There are two problems we need to solve when enabling FIPS for
multinode Ubuntu jobs.
1. Ubuntu nodes require a subscription to be activated with a
subscription key that is stored as a secret in project-config.
2. Because enabling FIPS requires a reboot, we need to execute the
enable-fips playbook before the multinode playbook. If not,
resources set up by the multinode playbook may not survive the
reboot.
To solve these problems, we have created a new base job for
OpenStack multinode jobs. (openstack-multinode-fips). We expect
to use this job as the base job for OpenStack multinode jobs
instead of the multinode job in zuul-jobs.
The openstack-multinode-fips inherits from openstack-fips, which
is a job defined in project-config that access the UA subscription
key and activates the UA subscription. This solves problem #1.
It then executes the enable-fips and multinode playbooks
(FIPS first!), which in turn, invoke the enable-fips and multinode
roles in zuul-jobs. This solves problem #2.
This has the unfortunate result of having to duplicate the logic
of the multinode/pre.yaml playbook in zuul-jobs here in
openstack-zuul-jobs instead, but I can't see a way around that.
Note that unless the variable enable_fips is defined to be true
in the job, all the FIPS logic is essentially a no-op.
If enable_fips is set to True, then jobs will also need to specify
nslookup_target for the post-reboot-tasks role invoked by the
enable_fips role.
Depends-On: I8a88d6a9bcf5725986b00b063e03686d3225b48e
Change-Id: I080df90af850088893976c8649aa528638c6f373
176daf9c82