From 513e73099035b11bf024c2df14b671bbf583bf11 Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov <dmitriy.rabotyagov@citynetwork.eu>
Date: Mon, 22 Mar 2021 20:16:31 +0200
Subject: [PATCH] Allow to override zun policy files

We implement `zun_policy_overrides` variable in order to allow
management of zun policy files when needed.

Change-Id: If58446a2ca1aa645e098df86c3d76c8ac94bf1a1
---
 defaults/main.yml                             |  1 +
 ...zun_policy_overrides-bc4e5d658969f0c8.yaml |  5 +++++
 tasks/zun_post_install.yml                    | 19 +++++++++++++++++++
 3 files changed, 25 insertions(+)
 create mode 100644 releasenotes/notes/zun_policy_overrides-bc4e5d658969f0c8.yaml

diff --git a/defaults/main.yml b/defaults/main.yml
index 47844ee..52cce58 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -368,3 +368,4 @@ zun_compute_init_overrides: {}
 zun_kuryr_init_overrides: {}
 zun_docker_init_overrides: {}
 zun_docker_cleanup_init_overrides: {}
+zun_policy_overrides: {}
diff --git a/releasenotes/notes/zun_policy_overrides-bc4e5d658969f0c8.yaml b/releasenotes/notes/zun_policy_overrides-bc4e5d658969f0c8.yaml
new file mode 100644
index 0000000..6ca19a1
--- /dev/null
+++ b/releasenotes/notes/zun_policy_overrides-bc4e5d658969f0c8.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Added variable ``zun_policy_overrides`` that aims to allow deploying
+    policy.yaml file with provided overrides for Zun service.
diff --git a/tasks/zun_post_install.yml b/tasks/zun_post_install.yml
index 20cd4ff..95d3333 100644
--- a/tasks/zun_post_install.yml
+++ b/tasks/zun_post_install.yml
@@ -60,6 +60,25 @@
     - zun-config
     - zun-post-install
 
+- name: Implement policy.yaml if there are overrides configured
+  config_template:
+    content: "{{ zun_policy_overrides }}"
+    dest: "/etc/zun/policy.yaml"
+    config_type: yaml
+  when:
+    - zun_policy_overrides | length > 0
+  tags:
+    - zun-policy-override
+
+- name: Remove legacy policy.yaml file
+  file:
+    path: "/etc/zun/policy.yaml"
+    state: absent
+  when:
+    - zun_policy_overrides | length == 0
+  tags:
+    - zun-policy-override
+
 - name: Synchronize the zun DB schema
   command: "{{ zun_bin }}/zun-db-manage --config-dir /etc/zun upgrade"
   become: yes