_config_directory }}/{{ ironic_policy_file }}",
+            "source": "{{ container_config_directory }}/{{ ironic_inspector_policy_file }}",
-            "dest": "/etc/ironic/{{ ironic_policy_file }}",
+            "dest": "/etc/ironic-inspector/{{ ironic_inspector_policy_file }}",
-            "owner": "ironic",
+            "owner": "ironic-inspector",
             "perm": "0600"
         }{% endif %}
     ]

releasenotes/notes/bug-1952948-003aabe18144f569.yaml

@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Ironic API and Ironic Inspector API use separate policy files. Ironic role
+    was updated to be able to handle both policies separately.
+    `LP#1952948 <https://bugs.launchpad.net/kolla-ansible/+bug/1952948>`__