From d3221813229b9366c50d48187253b9dc4eb839ca Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Fri, 27 Jan 2023 17:10:39 +0100
Subject: [PATCH] Add base openstack FIPS job
A new job openstack-fips is created. This job is expected to be a base job for most OpenStack jobs, so that FIPS testing can be easily enabled throughout OpenStack CI. A base job is required here because, for Ubuntu nodes, we need to enable an Ubuntu Advantage subscription, as Ubuntu considers FIPS to be a UA feature. The subscription key is stored here in project-config.
Depends-On: I47a31f680172b47584510adb672b68498a85bd32
Change-Id: I8a88d6a9bcf5725986b00b063e03686d3225b48e
---
 playbooks/openstack-fips/README.rst | 22 ++++++++++++++++++++++
 playbooks/openstack-fips/pre.yaml | 7 +++++++
 zuul.d/jobs.yaml | 12 ++++++------
 3 files changed, 35 insertions(+), 6 deletions(-)
 create mode 100644 playbooks/openstack-fips/README.rst
 create mode 100644 playbooks/openstack-fips/pre.yaml
diff --git a/playbooks/openstack-fips/README.rst b/playbooks/openstack-fips/README.rst
new file mode 100644
index 0000000000..8fa084ff8f
--- /dev/null
+++ b/playbooks/openstack-fips/README.rst
@@ -0,0 +1,22 @@
+This pre.yaml playbook is called as part of the openstack-fips job.
+Its primary purpose is enable an Ubuntu Advantage subscription using
+a subscription key that is stored in project-config.
+
+Enabling FIPS requires a reboot, and so we need the FIPS playbook to
+run very early in the node setup, so that resources set up by
+subsequent pre-scripts are not affected by the reboot.
+
+Therefore, the openstack-fips job must be definied as a base job for
+most OpenStack jobs. As most jobs will not require fips, a playbook
+variable enable_fips - which defaults to False - is provided.
+
+To enable FIPS mode, a job will simply need to set enable_fips to
+True as a job variable.
+
+**Job Variables**
+
+.. zuul:jobvar:: enable_fips
+ :default: False
+
+ Whether to run the playbook and enable fips. Defaults to False.
+
diff --git a/playbooks/openstack-fips/pre.yaml b/playbooks/openstack-fips/pre.yaml
new file mode 100644
index 0000000000..f7fb163811
--- /dev/null
+++ b/playbooks/openstack-fips/pre.yaml
@@ -0,0 +1,7 @@
+- name: enable ua subscription
+ hosts: all
+ tasks:
+ - name: enable ua subscription for fips
+ include_role:
+ name: enable-ua-subscription
+ when: enable_fips | default(false)
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
index 38c6b619c6..ed2c034ddc 100644
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@@ -1265,12 +1265,12 @@ nodeset: ubuntu-xenial
 - job:
- name: openstack-multinode-fips
- parent: multinode-fips
+ name: openstack-fips
+ abstract: true
 description: |
- Multinode job with fips enabled and passing
- the ubuntu_fips_token needed for UA subscription.
+ Base job for OpenStack jobs that enables an
+ Ubuntu Advantage subscription if FIPS is enabled.
 secrets:
 - secret: openstack_ubuntu_fips
- name: ubuntu_fips_token
- pass-to-parent: true
+ name: ubuntu_ua_token
+ pre-run: playbooks/openstack-fips/pre.yaml
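Review bot: The `when: enable_fips | default(false)` guard on the include_role task is a plain Jinja truth test, so a non-empty string such as `"false"` or `"False"` counts as true and the Ubuntu Advantage subscription would be attached on a job that meant to opt out. Casting the value makes the opt-in explicit: `when: enable_fips | default(false) | bool`. The play never references `ubuntu_ua_token` itself, so presumably the enable-ua-subscription role reads it; that role is not part of this patch, and it is worth confirming there that the task handling the token sets `no_log: true`.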
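Review bot: The `secrets:` entry now hands `ubuntu_ua_token` to a pre-run playbook on a job meant to be inherited by most OpenStack jobs, and neither the description nor a comment records where that token ends up. With `pass-to-parent` removed the secret should be visible only to this job's own playbook, but if the role attaches the subscription on the test node (the role is not shown here), playbooks from child jobs run afterwards on a node that holds subscription state, so the token is best kept narrowly scoped and easy to rotate. I would add a comment above `secrets:` such as `# ubuntu_ua_token is used only by playbooks/openstack-fips/pre.yaml; child-job playbooks run later on the same node`. The job definition may continue past the end of the hunk.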