Add fips check jobs

Some jobs have been modified to run to confirm that functionality is
still working when FIPS is enabled on the nodes.

As the FIPS tests currently run on centos nodes, code is added
to the test-setup script to set up the databases correctly.  Also had
to increase the swap space on the nodes; see [0] for an explanation.

The current FIPS jobs run using python 3.6 on centos-8-stream.  We will
modify these to run on centos-9-stream and python 3.9 in a
subsequent patch.

[0] https://review.opendev.org/c/openstack/devstack/+/803706

Change-Id: I060d8247c7b09f63990ea411e6c6a056bb50410d

.zuul.yaml

@@ -256,16 +256,25 @@
               output_format: raw
 
 - job:
-    name: glance-multistore-cinder-import
+    name: glance-multistore-cinder-import-fips
     parent: tempest-integrated-storage-import
     description: |
-      The regular import workflow job to test with multiple cinder stores
+      The regular import workflow job to test with multiple cinder stores with
+      fips enabled
+    nodeset: devstack-single-node-centos-8-stream
+    pre-run: playbooks/enable-fips.yaml
     vars:
+      configure_swap_size: 4096
       devstack_localrc:
         USE_CINDER_FOR_GLANCE: True
         GLANCE_ENABLE_MULTIPLE_STORES: True
         CINDER_ENABLED_BACKENDS: lvm:lvmdriver-1,lvm:lvmdriver-2
         GLANCE_CINDER_DEFAULT_BACKEND: lvmdriver-1
+      devstack_local_conf:
+        test-config:
+          "$TEMPEST_CONFIG":
+            validation:
+              ssh_key_type: 'ecdsa'
 
 - job:
     name: tempest-integrated-storage-import-standalone
@@ -303,7 +312,7 @@
       - release-notes-jobs-python3
     check:
       jobs:
-        - openstack-tox-functional-py36
+        - openstack-tox-functional-py36-fips
         - openstack-tox-functional-py39
         - glance-tox-functional-py39-rbac-defaults
         - glance-code-constants-check
@@ -327,7 +336,7 @@
             irrelevant-files: *tempest-irrelevant-files
         - tempest-integrated-storage-import-standalone:
             irrelevant-files: *tempest-irrelevant-files
-        - glance-multistore-cinder-import:
+        - glance-multistore-cinder-import-fips:
             irrelevant-files: *tempest-irrelevant-files
         - grenade:
             irrelevant-files: *tempest-irrelevant-files

playbooks/enable-fips.yaml

@@ -0,0 +1,3 @@
+- hosts: all
+  roles:
+    - enable-fips

tools/test-setup.sh

@@ -15,6 +15,34 @@ DB_ROOT_PW=${MYSQL_ROOT_PW:-insecure_slave}
 DB_USER=openstack_citest
 DB_PW=openstack_citest
 
+function set_conf_line {
+    # parameters: file regex value
+    # check if the regex occurs in the file
+    # If so, replace with the value.
+    # If not, append the value to the end of the file.
+    sudo sh -c "grep -q -e '$2' $1 && \
+            sed -i 's|$2|$3|g' $1 || \
+            echo '$3' >> $1"
+}
+
+if $(egrep -q "^.*(centos:centos:|cloudlinux:cloudlinux:|redhat:enterprise_linux:)[78].*$" /etc/*release); then
+    # mysql needs to be started on centos/rhel
+    sudo systemctl restart mariadb.service
+
+    # postgres setup for centos
+    # make sure to use scram-sha-256 instead of md5 for fips!
+    sudo postgresql-setup --initdb
+    PG_CONF=/var/lib/pgsql/data/postgresql.conf
+    set_conf_line $PG_CONF '^password_encryption =.*' 'password_encryption = scram-sha-256'
+
+    PG_HBA=/var/lib/pgsql/data/pg_hba.conf
+    set_conf_line $PG_HBA '^local[ \t]*all[ \t]*all.*' 'local all all peer'
+    set_conf_line $PG_HBA '^host[ \t]*all[ \t]*all[ \t]*127.0.0.1\/32.*' 'host all all 127.0.0.1/32 scram-sha-256'
+    set_conf_line $PG_HBA '^host[ \t]*all[ \t]*all[ \t]*::1\/128.*' 'host all all ::1/128 scram-sha-256'
+
+    sudo systemctl restart postgresql.service
+fi
+
 sudo -H mysqladmin -u root password $DB_ROOT_PW
 
 # It's best practice to remove anonymous users from the database.  If