From 6cc58e8ac46ec0d4a0b3208b05eaccb289905e31 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Mon, 27 Dec 2021 15:42:57 +0900
Subject: [PATCH] Enable policy rule management in nova-compute

There are some features in nova-compute which validate policy rules. For example when connecting an instance to an external network, nova-compute checks ``network:attach_external_network`` to determine whether the operation is permitted. This change makes sure that the nova policy file in compute nodes are also managed by puppet-tripleo.

Partial-Bug: #1955786
Change-Id: I490cc558238719d4c9585e2a57497d1b1787a9ed
---
 manifests/profile/base/nova/compute.pp | 5 +++++
 spec/classes/tripleo_profile_base_nova_compute_spec.rb | 4 ++++
 2 files changed, 9 insertions(+)
diff --git a/manifests/profile/base/nova/compute.pp b/manifests/profile/base/nova/compute.pp
index 551266076..66806796e 100644
--- a/manifests/profile/base/nova/compute.pp
+++ b/manifests/profile/base/nova/compute.pp
@@ -46,6 +46,11 @@ class tripleo::profile::base::nova::compute (
 include nova::key_manager
 include nova::key_manager::barbican
+ # NOTE(tkajinam): Policies are used in some features in nova-compute,
+ # For example when connecting an instance to an external
+ # network
+ include nova::policy
+
 # deploy basic bits for nova-compute
 include nova::compute
diff --git a/spec/classes/tripleo_profile_base_nova_compute_spec.rb b/spec/classes/tripleo_profile_base_nova_compute_spec.rb
index c753f10be..840477fc8 100644
--- a/spec/classes/tripleo_profile_base_nova_compute_spec.rb
+++ b/spec/classes/tripleo_profile_base_nova_compute_spec.rb
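Review bot: The comment added above `include nova::policy` in manifests/profile/base/nova/compute.pp does not name the rule it refers to, although the commit message does; wording such as `# NOTE(tkajinam): nova-compute evaluates some policy rules itself, for example` followed by `# network:attach_external_network when attaching an instance to an external network.` would let a reader find the check. Because that rule is evaluated on the compute node, the policy data applied there should match what the API nodes use, otherwise the two services could decide the same request differently. Where compute nodes get their `nova::policy` data is not visible in this hunk, so it is worth confirming that the compute role receives the same overrides. The enclosing class starts and ends outside the hunk.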
@@ -32,6 +32,7 @@ describe 'tripleo::profile::base::nova::compute' do
 is_expected.to_not contain_class('nova::vendordata')
 is_expected.to_not contain_class('nova::key_manager')
 is_expected.to_not contain_class('nova::key_manager::barbican')
+ is_expected.to_not contain_class('nova::policy')
 is_expected.to_not contain_class('nova::compute')
 is_expected.to_not contain_class('nova::network::neutron')
 }
@@ -63,6 +64,7 @@ eos
 is_expected.to contain_class('nova::vendordata')
 is_expected.to contain_class('nova::key_manager')
 is_expected.to contain_class('nova::key_manager::barbican')
+ is_expected.to contain_class('nova::policy')
 is_expected.to contain_class('nova::compute')
 is_expected.to contain_class('nova::network::neutron')
 is_expected.to_not contain_package('nfs-utils')
@@ -79,6 +81,7 @@ eos
 is_expected.to contain_class('nova::vendordata')
 is_expected.to contain_class('nova::key_manager')
 is_expected.to contain_class('nova::key_manager::barbican')
+ is_expected.to contain_class('nova::policy')
 is_expected.to contain_class('nova::compute')
 is_expected.to contain_class('nova::network::neutron')
 is_expected.to contain_package('nfs-utils')
@@ -95,6 +98,7 @@ eos
 is_expected.to contain_class('nova::vendordata')
 is_expected.to contain_class('nova::key_manager')
 is_expected.to contain_class('nova::key_manager::barbican')
+ is_expected.to contain_class('nova::policy')
 is_expected.to contain_class('nova::compute')
 is_expected.to contain_class('nova::network::neutron')
 is_expected.to contain_package('nfs-utils')