Policyd override implementation

This patchset implements policy overrides for octavia.  It uses the
code in charmhelpers.

Change-Id: Ia46e7aa885f6fadfe45cd8ea1db76400a5f6c34e
Closed-Bug: #1741723

src/README.md

@@ -105,6 +105,48 @@ The UUID of the Nova flavor you want to use must be set with the
 | `Amphora` Security Group  | charm-octavia        | Security group for Amphora ports                          |
 | Controller Security Group | charm-octavia-health | Security group for Controller ports                       |
 
+# Policy Overrides
+
+This feature allows for policy overrides using the `policy.d` directory.  This
+is an **advanced** feature and the policies that the OpenStack service supports
+should be clearly understood before trying to override, or
+add to, the default policies that the service uses.  The charm also has some
+policy defaults.  They should also be understood before being overridden.
+
+> **Caution**: It is possible to break the system (for tenants and other
+  services) if policies are incorrectly applied to the service.
+
+Policy overrides are YAML files that contain rules that will add to, or
+override, existing policy rules in the service.  The `policy.d` directory is
+a place to put the YAML override files.  This charm owns the
+`/etc/octavia/policy.d` directory, and as such, any manual changes to it will
+be overwritten on charm upgrades.
+
+Overrides are provided to the charm using a Juju resource called
+`policyd-override`.  The resource is a ZIP file.  This file, say
+`overrides.zip`, is attached to the charm by:
+
+    juju attach-resource octavia policyd-override=overrides.zip
+
+The policy override is enabled in the charm using:
+
+    juju config octavia use-policyd-override=true
+
+When `use-policyd-override` is `True` the status line of the charm will be
+prefixed with `PO:` indicating that policies have been overridden.  If the
+installation of the policy override YAML files failed for any reason then the
+status line will be prefixed with `PO (broken):`.  The log file for the charm
+will indicate the reason.  No policy override files are installed if the `PO
+(broken):` is shown.  The status line indicates that the overrides are broken,
+not that the policy for the service has failed. The policy will be the defaults
+for the charm and service.
+
+Policy overrides on one service may affect the functionality of another
+service. Therefore, it may be necessary to provide policy overrides for
+multiple service charms to achieve a consistent set of policies across the
+OpenStack system.  The charms for the other services that may need overrides
+should be checked to ensure that they support overrides before proceeding.
+
 # Bugs
 
 Please report bugs on [Launchpad](https://bugs.launchpad.net/charm-octavia/+filebug).

src/config.yaml

@@ -120,3 +120,11 @@ options:
       time for new load balancers.
       .
       The default behaviour is to not maintain any spare servers.
+  use-policyd-override:
+    type: boolean
+    default: False
+    description: |
+      If True then use the resource file named 'policyd-override' to install
+      override YAML files in the service's policy.d directory.  The resource
+      file should be a ZIP file containing at least one yaml file with a .yaml
+      or .yml extension.  If False then remove the overrides.

src/lib/charm/openstack/octavia.py

@@ -21,6 +21,7 @@ import subprocess
 import charms_openstack.charm
 import charms_openstack.adapters
 import charms_openstack.ip as os_ip
+import charms_openstack.plugins as ch_plugins
 
 import charms.leadership as leadership
 import charms.reactive as reactive
@@ -53,7 +54,10 @@ OCTAVIA_ROLES = [
     'load-balancer_admin',
 ]
 
-charms_openstack.charm.use_defaults('charm.default-select-release')
+# config.changed is needed to get the policyd override clean-up to work when
+# setting use-policyd-override=false
+charms_openstack.charm.use_defaults('charm.default-select-release',
+                                    'config.changed')
 
 
 @charms_openstack.adapters.config_property
@@ -300,7 +304,9 @@ def spare_amphora_pool_size(cls):
     return ch_core.hookenv.config('spare-pool-size')
 
 
-class OctaviaCharm(charms_openstack.charm.HAOpenStackCharm):
+# note plugin comes first to override the config_changed method as a mixin
+class OctaviaCharm(ch_plugins.PolicydOverridePlugin,
+                   charms_openstack.charm.HAOpenStackCharm):
     """Charm class for the Octavia charm."""
     # layer-openstack-api uses service_type as service name in endpoint catalog
     name = service_type = 'octavia'
@@ -336,6 +342,10 @@ class OctaviaCharm(charms_openstack.charm.HAOpenStackCharm):
     }
     group = 'octavia'
 
+    # policyd override constants
+    policyd_service_name = 'octavia'
+    policyd_restart_on_change = True
+
     def install(self):
         """Custom install function.
 

src/metadata.yaml

@@ -28,3 +28,8 @@ requires:
   neutron-openvswitch:
     interface: neutron-plugin
     scope: container
+resources:
+  policyd-override:
+    type: file
+    filename: policyd-override.zip
+    description: The policy.d overrides file

src/tests/tests.yaml

@@ -38,3 +38,7 @@ tests:
 - zaza.openstack.charm_tests.neutron_openvswitch.tests.NeutronOpenvSwitchOverlayTest
 - zaza.openstack.charm_tests.octavia.tests.LBAASv2Test
 - zaza.openstack.charm_tests.octavia.tests.CharmOperationTest
+- zaza.openstack.charm_tests.policyd.tests.OctaviaTests
+tests_options:
+  policyd:
+    service: octavia