Enable policy rule management in nova-compute

There are some features in nova-compute which validate policy rules.
For example when connecting an instance to an external network,
nova-compute checks ``network:attach_external_network`` to determine
whether the operation is permitted.

This change makes sure that the nova policy file on compute nodes is
also managed by puppet-tripleo.

Partial-Bug: #1955786
Change-Id: I490cc558238719d4c9585e2a57497d1b1787a9ed
Takashi Kajinami 2021-12-27 15:42:57 +09:00
parent 1e61d0bf27
commit 6cc58e8ac4
2 changed files with 9 additions and 0 deletions


@ -46,6 +46,11 @@ class tripleo::profile::base::nova::compute (
include nova::key_manager include nova::key_manager
include nova::key_manager::barbican include nova::key_manager::barbican
# NOTE(tkajinam): Policies are used in some features in nova-compute,
# For example when connecting an instance to an external
# network
include nova::policy
# deploy basic bits for nova-compute # deploy basic bits for nova-compute
include nova::compute include nova::compute
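Review bot: The added `include nova::policy` takes all of its parameters from hiera, and nothing in this hunk shows that the compute role receives the same `nova::policy::policies` data as the API role. If an operator's override for a rule such as `network:attach_external_network` is only present in the API service's hieradata, nova-compute would fall back to the default rule and the two services could disagree on whether the operation is permitted. I would extend the NOTE to say so, e.g. `# The policy data applied here must match what nova-api uses.`, and confirm the matching hieradata change lands with the rest of this Partial-Bug. The class body continues outside the hunk.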


@ -32,6 +32,7 @@ describe 'tripleo::profile::base::nova::compute' do
is_expected.to_not contain_class('nova::vendordata') is_expected.to_not contain_class('nova::vendordata')
is_expected.to_not contain_class('nova::key_manager') is_expected.to_not contain_class('nova::key_manager')
is_expected.to_not contain_class('nova::key_manager::barbican') is_expected.to_not contain_class('nova::key_manager::barbican')
is_expected.to_not contain_class('nova::policy')
is_expected.to_not contain_class('nova::compute') is_expected.to_not contain_class('nova::compute')
is_expected.to_not contain_class('nova::network::neutron') is_expected.to_not contain_class('nova::network::neutron')
} }
@ -63,6 +64,7 @@ eos
is_expected.to contain_class('nova::vendordata') is_expected.to contain_class('nova::vendordata')
is_expected.to contain_class('nova::key_manager') is_expected.to contain_class('nova::key_manager')
is_expected.to contain_class('nova::key_manager::barbican') is_expected.to contain_class('nova::key_manager::barbican')
is_expected.to contain_class('nova::policy')
is_expected.to contain_class('nova::compute') is_expected.to contain_class('nova::compute')
is_expected.to contain_class('nova::network::neutron') is_expected.to contain_class('nova::network::neutron')
is_expected.to_not contain_package('nfs-utils') is_expected.to_not contain_package('nfs-utils')
@ -79,6 +81,7 @@ eos
is_expected.to contain_class('nova::vendordata') is_expected.to contain_class('nova::vendordata')
is_expected.to contain_class('nova::key_manager') is_expected.to contain_class('nova::key_manager')
is_expected.to contain_class('nova::key_manager::barbican') is_expected.to contain_class('nova::key_manager::barbican')
is_expected.to contain_class('nova::policy')
is_expected.to contain_class('nova::compute') is_expected.to contain_class('nova::compute')
is_expected.to contain_class('nova::network::neutron') is_expected.to contain_class('nova::network::neutron')
is_expected.to contain_package('nfs-utils') is_expected.to contain_package('nfs-utils')
@ -95,6 +98,7 @@ eos
is_expected.to contain_class('nova::vendordata') is_expected.to contain_class('nova::vendordata')
is_expected.to contain_class('nova::key_manager') is_expected.to contain_class('nova::key_manager')
is_expected.to contain_class('nova::key_manager::barbican') is_expected.to contain_class('nova::key_manager::barbican')
is_expected.to contain_class('nova::policy')
is_expected.to contain_class('nova::compute') is_expected.to contain_class('nova::compute')
is_expected.to contain_class('nova::network::neutron') is_expected.to contain_class('nova::network::neutron')
is_expected.to contain_package('nfs-utils') is_expected.to contain_package('nfs-utils')