From 590cd71893b853f2ccc36a5e3cfe6be9e0702c74 Mon Sep 17 00:00:00 2001
From: Margarita Shakhova
Date: Wed, 1 Dec 2021 14:17:04 -0500
Subject: [PATCH] Add ironic-inspector policy configuration

Fix configuration for ironic role in order to apply custom policies for ironic-inspector API

Closes-Bug: #1952948
Change-Id: Id454c693f570e99ea58d2a6231f01a84b80ca56a
---
 ansible/roles/ironic/tasks/config.yml | 42 +++++++++++++++++--
 .../ironic/templates/ironic-inspector.json.j2 | 8 ++--
 .../notes/bug-1952948-003aabe18144f569.yaml | 6 +++
 3 files changed, 49 insertions(+), 7 deletions(-)
 create mode 100644 releasenotes/notes/bug-1952948-003aabe18144f569.yaml

diff --git a/ansible/roles/ironic/tasks/config.yml b/ansible/roles/ironic/tasks/config.yml
index fc51e4a2b5..fc7b24156d 100644
--- a/ansible/roles/ironic/tasks/config.yml
+++ b/ansible/roles/ironic/tasks/config.yml
@@ -12,7 +12,7 @@
 - item.value.enabled | bool
 with_dict: "{{ ironic_services }}"
 
-- name: Check if policies shall be overwritten
+- name: Check if Ironic policies shall be overwritten
 stat:
 path: "{{ item }}"
 delegate_to: localhost
@@ -24,6 +24,18 @@
 - "{{ node_custom_config }}/ironic/"
 skip: true
 
+- name: Check if Ironic Inspector policies shall be overwritten
+ stat:
+ path: "{{ item }}"
+ delegate_to: localhost
+ run_once: True
+ register: ironic_inspector_policy
+ with_first_found:
+ - files: "{{ supported_policy_format_list }}"
+ paths:
+ - "{{ node_custom_config }}/ironic/inspector/"
+ skip: true
+
 - name: Set ironic policy file
 set_fact:
 ironic_policy_file: "{{ ironic_policy.results.0.stat.path | basename }}"
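Review bot: The lookup directory `{{ node_custom_config }}/ironic/inspector/` introduced in the `@@ -24,6 +24,18 @@` hunk is a new operator-facing contract that nothing in the task states. After this patch a policy file left only in `{{ node_custom_config }}/ironic/` no longer reaches the ironic-inspector container, so inspector would presumably run with its default rules. A comment above the task would make this discoverable, for example `# Inspector policy is read only from <node_custom_config>/ironic/inspector/; ironic/ holds the Ironic API policy.`. The release note added by this patch does not name the directory either, so an operator cannot tell where to place the file without reading the role.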
@@ -31,6 +43,13 @@
 when:
 - ironic_policy.results
 
+- name: Set ironic-inspector policy file
+ set_fact:
+ ironic_inspector_policy_file: "{{ ironic_inspector_policy.results.0.stat.path | basename }}"
+ ironic_inspector_policy_file_path: "{{ ironic_inspector_policy.results.0.stat.path }}"
+ when:
+ - ironic_inspector_policy.results
+
 - include_tasks: copy-certs.yml
 when:
 - kolla_copy_ca_into_containers | bool or ironic_enable_tls_backend | bool
@@ -224,12 +243,11 @@
 notify:
 - Restart ironic-ipxe container
 
-- name: Copying over existing policy file
+- name: Copying over existing Ironic policy file
 vars:
 services_require_policy_json:
 - ironic-api
 - ironic-conductor
- - ironic-inspector
 template:
 src: "{{ ironic_policy_file_path }}"
 dest: "{{ node_config_directory }}/{{ item.key }}/{{ ironic_policy_file }}"
@@ -244,6 +262,24 @@
 notify:
 - "Restart {{ item.key }} container"
 
+- name: Copying over existing Ironic Inspector policy file
+ vars:
+ services_require_inspector_policy_json:
+ - ironic-inspector
+ template:
+ src: "{{ ironic_inspector_policy_file_path }}"
+ dest: "{{ node_config_directory }}/{{ item.key }}/{{ ironic_inspector_policy_file }}"
+ mode: "0660"
+ become: true
+ when:
+ - ironic_inspector_policy_file is defined
+ - item.key in services_require_inspector_policy_json
+ - inventory_hostname in groups[item.value.group]
+ - item.value.enabled | bool
+ with_dict: "{{ ironic_services }}"
+ notify:
+ - "Restart {{ item.key }} container"
+
 - name: Copying over ironic-api-wsgi.conf
 template:
 src: "ironic-api-wsgi.conf.j2"
diff --git a/ansible/roles/ironic/templates/ironic-inspector.json.j2 b/ansible/roles/ironic/templates/ironic-inspector.json.j2
index d82d506d3d..6047e14c3d 100644
--- a/ansible/roles/ironic/templates/ironic-inspector.json.j2
+++ b/ansible/roles/ironic/templates/ironic-inspector.json.j2
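Review bot: The new copy task in the `@@ -244,6 +262,24 @@` hunk of config.yml writes the inspector policy to the host with `mode: "0660"`, while the same file is installed inside the container with `"perm": "0600"`. This file holds the authorization rules for the ironic-inspector API, so group write access on the host copy would let any member of that group change who may call the API once the container picks the file up again. If the mode only follows the role's convention (the existing Ironic policy task's mode line is outside the hunk), please confirm that the group owning `{{ node_config_directory }}` is limited to the deployment account; otherwise `mode: "0640"` may be enough for a file the service only reads. The task also renders the operator's file through `template:`, so Jinja2 delimiters inside a policy are evaluated rather than copied verbatim, and a short comment saying this is intended would help.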
@@ -6,11 +6,11 @@
 "dest": "/etc/ironic-inspector/inspector.conf",
 "owner": "ironic-inspector",
 "perm": "0600"
- }{% if ironic_policy_file is defined %},
+ }{% if ironic_inspector_policy_file is defined %},
 {
- "source": "{{ container_config_directory }}/{{ ironic_policy_file }}",
- "dest": "/etc/ironic/{{ ironic_policy_file }}",
- "owner": "ironic",
+ "source": "{{ container_config_directory }}/{{ ironic_inspector_policy_file }}",
+ "dest": "/etc/ironic-inspector/{{ ironic_inspector_policy_file }}",
+ "owner": "ironic-inspector",
 "perm": "0600"
 }{% endif %}
 ]
diff --git a/releasenotes/notes/bug-1952948-003aabe18144f569.yaml b/releasenotes/notes/bug-1952948-003aabe18144f569.yaml
new file mode 100644
index 0000000000..9c6ffc7f22
--- /dev/null
+++ b/releasenotes/notes/bug-1952948-003aabe18144f569.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ Ironic API and Ironic Inspector API use separate policy files. Ironic role
+ was updated to be able to handle both policies separately.
+ `LP#1952948 `__
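Review bot: Installing the file at `/etc/ironic-inspector/{{ ironic_inspector_policy_file }}` in the `@@ -6,11 +6,11 @@` hunk of ironic-inspector.json.j2 only has an effect if ironic-inspector is told to load that file name. The diffstat shows that no template for `inspector.conf` is changed by this patch. Please confirm that the rendered `inspector.conf` sets `policy_file = {{ ironic_inspector_policy_file }}` under `[oslo_policy]`, guarded by the same `ironic_inspector_policy_file is defined` condition. If it still keys on `ironic_policy_file`, or sets nothing, a custom file whose name differs from the oslo.policy default would be silently ignored and the default rules would stay in force. The JSON array this entry belongs to starts outside the hunk.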