Merge "Add base openstack FIPS job"

playbooks/openstack-fips/README.rst

@@ -0,0 +1,22 @@
+This pre.yaml playbook is called as part of the openstack-fips job.
+Its primary purpose is enable an Ubuntu Advantage subscription using
+a subscription key that is stored in project-config.
+
+Enabling FIPS requires a reboot, and so we need the FIPS playbook to
+run very early in the node setup, so that resources set up by
+subsequent pre-scripts are not affected by the reboot.
+
+Therefore, the openstack-fips job must be definied as a base job for
+most OpenStack jobs.  As most jobs will not require fips, a playbook
+variable enable_fips - which defaults to False - is provided.
+
+To enable FIPS mode, a job will simply need to set enable_fips to
+True as a job variable.
+
+**Job Variables**
+
+.. zuul:jobvar:: enable_fips
+   :default: False
+
+   Whether to run the playbook and enable fips.  Defaults to False.
+

playbooks/openstack-fips/pre.yaml

@@ -0,0 +1,7 @@
+- name: enable ua subscription
+  hosts: all
+  tasks:
+    - name: enable ua subscription for fips
+      include_role:
+        name: enable-ua-subscription
+      when: enable_fips | default(false)

zuul.d/jobs.yaml

@@ -1265,12 +1265,12 @@
     nodeset: ubuntu-xenial
 
 - job:
-    name: openstack-multinode-fips
-    parent: multinode-fips
+    name: openstack-fips
+    abstract: true
     description: |
-      Multinode job with fips enabled and passing
-      the ubuntu_fips_token needed for UA subscription.
+      Base job for OpenStack jobs that enables an
+      Ubuntu Advantage subscription if FIPS is enabled.
     secrets:
       - secret: openstack_ubuntu_fips
-        name: ubuntu_fips_token
-        pass-to-parent: true
+        name: ubuntu_ua_token
+    pre-run: playbooks/openstack-fips/pre.yaml