Changing all policies to yaml format

In the Victoria cycle oslo.policy decided to change all default policies to yaml format. Today on openstack-helm we have a mix of json and yaml on projects and, after having a bad time debugging policies that should have beeing mounted somewhere but was being mounted elsewhere, I'm proposing this change so we can unify the delivery method for all policies across components on yaml (that is supported for quite some time). This will also avoid having problems in the future as the services move from json to yaml. [1] https://specs.openstack.org/openstack/oslo-specs/specs/victoria/policy-json-to-yaml.html Signed-off-by: Thiago Brito <thiago.brito@windriver.com> Change-Id: Id170bf184e44fd77cd53929d474582022a5b6d4f
2021-05-17 19:16:54 -03:00 · 2021-05-17 19:16:54 -03:00 · 8ab6013409
parent 43b3d86811
commit 8ab6013409
85 changed files with 136 additions and 99 deletions
--- a/aodh/Chart.yaml
+++ b/aodh/Chart.yaml
@ -16,7 +16,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: Openstack-Helm Aodh
 name: aodh
-version: 0.2.0
+version: 0.2.1
 home: https://docs.openstack.org/aodh/latest/
 sources:
  - https://opendev.org/openstack/aodh
--- a/aodh/templates/configmap-etc.yaml
+++ b/aodh/templates/configmap-etc.yaml
@ -115,6 +115,6 @@ data:
  aodh.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.aodh | b64enc }}
  logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
  api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
-  policy.json: {{ toJson .Values.conf.policy | b64enc }}
+  policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
 {{ include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_aodh "key" "wsgi-aodh.conf" "format" "Secret" ) | indent 2 }}
 {{- end }}
--- a/aodh/templates/deployment-api.yaml
+++ b/aodh/templates/deployment-api.yaml
@ -97,8 +97,8 @@ spec:
              subPath: api-paste.ini
              readOnly: true
            - name: aodh-etc
-              mountPath: /etc/aodh/policy.json
-              subPath: policy.json
+              mountPath: /etc/aodh/policy.yaml
+              subPath: policy.yaml
              readOnly: true
            - name: aodh-etc
              mountPath: /etc/apache2/conf-enabled/wsgi-aodh.conf
--- a/aodh/templates/deployment-evaluator.yaml
+++ b/aodh/templates/deployment-evaluator.yaml
@ -84,8 +84,8 @@ spec:
              readOnly: true
            {{- end }}
            - name: aodh-etc
-              mountPath: /etc/aodh/policy.json
-              subPath: policy.json
+              mountPath: /etc/aodh/policy.yaml
+              subPath: policy.yaml
              readOnly: true
            - name: aodh-bin
              mountPath: /tmp/aodh-evaluator.sh
--- a/aodh/templates/deployment-listener.yaml
+++ b/aodh/templates/deployment-listener.yaml
@ -84,8 +84,8 @@ spec:
              readOnly: true
            {{- end }}
            - name: aodh-etc
-              mountPath: /etc/aodh/policy.json
-              subPath: policy.json
+              mountPath: /etc/aodh/policy.yaml
+              subPath: policy.yaml
              readOnly: true
            - name: aodh-bin
              mountPath: /tmp/aodh-listener.sh
--- a/aodh/templates/deployment-notifier.yaml
+++ b/aodh/templates/deployment-notifier.yaml
@ -84,8 +84,8 @@ spec:
              readOnly: true
            {{- end }}
            - name: aodh-etc
-              mountPath: /etc/aodh/policy.json
-              subPath: policy.json
+              mountPath: /etc/aodh/policy.yaml
+              subPath: policy.yaml
              readOnly: true
            - name: aodh-bin
              mountPath: /tmp/aodh-notifier.sh
--- a/aodh/values.yaml
+++ b/aodh/values.yaml
@ -463,6 +463,8 @@ conf:
      log_config_append: /etc/aodh/logging.conf
    oslo_middleware:
      enable_proxy_headers_parsing: true
+    oslo_policy:
+      policy_file: /etc/aodh/policy.yaml
    database:
      alarm_history_time_to_live: 86400
      max_retries: -1
--- a/barbican/Chart.yaml
+++ b/barbican/Chart.yaml
@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Barbican
 name: barbican
-version: 0.2.0
+version: 0.2.1
 home: https://docs.openstack.org/barbican/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Barbican/OpenStack_Project_Barbican_vertical.png
 sources:
--- a/barbican/templates/configmap-etc.yaml
+++ b/barbican/templates/configmap-etc.yaml
@ -93,6 +93,6 @@ data:
  logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
  barbican-api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
  api_audit_map.conf: {{ include "helm-toolkit.utils.to_ini" .Values.conf.audit_map | b64enc }}
-  policy.json: {{ toJson .Values.conf.policy | b64enc }}
+  policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
  barbican-api.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.barbican_api | b64enc }}
 {{- end }}
--- a/barbican/templates/deployment-api.yaml
+++ b/barbican/templates/deployment-api.yaml
@ -101,8 +101,8 @@ spec:
              subPath: barbican-api-paste.ini
              readOnly: true
            - name: barbican-etc
-              mountPath: /etc/barbican/policy.json
-              subPath: policy.json
+              mountPath: /etc/barbican/policy.yaml
+              subPath: policy.yaml
              readOnly: true
            - name: barbican-bin
              mountPath: /tmp/barbican.sh
--- a/barbican/values.yaml
+++ b/barbican/values.yaml
@ -464,6 +464,8 @@ conf:
      # NOTE(portdirect): the bind port should not be defined, and is manipulated
      # via the endpoints section.
      bind_port: null
+    oslo_policy:
+      policy_file: /etc/barbican/policy.yaml
  logging:
    loggers:
      keys:
--- a/ceilometer/Chart.yaml
+++ b/ceilometer/Chart.yaml
@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Ceilometer
 name: ceilometer
-version: 0.2.0
+version: 0.2.1
 home: https://docs.openstack.org/ceilometer/latest/
 sources:
  - https://opendev.org/openstack/ceilometer
--- a/ceilometer/templates/configmap-etc.yaml
+++ b/ceilometer/templates/configmap-etc.yaml
@ -117,7 +117,7 @@ data:
  rally_tests.yaml: {{ toYaml .Values.conf.rally_tests | b64enc }}
  ceilometer.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.ceilometer | b64enc }}
  api_paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
-  policy.json: {{ toJson .Values.conf.policy | b64enc }}
+  policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
  api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
  event_pipeline.yaml: {{ toYaml .Values.conf.event_pipeline | b64enc }}
  pipeline.yaml: {{ toYaml .Values.conf.pipeline | b64enc }}
--- a/ceilometer/templates/daemonset-compute.yaml
+++ b/ceilometer/templates/daemonset-compute.yaml
@ -73,8 +73,8 @@ spec:
              subPath: api_paste.ini
              readOnly: true
            - name: ceilometer-etc
-              mountPath: /etc/ceilometer/policy.json
-              subPath: policy.json
+              mountPath: /etc/ceilometer/policy.yaml
+              subPath: policy.yaml
              readOnly: true
            - name: ceilometer-etc
              mountPath: /etc/ceilometer/event_definitions.yaml
--- a/ceilometer/templates/daemonset-ipmi.yaml
+++ b/ceilometer/templates/daemonset-ipmi.yaml
@ -75,8 +75,8 @@ spec:
              subPath: api_paste.ini
              readOnly: true
            - name: ceilometer-etc
-              mountPath: /etc/ceilometer/policy.json
-              subPath: policy.json
+              mountPath: /etc/ceilometer/policy.yaml
+              subPath: policy.yaml
              readOnly: true
            - name: ceilometer-etc
              mountPath: /etc/ceilometer/event_definitions.yaml
--- a/ceilometer/templates/deployment-api.yaml
+++ b/ceilometer/templates/deployment-api.yaml
@ -85,8 +85,8 @@ spec:
              subPath: api_paste.ini
              readOnly: true
            - name: ceilometer-etc
-              mountPath: /etc/ceilometer/policy.json
-              subPath: policy.json
+              mountPath: /etc/ceilometer/policy.yaml
+              subPath: policy.yaml
              readOnly: true
            - name: ceilometer-etc
              mountPath: /etc/ceilometer/api_audit_map.conf
--- a/ceilometer/templates/deployment-central.yaml
+++ b/ceilometer/templates/deployment-central.yaml
@ -71,8 +71,8 @@ spec:
              subPath: api_paste.ini
              readOnly: true
            - name: ceilometer-etc
-              mountPath: /etc/ceilometer/policy.json
-              subPath: policy.json
+              mountPath: /etc/ceilometer/policy.yaml
+              subPath: policy.yaml
              readOnly: true
            - name: ceilometer-etc
              mountPath: /etc/ceilometer/event_definitions.yaml
--- a/ceilometer/templates/deployment-collector.yaml
+++ b/ceilometer/templates/deployment-collector.yaml
@ -71,8 +71,8 @@ spec:
              subPath: api_paste.ini
              readOnly: true
            - name: ceilometer-etc
-              mountPath: /etc/ceilometer/policy.json
-              subPath: policy.json
+              mountPath: /etc/ceilometer/policy.yaml
+              subPath: policy.yaml
              readOnly: true
            - name: ceilometer-etc
              mountPath: /etc/ceilometer/event_definitions.yaml
--- a/ceilometer/templates/deployment-notification.yaml
+++ b/ceilometer/templates/deployment-notification.yaml
@ -71,8 +71,8 @@ spec:
              subPath: api_paste.ini
              readOnly: true
            - name: ceilometer-etc
-              mountPath: /etc/ceilometer/policy.json
-              subPath: policy.json
+              mountPath: /etc/ceilometer/policy.yaml
+              subPath: policy.yaml
              readOnly: true
            - name: ceilometer-etc
              mountPath: /etc/ceilometer/event_definitions.yaml
--- a/ceilometer/values.yaml
+++ b/ceilometer/values.yaml
@ -208,6 +208,8 @@ conf:
      topics:
        - notifications
        - profiler
+    oslo_policy:
+      policy_file: /etc/ceilometer/policy.yaml
    cache:
      enabled: true
      backend: dogpile.cache.memcached
--- a/designate/Chart.yaml
+++ b/designate/Chart.yaml
@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Designate
 name: designate
-version: 0.2.0
+version: 0.2.1
 home: https://docs.openstack.org/designate/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Designate/OpenStack_Project_Designate_vertical.jpg
 sources:
--- a/designate/templates/configmap-etc.yaml
+++ b/designate/templates/configmap-etc.yaml
@ -74,7 +74,7 @@ type: Opaque
 data:
  designate.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.designate | b64enc }}
  api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
-  policy.json: {{  toJson .Values.conf.policy | b64enc }}
+  policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
  logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
 {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.pools "key" "pools.yaml" "format" "Secret" ) | indent 2 }}

--- a/designate/templates/deployment-api.yaml
+++ b/designate/templates/deployment-api.yaml
@ -87,8 +87,8 @@ spec:
              subPath: api-paste.ini
              readOnly: true
            - name: designate-etc
-              mountPath: /etc/designate/policy.json
-              subPath: policy.json
+              mountPath: /etc/designate/policy.yaml
+              subPath: policy.yaml
              readOnly: true
            {{- if .Values.conf.designate.DEFAULT.log_config_append }}
            - name: designate-etc
--- a/designate/templates/deployment-central.yaml
+++ b/designate/templates/deployment-central.yaml
@ -74,8 +74,8 @@ spec:
              subPath: api-paste.ini
              readOnly: true
            - name: designate-etc
-              mountPath: /etc/designate/policy.json
-              subPath: policy.json
+              mountPath: /etc/designate/policy.yaml
+              subPath: policy.yaml
              readOnly: true
            {{- if .Values.conf.designate.DEFAULT.log_config_append }}
            - name: designate-etc
--- a/designate/templates/deployment-mdns.yaml
+++ b/designate/templates/deployment-mdns.yaml
@ -85,8 +85,8 @@ spec:
              subPath: api-paste.ini
              readOnly: true
            - name: designate-etc
-              mountPath: /etc/designate/policy.json
-              subPath: policy.json
+              mountPath: /etc/designate/policy.yaml
+              subPath: policy.yaml
              readOnly: true
            {{- if .Values.conf.designate.DEFAULT.log_config_append }}
            - name: designate-etc
--- a/designate/templates/deployment-producer.yaml
+++ b/designate/templates/deployment-producer.yaml
@ -74,8 +74,8 @@ spec:
              subPath: api-paste.ini
              readOnly: true
            - name: designate-etc
-              mountPath: /etc/designate/policy.json
-              subPath: policy.json
+              mountPath: /etc/designate/policy.yaml
+              subPath: policy.yaml
              readOnly: true
            {{- if .Values.conf.designate.DEFAULT.log_config_append }}
            - name: designate-etc
--- a/designate/templates/deployment-sink.yaml
+++ b/designate/templates/deployment-sink.yaml
@ -70,8 +70,8 @@ spec:
              subPath: designate.conf
              readOnly: true
            - name: designate-etc
-              mountPath: /etc/designate/policy.json
-              subPath: policy.json
+              mountPath: /etc/designate/policy.yaml
+              subPath: policy.yaml
              readOnly: true
            {{- if .Values.conf.designate.DEFAULT.log_config_append }}
            - name: designate-etc
--- a/designate/templates/deployment-worker.yaml
+++ b/designate/templates/deployment-worker.yaml
@ -99,8 +99,8 @@ spec:
              subPath: api-paste.ini
              readOnly: true
            - name: designate-etc
-              mountPath: /etc/designate/policy.json
-              subPath: policy.json
+              mountPath: /etc/designate/policy.yaml
+              subPath: policy.yaml
              readOnly: true
            {{- if .Values.conf.designate.DEFAULT.log_config_append }}
            - name: designate-etc
--- a/designate/values.yaml
+++ b/designate/values.yaml
@ -562,6 +562,8 @@ conf:
      notify: false
    oslo_middleware:
      enable_proxy_headers_parsing: true
+    oslo_policy:
+      policy_file: /etc/designate/policy.yaml
    database:
      max_retries: -1
    storage:sqlalchemy:
--- a/glance/Chart.yaml
+++ b/glance/Chart.yaml
@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Glance
 name: glance
-version: 0.2.2
+version: 0.2.3
 home: https://docs.openstack.org/glance/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Glance/OpenStack_Project_Glance_vertical.png
 sources:
--- a/glance/templates/configmap-etc.yaml
+++ b/glance/templates/configmap-etc.yaml
@ -195,7 +195,7 @@ data:
  glance-api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
  glance-registry.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.glance_registry | b64enc }}
  glance-registry-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste_registry | b64enc }}
-  policy.json: {{ toJson .Values.conf.policy | b64enc }}
+  policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
  api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
 {{- include "helm-toolkit.snippets.values_template_renderer" ( dict "envAll" $envAll "template" .Values.conf.swift_store "key" "swift-store.conf" "format" "Secret" ) | indent 2 }}
 {{- include "helm-toolkit.snippets.values_template_renderer" ( dict "envAll" $envAll "template" .Values.conf.nginx "key" "nginx.conf" "format" "Secret" ) | indent 2 }}
--- a/glance/templates/deployment-api.yaml
+++ b/glance/templates/deployment-api.yaml
@ -194,8 +194,8 @@ spec:
              subPath: glance-api-paste.ini
              readOnly: true
            - name: glance-etc
-              mountPath: /etc/glance/policy.json
-              subPath: policy.json
+              mountPath: /etc/glance/policy.yaml
+              subPath: policy.yaml
              readOnly: true
            - name: glance-etc
              mountPath: /etc/glance/api_audit_map.conf
--- a/glance/templates/deployment-registry.yaml
+++ b/glance/templates/deployment-registry.yaml
@ -105,8 +105,8 @@ spec:
              subPath: glance-registry-paste.ini
              readOnly: true
            - name: glance-etc
-              mountPath: /etc/glance/policy.json
-              subPath: policy.json
+              mountPath: /etc/glance/policy.yaml
+              subPath: policy.yaml
              readOnly: true
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image_registry.api.internal "path" "/etc/glance/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
--- a/glance/values.yaml
+++ b/glance/values.yaml
@ -284,6 +284,8 @@ conf:
      driver: messagingv2
    oslo_messaging_rabbit:
      rabbit_ha_queues: true
+    oslo_policy:
+      policy_file: /etc/glance/policy.yaml
    cors: {}
  logging:
    loggers:
--- a/heat/Chart.yaml
+++ b/heat/Chart.yaml
@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Heat
 name: heat
-version: 0.2.1
+version: 0.2.2
 home: https://docs.openstack.org/heat/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Heat/OpenStack_Project_Heat_vertical.png
 sources:
--- a/heat/templates/configmap-etc.yaml
+++ b/heat/templates/configmap-etc.yaml
@ -140,7 +140,7 @@ data:
  heat.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.heat | b64enc }}
  logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
  api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
-  policy.json: {{ toJson .Values.conf.policy | b64enc }}
+  policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
 {{- if .Values.manifests.certificates }}
 {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.mpm_event "key" "mpm_event.conf" "format" "Secret" ) | indent 2 }}
 {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_heat "key" "wsgi-heat.conf" "format" "Secret" ) | indent 2 }}
--- a/heat/templates/deployment-api.yaml
+++ b/heat/templates/deployment-api.yaml
@ -104,8 +104,8 @@ spec:
              subPath: api-paste.ini
              readOnly: true
            - name: heat-etc
-              mountPath: /etc/heat/policy.json
-              subPath: policy.json
+              mountPath: /etc/heat/policy.yaml
+              subPath: policy.yaml
              readOnly: true
            - name: heat-etc
              mountPath: /etc/heat/api_audit_map.conf
--- a/heat/templates/deployment-cfn.yaml
+++ b/heat/templates/deployment-cfn.yaml
@ -104,8 +104,8 @@ spec:
              subPath: api-paste.ini
              readOnly: true
            - name: heat-etc
-              mountPath: /etc/heat/policy.json
-              subPath: policy.json
+              mountPath: /etc/heat/policy.yaml
+              subPath: policy.yaml
              readOnly: true
            - name: heat-etc
              mountPath: /etc/heat/api_audit_map.conf
--- a/heat/templates/deployment-cloudwatch.yaml
+++ b/heat/templates/deployment-cloudwatch.yaml
@ -97,8 +97,8 @@ spec:
              subPath: api-paste.ini
              readOnly: true
            - name: heat-etc
-              mountPath: /etc/heat/policy.json
-              subPath: policy.json
+              mountPath: /etc/heat/policy.yaml
+              subPath: policy.yaml
              readOnly: true
            - name: heat-etc
              mountPath: /etc/heat/api_audit_map.conf
--- a/heat/templates/deployment-engine.yaml
+++ b/heat/templates/deployment-engine.yaml
@ -96,8 +96,8 @@ spec:
              readOnly: true
            {{ end }}
            - name: heat-etc
-              mountPath: /etc/heat/policy.json
-              subPath: policy.json
+              mountPath: /etc/heat/policy.yaml
+              subPath: policy.yaml
              readOnly: true
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
--- a/heat/values.yaml
+++ b/heat/values.yaml
@ -473,6 +473,8 @@ conf:
      enable_proxy_headers_parsing: true
    oslo_messaging_rabbit:
      rabbit_ha_queues: True
+    oslo_policy:
+      policy_file: /etc/heat/policy.yaml
  api_audit_map:
    DEFAULT:
      target_endpoint_type: None
--- a/horizon/Chart.yaml
+++ b/horizon/Chart.yaml
@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Horizon
 name: horizon
-version: 0.2.1
+version: 0.2.2
 home: https://docs.openstack.org/horizon/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Horizon/OpenStack_Project_Horizon_vertical.png
 sources:
--- a/horizon/templates/configmap-etc.yaml
+++ b/horizon/templates/configmap-etc.yaml
@ -27,6 +27,6 @@ data:
 {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.horizon.security "key" "security.conf" "format" "Secret" ) | indent 2 }}
 {{- end }}
 {{- range $key, $value := .Values.conf.horizon.policy }}
-  {{ printf "%s_policy.json" $key }}: {{ $value | toPrettyJson | b64enc }}
+  {{ printf "%s_policy.yaml" $key }}: {{ $value | toPrettyJson | b64enc }}
 {{- end }}
 {{- end }}
--- a/horizon/templates/deployment.yaml
+++ b/horizon/templates/deployment.yaml
@ -123,7 +123,7 @@ spec:
              subPath: local_settings
              readOnly: true
            {{- range $key, $value := $envAll.Values.conf.horizon.policy }}
-            {{- $policyFile := printf "/etc/openstack-dashboard/%s_policy.json" $key }}
+            {{- $policyFile := printf "/etc/openstack-dashboard/%s_policy.yaml" $key }}
            - name: horizon-etc
              mountPath: {{ $policyFile }}
              subPath: {{ base $policyFile }}
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@ -631,17 +631,17 @@ conf:
        # OpenStack services are using to determine role based access control in the
        # target installation.

-        # Path to directory containing policy.json files
+        # Path to directory containing policy.yaml files
        POLICY_FILES_PATH = '/etc/openstack-dashboard'
        # Map of local copy of service policy files
        #POLICY_FILES = {
-        #    'identity': 'keystone_policy.json',
-        #    'compute': 'nova_policy.json',
-        #    'volume': 'cinder_policy.json',
-        #    'image': 'glance_policy.json',
-        #    'orchestration': 'heat_policy.json',
-        #    'network': 'neutron_policy.json',
-        #    'telemetry': 'ceilometer_policy.json',
+        #    'identity': 'keystone_policy.yaml',
+        #    'compute': 'nova_policy.yaml',
+        #    'volume': 'cinder_policy.yaml',
+        #    'image': 'glance_policy.yaml',
+        #    'orchestration': 'heat_policy.yaml',
+        #    'network': 'neutron_policy.yaml',
+        #    'telemetry': 'ceilometer_policy.yaml',
        #}

        # Trove user and database extension support. By default support for
--- a/ironic/Chart.yaml
+++ b/ironic/Chart.yaml
@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Ironic
 name: ironic
-version: 0.2.0
+version: 0.2.1
 home: https://docs.openstack.org/ironic/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Ironic/OpenStack_Project_Ironic_vertical.png
 sources:
--- a/ironic/templates/configmap-etc.yaml
+++ b/ironic/templates/configmap-etc.yaml
@ -203,7 +203,7 @@ type: Opaque
 data:
  ironic.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.ironic | b64enc }}
  logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
-  policy.json: {{  toJson .Values.conf.policy | b64enc }}
+  policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
 {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.tftp_map_file "key" "tftp-map-file" "format" "Secret" ) | indent 2 }}
 {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.nginx "key" "nginx.conf" "format" "Secret" ) | indent 2 }}
 {{- end }}
--- a/ironic/templates/deployment-api.yaml
+++ b/ironic/templates/deployment-api.yaml
@ -131,8 +131,8 @@ spec:
              readOnly: true
            {{- end }}
            - name: ironic-etc
-              mountPath: /etc/ironic/policy.json
-              subPath: policy.json
+              mountPath: /etc/ironic/policy.yaml
+              subPath: policy.yaml
              readOnly: true
            - name: pod-shared
              mountPath: /tmp/pod-shared
--- a/ironic/templates/statefulset-conductor.yaml
+++ b/ironic/templates/statefulset-conductor.yaml
@ -181,8 +181,8 @@ spec:
              readOnly: true
            {{- end }}
            - name: ironic-etc
-              mountPath: /etc/ironic/policy.json
-              subPath: policy.json
+              mountPath: /etc/ironic/policy.yaml
+              subPath: policy.yaml
              readOnly: true
            - name: host-var-lib-ironic
              mountPath: /var/lib/ironic
--- a/ironic/values.yaml
+++ b/ironic/values.yaml
@ -136,6 +136,8 @@ conf:
      auth_type: password
    swift:
      auth_url: null
+    oslo_policy:
+      policy_file: /etc/ironic/policy.yaml
  logging:
    loggers:
      keys:
--- a/keystone/Chart.yaml
+++ b/keystone/Chart.yaml
@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Keystone
 name: keystone
-version: 0.2.3
+version: 0.2.4
 home: https://docs.openstack.org/keystone/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Keystone/OpenStack_Project_Keystone_vertical.png
 sources:
--- a/keystone/templates/configmap-etc.yaml
+++ b/keystone/templates/configmap-etc.yaml
@ -54,7 +54,7 @@ data:
  rally_tests.yaml: {{ toYaml .Values.conf.rally_tests.tests | b64enc }}
  keystone.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone | b64enc }}
  logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.logging | b64enc }}
-  policy.json: {{  toJson .Values.conf.policy | b64enc }}
+  policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
  access_rules.json: {{ toJson .Values.conf.access_rules | b64enc }}
  ports.conf: ''
 {{- range $k, $v := .Values.conf.ks_domains }}
--- a/keystone/templates/deployment-api.yaml
+++ b/keystone/templates/deployment-api.yaml
@ -106,8 +106,8 @@ spec:
              readOnly: true
            {{- end }}
            - name: keystone-etc
-              mountPath: /etc/keystone/policy.json
-              subPath: policy.json
+              mountPath: /etc/keystone/policy.yaml
+              subPath: policy.yaml
              readOnly: true
            - name: keystone-etc
              mountPath: /etc/keystone/access_rules.json
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@ -551,6 +551,8 @@ conf:
      rabbit_ha_queues: true
    oslo_middleware:
      enable_proxy_headers_parsing: true
+    oslo_policy:
+      policy_file: /etc/keystone/policy.yaml
    security_compliance:
      # NOTE(vdrok): The following two options have effect only for SQL backend
      lockout_failure_attempts: 5
--- a/magnum/Chart.yaml
+++ b/magnum/Chart.yaml
@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Magnum
 name: magnum
-version: 0.2.0
+version: 0.2.1
 home: https://docs.openstack.org/magnum/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Magnum/OpenStack_Project_Magnum_vertical.png
 sources:
--- a/magnum/templates/configmap-etc.yaml
+++ b/magnum/templates/configmap-etc.yaml
@ -93,5 +93,5 @@ data:
  magnum.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.magnum | b64enc }}
  logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
  api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
-  policy.json: {{ toJson .Values.conf.policy | b64enc }}
+  policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
 {{- end }}
--- a/magnum/templates/deployment-api.yaml
+++ b/magnum/templates/deployment-api.yaml
@ -103,8 +103,8 @@ spec:
              subPath: api-paste.ini
              readOnly: true
            - name: magnum-etc
-              mountPath: /etc/magnum/policy.json
-              subPath: policy.json
+              mountPath: /etc/magnum/policy.yaml
+              subPath: policy.yaml
              readOnly: true
            - name: magnum-lock-path
              mountPath: {{ .Values.conf.magnum.oslo_concurrency.lock_path }}
--- a/magnum/templates/statefulset-conductor.yaml
+++ b/magnum/templates/statefulset-conductor.yaml
@ -99,8 +99,8 @@ spec:
              readOnly: true
            {{- end }}
            - name: magnum-etc
-              mountPath: /etc/magnum/policy.json
-              subPath: policy.json
+              mountPath: /etc/magnum/policy.yaml
+              subPath: policy.yaml
              readOnly: true
            - name: pod-shared
              mountPath: /tmp/pod-shared
--- a/magnum/values.yaml
+++ b/magnum/values.yaml
@ -119,6 +119,8 @@ conf:
      driver: messaging
    oslo_concurrency:
      lock_path: /var/lib/magnum/tmp
+    oslo_policy:
+      policy_file: /etc/magnum/policy.yaml
    certificates:
      cert_manager_type: barbican
    database:
--- a/mistral/Chart.yaml
+++ b/mistral/Chart.yaml
@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Mistral
 name: mistral
-version: 0.2.0
+version: 0.2.1
 home: https://docs.openstack.org/mistral/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Mistral/OpenStack_Project_Mistral_vertical.png
 sources:
--- a/mistral/templates/configmap-etc.yaml
+++ b/mistral/templates/configmap-etc.yaml
@ -83,7 +83,7 @@ data:
  rally_tests.yaml: {{ toYaml .Values.conf.rally_tests.tests | b64enc }}
  mistral.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.mistral | b64enc }}
  logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
-  policy.json: {{ toJson .Values.conf.policy | b64enc }}
+  policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
 {{- range $key, $value := $envAll.Values.conf.rally_tests.templates }}
  {{ printf "test_template_%d" $key }}: {{ $value.template | b64enc }}
 {{- end }}
--- a/mistral/templates/deployment-api.yaml
+++ b/mistral/templates/deployment-api.yaml
@ -93,8 +93,8 @@ spec:
              readOnly: true
            {{- end }}
            - name: mistral-etc
-              mountPath: /etc/mistral/policy.json
-              subPath: policy.json
+              mountPath: /etc/mistral/policy.yaml
+              subPath: policy.yaml
              readOnly: true
 {{ if $mounts_mistral_api.volumeMounts }}{{ toYaml $mounts_mistral_api.volumeMounts | indent 12 }}{{ end }}
      volumes:
--- a/mistral/values.yaml
+++ b/mistral/values.yaml
@ -468,6 +468,8 @@ conf:
      auth_type: password
      auth_version: v3
      memcache_security_strategy: ENCRYPT
+    oslo_policy:
+      policy_file: /etc/mistral/policy.yaml
  logging:
    loggers:
      keys:
--- a/neutron/Chart.yaml
+++ b/neutron/Chart.yaml
@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Neutron
 name: neutron
-version: 0.2.1
+version: 0.2.2
 home: https://docs.openstack.org/neutron/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Neutron/OpenStack_Project_Neutron_vertical.png
 sources:
--- a/neutron/templates/configmap-etc.yaml
+++ b/neutron/templates/configmap-etc.yaml
@ -251,7 +251,7 @@ type: Opaque
 data:
  rally_tests.yaml: {{ toYaml $envAll.Values.conf.rally_tests.tests | b64enc }}
  api-paste.ini: {{ include "helm-toolkit.utils.to_ini" $envAll.Values.conf.paste | b64enc }}
-  policy.json: {{ toJson $envAll.Values.conf.policy | b64enc }}
+  policy.yaml: {{ toYaml $envAll.Values.conf.policy | b64enc }}
  neutron.conf: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.neutron | b64enc }}
  logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
  api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
--- a/neutron/templates/deployment-server.yaml
+++ b/neutron/templates/deployment-server.yaml
@ -234,8 +234,8 @@ spec:
              subPath: api-paste.ini
              readOnly: true
            - name: neutron-etc
-              mountPath: /etc/neutron/policy.json
-              subPath: policy.json
+              mountPath: /etc/neutron/policy.yaml
+              subPath: policy.yaml
              readOnly: true
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal "path" "/etc/neutron/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@ -1906,6 +1906,8 @@ conf:
      rabbit_ha_queues: true
    oslo_middleware:
      enable_proxy_headers_parsing: true
+    oslo_policy:
+      policy_file: /etc/neutron/policy.yaml
    nova:
      auth_type: password
      auth_version: v3
--- a/releasenotes/notes/aodh.yaml
+++ b/releasenotes/notes/aodh.yaml
@ -3,3 +3,4 @@ aodh:
  - 0.1.0 Initial Chart
  - 0.1.1 Change helm-toolkit dependency version to ">= 0.1.0"
  - 0.2.0 Remove support for releases before T
+  - 0.2.1 Use policies in yaml format
--- a/releasenotes/notes/barbican.yaml
+++ b/releasenotes/notes/barbican.yaml
@ -4,3 +4,4 @@ barbican:
  - 0.1.1 Change helm-toolkit dependency version to ">= 0.1.0"
  - 0.1.2 Added post-install and post-upgrade helm hook for Jobs
  - 0.2.0 Remove support for releases before T
+  - 0.2.1 Use policies in yaml format
--- a/releasenotes/notes/ceilometer.yaml
+++ b/releasenotes/notes/ceilometer.yaml
@ -3,3 +3,4 @@ ceilometer:
  - 0.1.0 Initial Chart
  - 0.1.1 Change helm-toolkit dependency version to ">= 0.1.0"
  - 0.2.0 Remove support for releases before T
+  - 0.2.1 Use policies in yaml format
--- a/releasenotes/notes/designate.yaml
+++ b/releasenotes/notes/designate.yaml
@ -4,3 +4,4 @@ designate:
  - 0.1.1 Change helm-toolkit dependency version to ">= 0.1.0"
  - 0.1.2 Added post-install and post-upgrade helm hooks on Jobs
  - 0.2.0 Remove support for releases before T
+  - 0.2.1 Use policies in yaml format
--- a/releasenotes/notes/glance.yaml
+++ b/releasenotes/notes/glance.yaml
@ -12,3 +12,4 @@ glance:
  - 0.2.0 Remove support for releases before T
  - 0.2.1 Fix the ceph pool creations for openstack services
  - 0.2.2 Adding rabbitmq TLS logic
+  - 0.2.3 Use policies in yaml format
--- a/releasenotes/notes/heat.yaml
+++ b/releasenotes/notes/heat.yaml
@ -8,3 +8,4 @@ heat:
  - 0.1.5 Change Issuer to ClusterIssuer
  - 0.2.0 Remove support for releases before T
  - 0.2.1 Adding rabbitmq TLS logic
+  - 0.2.2 Use policies in yaml format
--- a/releasenotes/notes/horizon.yaml
+++ b/releasenotes/notes/horizon.yaml
@ -11,4 +11,5 @@ horizon:
  - 0.1.8 Implement "CSRF_COOKIE_HTTPONLY" option support in horizon
  - 0.2.0 Remove support for releases before T
  - 0.2.1 Make python script PEP8 compliant
+  - 0.2.2 Use policies in yaml format
 ...
--- a/releasenotes/notes/ironic.yaml
+++ b/releasenotes/notes/ironic.yaml
@ -4,3 +4,4 @@ ironic:
  - 0.1.1 Change helm-toolkit dependency version to ">= 0.1.0"
  - 0.1.2 Added post-install and post-upgrade helm.sh/hook for jobs
  - 0.2.0 Remove support for releases before T
+  - 0.2.1 Use policies in yaml format
--- a/releasenotes/notes/keystone.yaml
+++ b/releasenotes/notes/keystone.yaml
@ -19,4 +19,5 @@ keystone:
  - 0.2.1 Remove paste ini config settings
  - 0.2.2 Make python script PEP8 compliant
  - 0.2.3 Adding rabbitmq TLS logic
+  - 0.2.4 Use policies in yaml format
 ...
--- a/releasenotes/notes/magnum.yaml
+++ b/releasenotes/notes/magnum.yaml
@ -4,3 +4,4 @@ magnum:
  - 0.1.1 Change helm-toolkit dependency version to ">= 0.1.0"
  - 0.1.2 Added post-install and post-upgrade helm hook for jobs
  - 0.2.0 Remove support for releases before T
+  - 0.2.1 Use policies in yaml format
--- a/releasenotes/notes/mistral.yaml
+++ b/releasenotes/notes/mistral.yaml
@ -4,3 +4,4 @@ mistral:
  - 0.1.1 Change helm-toolkit dependency version to ">= 0.1.0"
  - 0.1.2 Added post-install and post-upgrade hook for Jobs
  - 0.2.0 Remove support for releases before T
+  - 0.2.1 Use policies in yaml format
--- a/releasenotes/notes/neutron.yaml
+++ b/releasenotes/notes/neutron.yaml
@ -15,3 +15,4 @@ neutron:
  - 0.1.12 Removed "name" parameter from Rally tests
  - 0.2.0 Remove support for releases before T
  - 0.2.1 Adding rabbitmq TLS logic
+  - 0.2.2 Use policies in yaml format
--- a/releasenotes/notes/senlin.yaml
+++ b/releasenotes/notes/senlin.yaml
@ -3,3 +3,4 @@ senlin:
  - 0.1.0 Initial Chart
  - 0.1.1 Change helm-toolkit dependency version to ">= 0.1.0"
  - 0.2.0 Remove support for releases before T
+  - 0.2.1 Use policies in yaml format
--- a/senlin/Chart.yaml
+++ b/senlin/Chart.yaml
@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Senlin
 name: senlin
-version: 0.2.0
+version: 0.2.1
 home: https://docs.openstack.org/senlin/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Senlin/OpenStack_Project_Senlin_vertical.png
 sources:
--- a/senlin/templates/configmap-etc.yaml
+++ b/senlin/templates/configmap-etc.yaml
@ -104,5 +104,5 @@ data:
  senlin.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.senlin | b64enc }}
  logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
  api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
-  policy.json: {{  toJson .Values.conf.policy | b64enc }}
+  policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
 {{- end }}
--- a/senlin/templates/deployment-api.yaml
+++ b/senlin/templates/deployment-api.yaml
@ -103,8 +103,8 @@ spec:
              subPath: api-paste.ini
              readOnly: true
            - name: senlin-etc
-              mountPath: /etc/senlin/policy.json
-              subPath: policy.json
+              mountPath: /etc/senlin/policy.yaml
+              subPath: policy.yaml
              readOnly: true
 {{ if $mounts_senlin_api.volumeMounts }}{{ toYaml $mounts_senlin_api.volumeMounts | indent 12 }}{{ end }}
      volumes:
--- a/senlin/templates/deployment-engine.yaml
+++ b/senlin/templates/deployment-engine.yaml
@ -78,8 +78,8 @@ spec:
              readOnly: true
            {{- end }}
            - name: senlin-etc
-              mountPath: /etc/senlin/policy.json
-              subPath: policy.json
+              mountPath: /etc/senlin/policy.yaml
+              subPath: policy.yaml
              readOnly: true
 {{ if $mounts_senlin_engine.volumeMounts }}{{ toYaml $mounts_senlin_engine.volumeMounts | indent 12 }}{{ end }}
      volumes:
--- a/senlin/values.yaml
+++ b/senlin/values.yaml
@ -179,6 +179,8 @@ conf:
      # NOTE(portdirect): the bind port should not be defined, and is manipulated
      # via the endpoints section.
      bind_port: null
+    oslo_policy:
+      policy_file: /etc/senlin/policy.yaml
  logging:
    loggers:
      keys: