Merge pull request #536 from bawaler/fipstask
OPENSHIFTP-8: add fips enablement for 4.16 and higher
Power Cloud Robot authored Sep 11, 2024
2 parents 352cf66 + d2a6bae commit 4098c3d
Showing 4 changed files with 34 additions and 14 deletions.
36 changes: 31 additions & 5 deletions modules/1_prepare/prepare.tf
Expand Up @@ -129,8 +129,38 @@ data "ibm_pi_instance_ip" "bastion_public_ip" {
pi_cloud_instance_id = var.service_instance_id
}

resource "null_resource" "bastion_fips" {
count = var.fips_compliant ? local.bastion_count : 0
depends_on = [ibm_pi_instance.bastion]

connection {
type = "ssh"
user = var.rhel_username
host = data.ibm_pi_instance_ip.bastion_public_ip[count.index].external_ip
private_key = var.private_key
agent = var.ssh_agent
timeout = "${var.connection_timeout}m"
}

provisioner "remote-exec" {
inline = [<<EOF
sudo fips-mode-setup --enable
sudo systemctl reboot
EOF
]
}
}

resource "time_sleep" "fips_wait_30_seconds" {
depends_on = [null_resource.bastion_fips]
count = var.fips_compliant ? 1 : 0

create_duration = "30s"
}

resource "null_resource" "bastion_init" {
count = local.bastion_count
depends_on = [time_sleep.fips_wait_30_seconds]
count = local.bastion_count

connection {
type = "ssh"
Expand Down Expand Up @@ -178,10 +208,6 @@ for cidr in "$${cidrs[@]}"; do
done
done
# enable FIPS as required
if [[ ${var.fips_compliant} = true ]]; then
sudo fips-mode-setup --enable
fi
EOF
]
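Review bot: The new `bastion_fips` resource never confirms that FIPS mode is actually active after the reboot, and nothing downstream checks either, so a failed `--enable` or a bastion that had not yet gone down when the fixed 30 s `time_sleep` expired lets `bastion_init` and the rest of the install proceed on a non-FIPS host while the helpernode is later told the host is FIPS. I would fail fast at the top of `bastion_init`'s inline script (its body runs outside this hunk): `if [[ ${var.fips_compliant} = true ]]; then sudo fips-mode-setup --is-enabled || { echo "FIPS mode not active after reboot" >&2; exit 1; }; fi`. The `sudo systemctl reboot` on the last line of the `bastion_fips` script also tears down the SSH session that `remote-exec` is waiting on, which in my experience surfaces as a provisioner error rather than a clean exit; detaching it as `(sleep 2 && sudo systemctl reboot) &` returns before the connection drops and keeps the 30 s wait meaningful. Re-running the provisioner (for example after a taint) currently re-enables and reboots unconditionally, so `sudo fips-mode-setup --is-enabled || sudo fips-mode-setup --enable` would keep the step idempotent.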
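--- a/modules/5_install/install.tf
+++ b/modules/5_install/install.tf
@@ -90,6 +90,7 @@ locals {
 # trying to start named and haproxy
 # TODO: This is hardcoded to 9.9.9.9 to use external nameserver. Need to read from dns_forwarders.
 ext_dns = var.use_ibm_cloud_services ? "9.9.9.9" : ""
+fips = var.fips_compliant
 }
 
 helpernode_inventory = {
@@ -589,11 +590,3 @@ resource "null_resource" "csi_driver_install" {
 }
 }
 
-resource "ibm_pi_instance_action" "fips_bastion_reboot" {
-depends_on = [null_resource.config, null_resource.setup_snat, null_resource.configure_public_vip, null_resource.external_services, null_resource.pre_install, null_resource.install, null_resource.powervs_config, null_resource.upgrade, null_resource.csi_driver_install]
-count = var.fips_compliant ? var.bastion_count : 0
-
-pi_cloud_instance_id = var.service_instance_id
-pi_instance_id = "${var.name_prefix}bastion-${count.index}"
-pi_action = "soft-reboot"
-}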
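--- a/modules/5_install/templates/helpernode_vars.yaml
+++ b/modules/5_install/templates/helpernode_vars.yaml
@@ -89,3 +89,4 @@ ocp_install_kernel: "file:///dev/null"
 
 # This is required for latest helpernode. TODO: Remove when https://github.com/RedHatOfficial/ocp4-helpernode/pull/140 is merged
 helm_source: "https://get.helm.sh/helm-v3.3.4-linux-ppc64le.tar.gz"
+fips: ${fips}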
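--- a/variables.tf
+++ b/variables.tf
@@ -306,7 +306,7 @@ variable "helpernode_repo" {
 variable "helpernode_tag" {
 type = string
 description = "Set the branch/tag name or commit# for using ocp4-helpernode repo"
-default = "94b8a123308f3566835a8ea2f189b204f77af88c"
+default = "d1ab538df6aeba915bf056f7983a60a68717d4d9"
 # Checkout level for var.helpernode_repo which is used for setting up services required on bastion node
 }
 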
