Support policy.yaml file [part 7]

- Vitrage - Watcher - Zun This will copy only yaml or json policy file if they exist. Change-Id: I913b3b067237cc4694894cc00bcc363127dd3806 Implements: blueprint support-custom-policy-yaml Co-authored-By: Duong Ha-Quang <duonghq@vn.fujitsu.com>
2018-01-08 17:36:42 +07:00 · 2018-01-08 17:36:42 +07:00 · de54518b34
commit de54518b34
parent 49360f0c35
19 changed files with 151 additions and 109 deletions
--- a/ansible/roles/vitrage/handlers/main.yml
+++ b/ansible/roles/vitrage/handlers/main.yml
@ -5,7 +5,7 @@
    service: "{{ vitrage_services[service_name] }}"
    config_json: "{{ vitrage_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
    vitrage_conf: "{{ vitrage_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    policy_json: "{{ vitrage_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
+    policy_overwriting: "{{ vitrage_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
    vitrage_api_container: "{{ check_vitrage_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
  kolla_docker:
    action: "recreate_or_restart_container"
@ -19,7 +19,7 @@
    - service.enabled | bool
    - config_json.changed | bool
      or vitrage_conf.changed | bool
-      or policy_json.changed | bool
+      or policy_overwriting.changed | bool
      or vitrage_api_container.changed | bool
 - name: Restart vitrage-collector container
@ -28,7 +28,7 @@
    service: "{{ vitrage_services[service_name] }}"
    config_json: "{{ vitrage_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
    vitrage_conf: "{{ vitrage_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    policy_json: "{{ vitrage_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
+    policy_overwriting: "{{ vitrage_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
    vitrage_collector_container: "{{ check_vitrage_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
  kolla_docker:
    action: "recreate_or_restart_container"
@ -42,7 +42,7 @@
    - service.enabled | bool
    - config_json.changed | bool
      or vitrage_conf.changed | bool
-      or policy_json.changed | bool
+      or policy_overwriting.changed | bool
      or vitrage_collector_container.changed | bool
 - name: Restart vitrage-notifier container
@ -51,7 +51,7 @@
    service: "{{ vitrage_services[service_name] }}"
    config_json: "{{ vitrage_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
    vitrage_conf: "{{ vitrage_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    policy_json: "{{ vitrage_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
+    policy_overwriting: "{{ vitrage_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
    vitrage_notifier_container: "{{ check_vitrage_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
  kolla_docker:
    action: "recreate_or_restart_container"
@ -65,7 +65,7 @@
    - service.enabled | bool
    - config_json.changed | bool
      or vitrage_conf.changed | bool
-      or policy_json.changed | bool
+      or policy_overwriting.changed | bool
      or vitrage_notifier_container.changed | bool
 - name: Restart vitrage-graph container
@ -74,7 +74,7 @@
    service: "{{ vitrage_services[service_name] }}"
    config_json: "{{ vitrage_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
    vitrage_conf: "{{ vitrage_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    policy_json: "{{ vitrage_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
+    policy_overwriting: "{{ vitrage_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
    vitrage_graph_container: "{{ check_vitrage_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
  kolla_docker:
    action: "recreate_or_restart_container"
@ -88,7 +88,7 @@
    - service.enabled | bool
    - config_json.changed | bool
      or vitrage_conf.changed | bool
-      or policy_json.changed | bool
+      or policy_overwriting.changed | bool
      or vitrage_graph_container.changed | bool
 - name: Restart vitrage-ml container
@ -97,7 +97,7 @@
    service: "{{ vitrage_services[service_name] }}"
    config_json: "{{ vitrage_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
    vitrage_conf: "{{ vitrage_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    policy_json: "{{ vitrage_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
+    policy_overwriting: "{{ vitrage_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
    vitrage_ml_container: "{{ check_vitrage_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
  kolla_docker:
    action: "recreate_or_restart_container"
@ -111,5 +111,5 @@
    - service.enabled | bool
    - config_json.changed | bool
      or vitrage_conf.changed | bool
-      or policy_json.changed | bool
+      or policy_overwriting.changed | bool
      or vitrage_ml_container.changed | bool
--- a/ansible/roles/vitrage/tasks/config.yml
+++ b/ansible/roles/vitrage/tasks/config.yml
@ -9,6 +9,23 @@
    - item.value.enabled | bool
  with_dict: "{{ vitrage_services }}"
 - name: Check if policies shall be overwritten
  local_action: stat path="{{ item }}"
  run_once: True
  register: vitrage_policy
  with_first_found:
    - files: "{{ supported_policy_format_list }}"
      paths:
        - "{{ node_custom_config }}/vitrage/"
      skip: true
 - name: Set vitrage policy file
  set_fact:
    vitrage_policy_file: "{{ vitrage_policy.results.0.stat.path | basename }}"
    vitrage_policy_file_path: "{{ vitrage_policy.results.0.stat.path }}"
  when:
    - vitrage_policy.results
 - name: Copying over config.json files for services
  template:
    src: "{{ item.key }}.json.j2"
@ -58,17 +75,13 @@
  notify:
    - Restart vitrage-api container
- name: Check if policies shall be overwritten
+- name: Copying over existing policy file
  local_action: stat path="{{ node_custom_config }}/vitrage/policy.json"
  register: vitrage_policy
 - name: Copying over existing policy.json
  template:
-    src: "{{ node_custom_config }}/vitrage/policy.json"
+    src: "{{ vitrage_policy_file_path }}"
-    dest: "{{ node_config_directory }}/{{ item.key }}/policy.json"
+    dest: "{{ node_config_directory }}/{{ item.key }}/{{ vitrage_policy_file }}"
-  register: vitrage_policy_jsons
+  register: vitrage_policy_overwriting
  when:
-    - vitrage_policy.stat.exists
+    - vitrage_policy_file is defined
    - inventory_hostname in groups[item.value.group]
    - item.value.enabled | bool
  with_dict: "{{ vitrage_services }}"
--- a/ansible/roles/vitrage/templates/vitrage-api.json.j2
+++ b/ansible/roles/vitrage/templates/vitrage-api.json.j2
@ -15,14 +15,13 @@
            "dest": "/etc/{{ apache_dir }}/{{ apache_file }}",
            "owner": "vitrage",
            "perm": "0644"
-        },
+        }{% if vitrage_policy_file is defined %},
        {
-            "source": "{{ container_config_directory }}/policy.json",
+            "source": "{{ container_config_directory }}/{{ vitrage_policy_file }}",
-            "dest": "/etc/vitrage/policy.json",
+            "dest": "/etc/vitrage/{{ vitrage_policy_file }}",
            "owner": "vitrage",
-            "perm": "0600",
+            "perm": "0600"
-            "optional": true
+        }{% endif %}
        }
    ],
    "permissions": [
        {
--- a/ansible/roles/vitrage/templates/vitrage-collector.json.j2
+++ b/ansible/roles/vitrage/templates/vitrage-collector.json.j2
@ -6,14 +6,13 @@
            "dest": "/etc/vitrage/vitrage.conf",
            "owner": "vitrage",
            "perm": "0644"
-        },
+        }{% if vitrage_policy_file is defined %},
        {
-            "source": "{{ container_config_directory }}/policy.json",
+            "source": "{{ container_config_directory }}/{{ vitrage_policy_file }}",
-            "dest": "/etc/vitrage/policy.json",
+            "dest": "/etc/vitrage/{{ vitrage_policy_file }}",
            "owner": "vitrage",
-            "perm": "0600",
+            "perm": "0600"
-            "optional": true
+        }{% endif %}
        }
    ],
    "permissions": [
        {
--- a/ansible/roles/vitrage/templates/vitrage-graph.json.j2
+++ b/ansible/roles/vitrage/templates/vitrage-graph.json.j2
@ -6,14 +6,13 @@
            "dest": "/etc/vitrage/vitrage.conf",
            "owner": "vitrage",
            "perm": "0644"
-        },
+        }{% if vitrage_policy_file is defined %},
        {
-            "source": "{{ container_config_directory }}/policy.json",
+            "source": "{{ container_config_directory }}/{{ vitrage_policy_file }}",
-            "dest": "/etc/vitrage/policy.json",
+            "dest": "/etc/vitrage/{{ vitrage_policy_file }}",
            "owner": "vitrage",
-            "perm": "0600",
+            "perm": "0600"
-            "optional": true
+        }{% endif %}
        }
    ],
    "permissions": [
        {
--- a/ansible/roles/vitrage/templates/vitrage-ml.json.j2
+++ b/ansible/roles/vitrage/templates/vitrage-ml.json.j2
@ -6,14 +6,13 @@
            "dest": "/etc/vitrage/vitrage.conf",
            "owner": "vitrage",
            "perm": "0644"
-        },
+        }{% if vitrage_policy_file is defined %},
        {
-            "source": "{{ container_config_directory }}/policy.json",
+            "source": "{{ container_config_directory }}/{{ vitrage_policy_file }}",
-            "dest": "/etc/vitrage/policy.json",
+            "dest": "/etc/vitrage/{{ vitrage_policy_file }}",
            "owner": "vitrage",
-            "perm": "0600",
+            "perm": "0600"
-            "optional": true
+        }{% endif %}
        }
    ],
    "permissions": [
        {
--- a/ansible/roles/vitrage/templates/vitrage-notifier.json.j2
+++ b/ansible/roles/vitrage/templates/vitrage-notifier.json.j2
@ -6,14 +6,13 @@
            "dest": "/etc/vitrage/vitrage.conf",
            "owner": "vitrage",
            "perm": "0644"
-        },
+        }{% if vitrage_policy_file is defined %},
        {
-            "source": "{{ container_config_directory }}/policy.json",
+            "source": "{{ container_config_directory }}/{{ vitrage_policy_file }}",
-            "dest": "/etc/vitrage/policy.json",
+            "dest": "/etc/vitrage/{{ vitrage_policy_file }}",
            "owner": "vitrage",
-            "perm": "0600",
+            "perm": "0600"
-            "optional": true
+        }{% endif %}
        }
    ],
    "permissions": [
        {
--- a/ansible/roles/vitrage/templates/vitrage.conf.j2
+++ b/ansible/roles/vitrage/templates/vitrage.conf.j2
@ -61,6 +61,11 @@ driver = messagingv2
 [oslo_concurrency]
 lock_path = /var/lib/vitrage/tmp
 {% if vitrage_policy_file is defined %}
 [oslo_policy]
 policy_file = {{ vitrage_policy_file }}
 {% endif %}
 {% if enable_osprofiler | bool %}
 [profiler]
 enabled = true
--- a/ansible/roles/watcher/handlers/main.yml
+++ b/ansible/roles/watcher/handlers/main.yml
@ -5,7 +5,7 @@
    service: "{{ watcher_services[service_name] }}"
    config_json: "{{ watcher_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
    watcher_conf: "{{ watcher_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    policy_json: "{{ watcher_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
+    policy_overwriting: "{{ watcher_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
    watcher_applier_container: "{{ check_watcher_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
  kolla_docker:
    action: "recreate_or_restart_container"
@ -19,7 +19,7 @@
    - service.enabled | bool
    - config_json.changed | bool
      or watcher_conf.changed | bool
-      or policy_json.changed | bool
+      or policy_overwriting.changed | bool
      or watcher_applier_container.changed | bool
 - name: Restart watcher-engine container
@ -28,7 +28,7 @@
    service: "{{ watcher_services[service_name] }}"
    config_json: "{{ watcher_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
    watcher_conf: "{{ watcher_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    policy_json: "{{ watcher_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
+    policy_overwriting: "{{ watcher_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
    watcher_engine_container: "{{ check_watcher_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
  kolla_docker:
    action: "recreate_or_restart_container"
@ -42,7 +42,7 @@
    - service.enabled | bool
    - config_json.changed | bool
      or watcher_conf.changed | bool
-      or policy_json.changed | bool
+      or policy_overwriting.changed | bool
      or watcher_engine_container.changed | bool
 - name: Restart watcher-api container
@ -51,7 +51,7 @@
    service: "{{ watcher_services[service_name] }}"
    config_json: "{{ watcher_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
    watcher_conf: "{{ watcher_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    policy_json: "{{ watcher_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
+    policy_overwriting: "{{ watcher_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
    watcher_api_container: "{{ check_watcher_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
  kolla_docker:
    action: "recreate_or_restart_container"
@ -65,5 +65,5 @@
    - service.enabled | bool
    - config_json.changed | bool
      or watcher_conf.changed | bool
-      or policy_json.changed | bool
+      or policy_overwriting.changed | bool
      or watcher_api_container.changed | bool
--- a/ansible/roles/watcher/tasks/config.yml
+++ b/ansible/roles/watcher/tasks/config.yml
@ -9,6 +9,23 @@
    - item.value.enabled | bool
  with_dict: "{{ watcher_services }}"
 - name: Check if policies shall be overwritten
  local_action: stat path="{{ item }}"
  run_once: True
  register: watcher_policy
  with_first_found:
    - files: "{{ supported_policy_format_list }}"
      paths:
        - "{{ node_custom_config }}/watcher/"
      skip: true
 - name: Set watcher policy file
  set_fact:
    watcher_policy_file: "{{ watcher_policy.results.0.stat.path | basename }}"
    watcher_policy_file_path: "{{ watcher_policy.results.0.stat.path }}"
  when:
    - watcher_policy.results
 - name: Copying over config.json files for services
  template:
    src: "{{ item.key }}.json.j2"
@ -44,18 +61,13 @@
    - Restart watcher-engine container
    - Restart watcher-applier container
- name: Check if policies shall be overwritten
+- name: Copying over existing policy file
  local_action: stat path="{{ node_custom_config }}/watcher/policy.json"
  run_once: True
  register: watcher_policy
 - name: Copying over existing policy.json
  template:
-    src: "{{ node_custom_config }}/watcher/policy.json"
+    src: "{{ watcher_policy_file_path }}"
-    dest: "{{ node_config_directory }}/{{ item.key }}/policy.json"
+    dest: "{{ node_config_directory }}/{{ item.key }}/{{ watcher_policy_file }}"
-  register: watcher_policy_jsons
+  register: watcher_policy_overwriting
  when:
-    - watcher_policy.stat.exists
+    - watcher_policy_file is defined
    - inventory_hostname in groups[item.value.group]
    - item.value.enabled | bool
  with_dict: "{{ watcher_services }}"
--- a/ansible/roles/watcher/templates/watcher-api.json.j2
+++ b/ansible/roles/watcher/templates/watcher-api.json.j2
@ -6,14 +6,13 @@
            "dest": "/etc/watcher/watcher.conf",
            "owner": "watcher",
            "perm": "0600"
-        },
+        }{% if watcher_policy_file is defined %},
        {
-            "source": "{{ container_config_directory }}/policy.json",
+            "source": "{{ container_config_directory }}/{{ watcher_policy_file }}",
-            "dest": "/etc/watcher/policy.json",
+            "dest": "/etc/watcher/{{ watcher_policy_file }}",
            "owner": "watcher",
-            "perm": "0600",
+            "perm": "0600"
-            "optional": true
+        }{% endif %}
        }
    ],
    "permissions": [
        {
--- a/ansible/roles/watcher/templates/watcher-applier.json.j2
+++ b/ansible/roles/watcher/templates/watcher-applier.json.j2
@ -6,14 +6,13 @@
            "dest": "/etc/watcher/watcher.conf",
            "owner": "watcher",
            "perm": "0600"
-        },
+        }{% if watcher_policy_file is defined %},
        {
-            "source": "{{ container_config_directory }}/policy.json",
+            "source": "{{ container_config_directory }}/{{ watcher_policy_file }}",
-            "dest": "/etc/watcher/policy.json",
+            "dest": "/etc/watcher/{{ watcher_policy_file }}",
            "owner": "watcher",
-            "perm": "0600",
+            "perm": "0600"
-            "optional": true
+        }{% endif %}
        }
    ],
    "permissions": [
        {
--- a/ansible/roles/watcher/templates/watcher-engine.json.j2
+++ b/ansible/roles/watcher/templates/watcher-engine.json.j2
@ -6,14 +6,13 @@
            "dest": "/etc/watcher/watcher.conf",
            "owner": "watcher",
            "perm": "0600"
-        },
+        }{% if watcher_policy_file is defined %},
        {
-            "source": "{{ container_config_directory }}/policy.json",
+            "source": "{{ container_config_directory }}/{{ watcher_policy_file }}",
-            "dest": "/etc/watcher/policy.json",
+            "dest": "/etc/watcher/{{ watcher_policy_file }}",
            "owner": "watcher",
-            "perm": "0600",
+            "perm": "0600"
-            "optional": true
+        }{% endif %}
        }
    ],
    "permissions": [
        {
--- a/ansible/roles/watcher/templates/watcher.conf.j2
+++ b/ansible/roles/watcher/templates/watcher.conf.j2
@ -46,3 +46,8 @@ lock_path = /var/lib/watcher/tmp
 [oslo_messaging_notifications]
 transport_url = {{ notify_transport_url }}
 {% if watcher_policy_file is defined %}
 [oslo_policy]
 policy_file = {{ watcher_policy_file }}
 {% endif %}
--- a/ansible/roles/zun/handlers/main.yml
+++ b/ansible/roles/zun/handlers/main.yml
@ -5,7 +5,7 @@
    service: "{{ zun_services[service_name] }}"
    config_json: "{{ zun_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
    zun_conf: "{{ zun_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    policy_json: "{{ zun_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
+    policy_overwriting: "{{ zun_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
    zun_api_container: "{{ check_zun_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
  kolla_docker:
    action: "recreate_or_restart_container"
@ -21,7 +21,7 @@
    - config_json.changed | bool
      or zun_conf.changed | bool
      or zun_conf_wsgi.changed | bool
-      or policy_json.changed | bool
+      or policy_overwriting.changed | bool
      or zun_api_container.changed | bool
 - name: Restart zun-compute container
@ -30,7 +30,7 @@
    service: "{{ zun_services[service_name] }}"
    config_json: "{{ zun_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
    zun_conf: "{{ zun_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    policy_json: "{{ zun_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
+    policy_overwriting: "{{ zun_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
    zun_compute_container: "{{ check_zun_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
  kolla_docker:
    action: "recreate_or_restart_container"
@ -45,5 +45,5 @@
    - service.enabled | bool
    - config_json.changed | bool
      or zun_conf.changed | bool
-      or policy_json.changed | bool
+      or policy_overwriting.changed | bool
      or zun_compute_container.changed | bool
--- a/ansible/roles/zun/tasks/config.yml
+++ b/ansible/roles/zun/tasks/config.yml
@ -7,6 +7,23 @@
  when: inventory_hostname in groups[item.value.group]
  with_dict: "{{ zun_services }}"
 - name: Check if policies shall be overwritten
  local_action: stat path="{{ item }}"
  run_once: True
  register: zun_policy
  with_first_found:
    - files: "{{ supported_policy_format_list }}"
      paths:
        - "{{ node_custom_config }}/zun/"
      skip: true
 - name: Set zun policy file
  set_fact:
    zun_policy_file: "{{ zun_policy.results.0.stat.path | basename }}"
    zun_policy_file_path: "{{ zun_policy.results.0.stat.path }}"
  when:
    - zun_policy.results
 - name: Copying over config.json files for services
  template:
    src: "{{ item.key }}.json.j2"
@ -53,18 +70,13 @@
  notify:
    - Restart zun-api container
- name: Check if policies shall be overwritten
+- name: Copying over existing policy file
  local_action: stat path="{{ node_custom_config }}/zun/policy.json"
  run_once: True
  register: zun_policy
 - name: Copying over existing policy.json
  template:
-    src: "{{ node_custom_config }}/zun/policy.json"
+    src: "{{ zun_policy_file_path }}"
-    dest: "{{ node_config_directory }}/{{ item.key }}/policy.json"
+    dest: "{{ node_config_directory }}/{{ item.key }}/{{ zun_policy_file }}"
-  register: zun_policy_jsons
+  register: zun_policy_overwriting
  when:
-    - zun_policy.stat.exists
+    - zun_policy_file is defined
    - inventory_hostname in groups[item.value.group]
  with_dict: "{{ zun_services }}"
  notify:
--- a/ansible/roles/zun/templates/zun-api.json.j2
+++ b/ansible/roles/zun/templates/zun-api.json.j2
@ -14,14 +14,13 @@
            "dest": "/etc/{{ zun_dir }}/wsgi-zun.conf",
            "owner": "root",
            "perm": "0600"
-        },
+        }{% if zun_policy_file is defined %},
        {
-            "source": "{{ container_config_directory }}/policy.json",
+            "source": "{{ container_config_directory }}/{{ zun_policy_file }}",
-            "dest": "/etc/zun/policy.json",
+            "dest": "/etc/zun/{{ zun_policy_file }}",
            "owner": "zun",
-            "perm": "0600",
+            "perm": "0600"
-            "optional": true
+        }{% endif %}
        }
    ],
    "permissions": [
        {
--- a/ansible/roles/zun/templates/zun-compute.json.j2
+++ b/ansible/roles/zun/templates/zun-compute.json.j2
@ -6,14 +6,13 @@
            "dest": "/etc/zun/zun.conf",
            "owner": "zun",
            "perm": "0600"
-        },
+        }{% if zun_policy_file is defined %},
        {
-            "source": "{{ container_config_directory }}/policy.json",
+            "source": "{{ container_config_directory }}/{{ zun_policy_file }}",
-            "dest": "/etc/zun/policy.json",
+            "dest": "/etc/zun/{{ zun_policy_file }}",
            "owner": "zun",
-            "perm": "0600",
+            "perm": "0600"
-            "optional": true
+        }{% endif %}
        }
    ],
    "permissions": [
        {
--- a/ansible/roles/zun/templates/zun.conf.j2
+++ b/ansible/roles/zun/templates/zun.conf.j2
@ -101,3 +101,8 @@ connection_string = elasticsearch://{{ elasticsearch_address }}:{{ elasticsearch
 [oslo_concurrency]
 lock_path = /var/lib/zun/tmp
 {% if zun_policy_file is defined %}
 [oslo_policy]
 policy_file = {{ zun_policy_file }}
 {% endif %}