project-config/playbooks/openstack-fips
Ade Lee d322181322 Add base openstack FIPS job
A new job openstack-fips is created.  This job is expected to be
a base job for most OpenStack jobs, so that FIPS testing can be
easily enabled throughout OpenStack CI.

A base job is required here because, for Ubuntu nodes, we need
to enable an Ubuntu Advantage subscription, as Ubuntu considers
FIPS to be a UA feature.  The subscription key is stored here in
project-config.

Depends-On: I47a31f680172b47584510adb672b68498a85bd32
Change-Id: I8a88d6a9bcf5725986b00b063e03686d3225b48e
2023-02-01 09:59:36 +01:00
..
pre.yaml Add base openstack FIPS job 2023-02-01 09:59:36 +01:00
README.rst Add base openstack FIPS job 2023-02-01 09:59:36 +01:00

This pre.yaml playbook is called as part of the openstack-fips job. Its primary purpose is enable an Ubuntu Advantage subscription using a subscription key that is stored in project-config.

Enabling FIPS requires a reboot, and so we need the FIPS playbook to run very early in the node setup, so that resources set up by subsequent pre-scripts are not affected by the reboot.

Therefore, the openstack-fips job must be definied as a base job for most OpenStack jobs. As most jobs will not require fips, a playbook variable enable_fips - which defaults to False - is provided.

To enable FIPS mode, a job will simply need to set enable_fips to True as a job variable.

Job Variables