authorZuul <zuul@review.opendev.org>2023-04-19 00:10:48 +0000
committerGerrit Code Review <review@openstack.org>2023-04-19 00:10:48 +0000
commit2e8aff660b18d1e8f961d6de979d541a8d06f1c1 (patch)
tree0375bb98b836d369df56a7328ebb5886f86f812b
parentecd2ac5bd434b2f3c979775342ebc59059ca9ad7 (diff)
parent933a7b7e6c1ce2e93f7bd22d6abb07180e43625a (diff)
downloadcinder-2e8aff660b18d1e8f961d6de979d541a8d06f1c1.tar.gz
Merge "Add fips check jobs"
-rw-r--r--.zuul.yaml17
-rw-r--r--bindep.txt1
-rw-r--r--playbooks/enable-fips.yaml3
-rwxr-xr-xtools/test-setup.sh41
4 files changed, 62 insertions, 0 deletions
diff --git a/.zuul.yaml b/.zuul.yaml
index 694962907..e15853006 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -58,6 +58,9 @@
irrelevant-files: *gate-irrelevant-files
- cinder-tempest-plugin-lvm-lio-barbican:
irrelevant-files: *gate-irrelevant-files
+ - cinder-tempest-plugin-lvm-lio-barbican-fips:
+ voting: false
+ irrelevant-files: *gate-irrelevant-files
- cinder-grenade-mn-sub-volbak:
irrelevant-files: *gate-irrelevant-files
- cinder-tempest-lvm-multibackend:
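Review bot: `cinder-tempest-plugin-lvm-lio-barbican-fips` is added with `voting: false` and no comment saying why or until when, so a change that breaks under FIPS (for example a non-approved hash on the volume-encryption path) would still merge with a failing but ignored result. The same applies to `devstack-plugin-nfs-tempest-full-fips` in the next hunk. I would record the intent next to the setting with a comment above each entry, e.g. `# non-voting until the FIPS jobs are stable; make voting afterwards`. The enclosing pipeline stanza starts outside the hunk, so which pipeline these entries belong to cannot be confirmed from here.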
@@ -68,6 +71,9 @@
irrelevant-files: *gate-irrelevant-files
- devstack-plugin-nfs-tempest-full:
irrelevant-files: *gate-irrelevant-files
+ - devstack-plugin-nfs-tempest-full-fips:
+ voting: false
+ irrelevant-files: *gate-irrelevant-files
- tempest-slow-py3:
irrelevant-files: *gate-irrelevant-files
- tempest-integrated-storage:
@@ -179,6 +185,17 @@
volume_revert: True
- job:
+ # this depends on some ceph admin setup which is not yet complete
+ # TODO(alee) enable this test when ceph admin work is complete.
+ name: cinder-plugin-ceph-tempest-fips
+ parent: cinder-plugin-ceph-tempest
+ nodeset: devstack-single-node-centos-9-stream
+ pre-run: playbooks/enable-fips.yaml
+ vars:
+ configure_swap_size: 4096
+ nslookup_target: 'opendev.org'
+
+- job:
name: cinder-plugin-ceph-tempest-mn-aa
parent: devstack-plugin-ceph-multinode-tempest-py3
roles:
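Review bot: The comment on `cinder-plugin-ceph-tempest-fips` sits between `- job:` and `name:` and says the test should be enabled later, but it does not say that the job is deliberately left out of the project's pipelines; none of the visible hunks reference it. I would move the comment above `- job:` and make that explicit, e.g. `# Defined but not yet run in any pipeline: depends on ceph admin setup that is not complete. TODO(alee): add to check once it is.` The following `cinder-plugin-ceph-tempest-mn-aa` job continues past the end of the hunk.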
diff --git a/bindep.txt b/bindep.txt
index d32d02680..6311a1885 100644
--- a/bindep.txt
+++ b/bindep.txt
@@ -29,6 +29,7 @@ postgresql
postgresql-client [platform:dpkg]
postgresql-devel [platform:rpm]
postgresql-server [platform:rpm]
+python3-devel [platform:rpm test]
libpq-dev [platform:dpkg]
thin-provisioning-tools [platform:debian]
libxml2-dev [platform:dpkg test]
diff --git a/playbooks/enable-fips.yaml b/playbooks/enable-fips.yaml
new file mode 100644
index 000000000..bc1dc04ea
--- /dev/null
+++ b/playbooks/enable-fips.yaml
@@ -0,0 +1,3 @@
+- hosts: all
+ roles:
+ - enable-fips
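Review bot: Nothing in this playbook confirms that the node actually came up in FIPS mode after the `enable-fips` role runs, so a job could pass while exercising a non-FIPS system; unless the role already asserts this, a check is worth adding. A `post_tasks` entry running `command: grep -qx 1 /proc/sys/crypto/fips_enabled` would fail the pre-run when the flag is not set. The play also has no `name:`, which makes it harder to locate in the job log.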
diff --git a/tools/test-setup.sh b/tools/test-setup.sh
index 5b986ced3..fced9be5e 100755
--- a/tools/test-setup.sh
+++ b/tools/test-setup.sh
@@ -15,6 +15,47 @@ DB_ROOT_PW=${MYSQL_ROOT_PW:-insecure_slave}
DB_USER=openstack_citest
DB_PW=openstack_citest
+function is_rhel7 {
+ [ -f /usr/bin/yum ] && \
+ cat /etc/*release | grep -q -e "Red Hat" -e "CentOS" -e "CloudLinux" && \
+ cat /etc/*release | grep -q 'release 7'
+}
+
+function is_rhel8 {
+ [ -f /usr/bin/dnf ] && \
+ cat /etc/*release | grep -q -e "Red Hat" -e "CentOS" -e "CloudLinux" && \
+ cat /etc/*release | grep -q 'release 8'
+}
+
+function is_rhel9 {
+ [ -f /usr/bin/dnf ] && \
+ cat /etc/*release | grep -q -e "Red Hat" -e "CentOS" -e "CloudLinux" && \
+ cat /etc/*release | grep -q 'release 9'
+}
+
+function set_conf_line { # file regex value
+ sudo sh -c "grep -q -e '$2' $1 && \
+ sed -i 's|$2|$3|g' $1 || \
+ echo '$3' >> $1"
+}
+
+if is_rhel7 || is_rhel8 || is_rhel9; then
+ # mysql needs to be started on centos/rhel
+ sudo systemctl restart mariadb.service
+
+ # postgres setup for centos
+ sudo postgresql-setup --initdb
+ PG_CONF=/var/lib/pgsql/data/postgresql.conf
+ set_conf_line $PG_CONF '^password_encryption =.*' 'password_encryption = scram-sha-256'
+
+ PG_HBA=/var/lib/pgsql/data/pg_hba.conf
+ set_conf_line $PG_HBA '^local[ \t]*all[ \t]*all.*' 'local all all peer'
+ set_conf_line $PG_HBA '^host[ \t]*all[ \t]*all[ \t]*127.0.0.1\/32.*' 'host all all 127.0.0.1/32 scram-sha-256'
+ set_conf_line $PG_HBA '^host[ \t]*all[ \t]*all[ \t]*::1\/128.*' 'host all all ::1/128 scram-sha-256'
+
+ sudo systemctl restart postgresql.service
+fi
+
sudo -H mysqladmin -u root password $DB_ROOT_PW
# It's best practice to remove anonymous users from the database. If
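Review bot: `set_conf_line` splices its regex and value into a single-quoted string inside `sudo sh -c "..."` and leaves `$1` unquoted, so any argument containing a quote, a space or `|` is re-parsed by a root shell; its `grep && sed || echo` chain also appends the line when sed fails, not only when grep finds nothing. The callers' `[ \t]*` is weaker than it looks: inside a grep bracket expression `\t` is a backslash and a `t`, not a tab. A tab-separated pg_hba.conf entry would therefore not match, and the scram-sha-256 line would be appended after it, where PostgreSQL's first-match rule leaves the old auth method in force. I would run grep, sed and the append as separate sudo commands with quoted arguments, and switch the patterns to `[[:space:]]*`, as below.

```shell
function set_conf_line { # file regex value
    local file=$1 regex=$2 value=$3
    if sudo grep -q -e "$regex" "$file"; then
        sudo sed -i "s|$regex|$value|g" "$file"
    else
        echo "$value" | sudo tee -a "$file" >/dev/null
    fi
}

# … unchanged: is_rhel7/8/9, mariadb restart, postgresql-setup …
set_conf_line "$PG_HBA" '^local[[:space:]]*all[[:space:]]*all.*' 'local all all peer'
# … remaining PG_HBA calls: same [[:space:]] substitution …
```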