Policyd override implementation
This patchset implements policy overrides for octavia. It uses the code in charmhelpers.

Change-Id: Ia46e7aa885f6fadfe45cd8ea1db76400a5f6c34e
Closed-Bug: #1741723
parent 0b31603894
commit 5e3e942cd8
|
@ -105,6 +105,48 @@ The UUID of the Nova flavor you want to use must be set with the
|
|||
| `Amphora` Security Group | charm-octavia | Security group for Amphora ports |
|
||||
| Controller Security Group | charm-octavia-health | Security group for Controller ports |
|
||||
|
||||
# Policy Overrides
|
||||
|
||||
This feature allows for policy overrides using the `policy.d` directory. This
|
||||
is an **advanced** feature and the policies that the OpenStack service supports
|
||||
should be clearly understood before trying to override, or
|
||||
add to, the default policies that the service uses. The charm also has some
|
||||
policy defaults. They should also be understood before being overridden.
|
||||
|
||||
> **Caution**: It is possible to break the system (for tenants and other
|
||||
services) if policies are incorrectly applied to the service.
|
||||
|
||||
Policy overrides are YAML files that contain rules that will add to, or
|
||||
override, existing policy rules in the service. The `policy.d` directory is
|
||||
a place to put the YAML override files. This charm owns the
|
||||
`/etc/octavia/policy.d` directory, and as such, any manual changes to it will
|
||||
be overwritten on charm upgrades.
|
||||
|
||||
Overrides are provided to the charm using a Juju resource called
|
||||
`policyd-override`. The resource is a ZIP file. This file, say
|
||||
`overrides.zip`, is attached to the charm by:
|
||||
|
||||
juju attach-resource octavia policyd-override=overrides.zip
|
||||
|
||||
The policy override is enabled in the charm using:
|
||||
|
||||
juju config octavia use-policyd-override=true
|
||||
|
||||
When `use-policyd-override` is `True` the status line of the charm will be
|
||||
prefixed with `PO:` indicating that policies have been overridden. If the
|
||||
installation of the policy override YAML files failed for any reason then the
|
||||
status line will be prefixed with `PO (broken):`. The log file for the charm
|
||||
will indicate the reason. No policy override files are installed if the `PO
|
||||
(broken):` is shown. The status line indicates that the overrides are broken,
|
||||
not that the policy for the service has failed. The policy will be the defaults
|
||||
for the charm and service.
|
||||
|
||||
Policy overrides on one service may affect the functionality of another
|
||||
service. Therefore, it may be necessary to provide policy overrides for
|
||||
multiple service charms to achieve a consistent set of policies across the
|
||||
OpenStack system. The charms for the other services that may need overrides
|
||||
should be checked to ensure that they support overrides before proceeding.
|
||||
|
||||
# Bugs
|
||||
|
||||
Please report bugs on [Launchpad](https://bugs.launchpad.net/charm-octavia/+filebug).
|
||||
|
|
|
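Review bot: The new Policy Overrides section documents attaching the resource and enabling the option, but not how to turn the feature off or what an override file looks like. The config.yaml hunk in this same change says that setting the option to False removes the overrides; state that here alongside the matching `juju config octavia use-policyd-override=false` command, and add a short sample of an override YAML file so operators can see what belongs inside `overrides.zip`. The text also writes the value as `True` while the command uses `true`; one spelling throughout would be clearer.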
@ -120,3 +120,11 @@ options:
|
|||
time for new load balancers.
|
||||
.
|
||||
The default behaviour is to not maintain any spare servers.
|
||||
use-policyd-override:
|
||||
type: boolean
|
||||
default: False
|
||||
description: |
|
||||
If True then use the resource file named 'policyd-override' to install
|
||||
override YAML files in the service's policy.d directory. The resource
|
||||
file should be a ZIP file containing at least one yaml file with a .yaml
|
||||
or .yml extension. If False then remove the overrides.
|
||||
|
|
|
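Review bot: The `use-policyd-override` description does not say what happens when the option is True and the resource is missing or invalid. The README hunk in this change says the status line is then prefixed with `PO (broken):` and that no override files are installed; a sentence to that effect here would make the failure mode visible from the option help alone. It would also help to say whether files in the ZIP without a .yaml or .yml extension are ignored or cause the whole override to be rejected.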
@ -21,6 +21,7 @@ import subprocess
|
|||
import charms_openstack.charm
|
||||
import charms_openstack.adapters
|
||||
import charms_openstack.ip as os_ip
|
||||
import charms_openstack.plugins as ch_plugins
|
||||
|
||||
import charms.leadership as leadership
|
||||
import charms.reactive as reactive
|
||||
|
@ -53,7 +54,10 @@ OCTAVIA_ROLES = [
|
|||
'load-balancer_admin',
|
||||
]
|
||||
|
||||
charms_openstack.charm.use_defaults('charm.default-select-release')
|
||||
# config.changed is needed to get the policyd override clean-up to work when
|
||||
# setting use-policyd-override=false
|
||||
charms_openstack.charm.use_defaults('charm.default-select-release',
|
||||
'config.changed')
|
||||
|
||||
|
||||
@charms_openstack.adapters.config_property
|
||||
|
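Review bot: Adding 'config.changed' to the `use_defaults` call registers the default handler for every configuration change, not only for `use-policyd-override`, while the comment above it mentions only the override clean-up. Please confirm that this does not duplicate or conflict with anything the charm already does on configuration changes, and extend the comment to say what the default handler does beyond the clean-up.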
@ -300,7 +304,9 @@ def spare_amphora_pool_size(cls):
|
|||
return ch_core.hookenv.config('spare-pool-size')
|
||||
|
||||
|
||||
class OctaviaCharm(charms_openstack.charm.HAOpenStackCharm):
|
||||
# note plugin comes first to override the config_changed method as a mixin
|
||||
class OctaviaCharm(ch_plugins.PolicydOverridePlugin,
|
||||
charms_openstack.charm.HAOpenStackCharm):
|
||||
"""Charm class for the Octavia charm."""
|
||||
# layer-openstack-api uses service_type as service name in endpoint catalog
|
||||
name = service_type = 'octavia'
|
||||
|
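Review bot: The new class statement depends on `ch_plugins.PolicydOverridePlugin` being listed before `charms_openstack.charm.HAOpenStackCharm`, and only the comment above it records that requirement. A unit test asserting that `OctaviaCharm.config_changed` resolves to the plugin's method would catch a later reordering of the bases. As a style point, the comment would read better as a full sentence placed in the class docstring, where it stays attached to the class.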
@ -336,6 +342,10 @@ class OctaviaCharm(charms_openstack.charm.HAOpenStackCharm):
|
|||
}
|
||||
group = 'octavia'
|
||||
|
||||
# policyd override constants
|
||||
policyd_service_name = 'octavia'
|
||||
policyd_restart_on_change = True
|
||||
|
||||
def install(self):
|
||||
"""Custom install function.
|
||||
|
||||
|
|
|
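Review bot: `policyd_restart_on_change = True` has no explanation beyond the heading comment "policyd override constants". If it means the Octavia services are restarted whenever override files are installed or removed, say so in a comment on that line and in the README's Policy Overrides section, since operators should know to expect a restart when they attach the resource or toggle the option.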
@ -28,3 +28,8 @@ requires:
|
|||
neutron-openvswitch:
|
||||
interface: neutron-plugin
|
||||
scope: container
|
||||
resources:
|
||||
policyd-override:
|
||||
type: file
|
||||
filename: policyd-override.zip
|
||||
description: The policy.d overrides file
|
||||
|
|
|
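Review bot: The resource description "The policy.d overrides file" does not say that the file must be a ZIP of YAML files, which the config.yaml and README hunks both state. Something like "ZIP file containing policy.d override YAML files" would be more useful in the resource listing. The README example attaches `overrides.zip` while `filename` here is `policyd-override.zip`, so it is worth stating in one of the two places whether the local file name has to match.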
@ -38,3 +38,7 @@ tests:
|
|||
- zaza.openstack.charm_tests.neutron_openvswitch.tests.NeutronOpenvSwitchOverlayTest
|
||||
- zaza.openstack.charm_tests.octavia.tests.LBAASv2Test
|
||||
- zaza.openstack.charm_tests.octavia.tests.CharmOperationTest
|
||||
- zaza.openstack.charm_tests.policyd.tests.OctaviaTests
|
||||
tests_options:
|
||||
policyd:
|
||||
service: octavia
|
||||
|
|
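Review bot: `zaza.openstack.charm_tests.policyd.tests.OctaviaTests` is the only test coverage added, and `tests_options` passes it just `service: octavia`. None of the visible hunks adds a unit test for the new `policyd_service_name` and `policyd_restart_on_change` attributes or for the plugin ordering in the class bases; consider adding one, and confirm that the functional test exercises both enabling and disabling the override.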