feat: Add support for fips and some minor code allignments (#359)

This is the support for fips in Agend-based Installer (ABI). And solves issue #305. In addition some minor code changes based on ansible-lint. Signed-off-by: Amadeuds Podvratnik <[email protected]> Co-authored-by: Sumit Solanki <[email protected]>
IBM · Dec 4, 2024 · 0f68843 · 0f68843
1 parent d530b2b
commit 0f68843
Show file tree

Hide file tree

Showing 19 changed files with 148 additions and 49 deletions.
diff --git a/docs/set-variables-group-vars.md b/docs/set-variables-group-vars.md
@@ -221,7 +221,7 @@
 **install_config.cluster_network.type** | The cluster network provider Container Network Interface (CNI) plug-in to install. Either OpenShiftSDN or OVNKubernetes (default). | OVNKubernetes
 **install_config.service_network** | The IP address block for services. The default value is 172.30.0.0/16. The OpenShift SDN and OVN-Kubernetes network providers support only a single IP address block for the service network. An array with an IP address block in CIDR format. | 172.30.0.0/16
 **install_config.machine_network** | The IP address block for Nodes IP Pool. The default value is 192.168.122.0/24 For NAT Network Mode. In case of MacvTap it will be depend on Inteface IP assignment. An array with an IP address block in CIDR format. | 192.168.122.0/24
-**install_config.fips** | True or False (boolean) for whether or not to use the United States' Federal Information Processing Standards (FIPS). Not yet certified on IBM zSystems. Enclosed in 'single quotes'. | 'false'
+**install_config.fips** | true or false (boolean) for whether or not to use the United States' Federal Information Processing Standards (FIPS). Not yet certified on IBM zSystems. | false
 
 ## Packages (Optional)
 * Packages are installed based on the executed playbooks based on the given requirements. This means that these variables have default values which can be overwritten in all.yaml file.

diff --git a/inventories/default/.gitignore b/inventories/default/.gitignore
@@ -1,4 +1,5 @@
 /*
 !group_vars
 !host_vars
-!.gitignore
+!.gitignore
+!hosts
diff --git a/inventories/default/group_vars/.gitignore b/inventories/default/group_vars/.gitignore
@@ -2,4 +2,6 @@
 !.gitignore
 !all.yaml.template
 !hcp.yaml.template
+!disconnected.yaml
+!zvm.yaml
 
diff --git a/playbooks/5_setup_bastion.yaml b/playbooks/5_setup_bastion.yaml
@@ -31,23 +31,23 @@
       when: (env.network_mode | upper == "NAT") and (env.jumphost.ip is not none)
     - block:
         - name: Gather package facts on jumphost
-          package_facts:
+          ansible.builtin.package_facts:
             manager: auto
           when: (env.network_mode | upper == "NAT") and (env.jumphost.ip is not none)
 
         - name: Check if 'expect' is installed on jumphost, for use in ssh-copy-id role for NAT.
-          set_fact:
+          ansible.builtin.set_fact:
             expect_installed: "{{ 'expect' in ansible_facts.packages }}"
           when: (env.network_mode | upper == "NAT") and (env.jumphost.ip is not none)
 
         - name: Fail if 'expect' package is not installed on jumphost
-          fail:
+          ansible.builtin.fail:
             msg: "'expect' package is not installed on jumphost"
           when: (env.network_mode | upper == "NAT") and (env.jumphost.ip is not none) and (not expect_installed)
       rescue:
         - name: Package 'expect' must be installed on the jumphost, attempting to install it. #Using 'block' and 'rescue' to avoid running the 'package' module (which requires 'sudo') unless necessary.
           become: true
-          package:
+          ansible.builtin.package:
             name: expect
           when: (env.network_mode | upper == "NAT") and (env.jumphost.ip is not none)
   roles:

diff --git a/playbooks/create_abi_cluster.yaml b/playbooks/create_abi_cluster.yaml
@@ -21,15 +21,16 @@
   vars_files:
     - "{{ inventory_dir }}/group_vars/zvm.yaml"
   tasks:
-    - block:
+    - name: Support for z/VM
+      when: installation_type | lower == 'zvm'
+      block:
         - name: Setup Param File
-          include_role:
+          ansible.builtin.include_role:
             name: setup_params
 
         - name: Boot z/VM Guests
-          include_tasks: ../roles/boot_zvm_nodes/tasks/main.yaml
-          loop: "{{ range( zvm.nodes | length ) | list }}"
-      when: installation_type | lower == 'zvm'
+          ansible.builtin.include_tasks: ../roles/boot_zvm_nodes/tasks/main.yaml
+          loop: "{{ range(zvm.nodes | length) | list }}"
 
 # Boot ABI KVM Agents.
 - name: Boot ABI Agents

diff --git a/playbooks/monitor_create_abi_cluster.yaml b/playbooks/monitor_create_abi_cluster.yaml
@@ -7,4 +7,4 @@
   vars_files:
     - "{{ inventory_dir }}/group_vars/all.yaml"
   roles:
-    - abi_install_complete 
+    - abi_install_complete
diff --git a/roles/boot_abi_agents/tasks/main.yml b/roles/boot_abi_agents/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
 - name: Add Route To Bastion From KVM Host.
-  command: "ip route add {{ env.bastion.networking.ip }} via {{ env.bastion.networking.gateway }}"
-  ignore_errors: yes
+  ansible.builtin.command: "ip route add {{ env.bastion.networking.ip }} via {{ env.bastion.networking.gateway }}"
+  ignore_errors: true
 
 - name: Get and print virsh list
   block:
@@ -14,7 +14,7 @@
         var: cmd_virsh_list
 
 - name: Download ISO from HTTP URL
-  get_url:
+  ansible.builtin.get_url:
     url: "http://{{ env.bastion.networking.ip }}:8080/agent.{{ ansible_architecture }}.iso"
     dest: "/var/lib/libvirt/images/agent.{{ ansible_architecture }}.iso"
     mode: '0644'
@@ -43,16 +43,22 @@
     {% endif %}
     --extra-args "rd.neednet=1 nameserver={{ env.cluster.networking.nameserver1 }}" \
     --extra-args "random.trust_cpu=on rd.luks.options=discard ignition.firstboot ignition.platform.id=metal" \
+    {% if (install_config.fips is defined and install_config.fips) %}
+    --extra-args "fips=1" \
+    {% endif %}
+    {% if (install_config.selinux is defined and install_config.selinux==0) %}
+    --extra-args "selinux=0" \
+    {% endif %}
     --memballoon none \
     --graphics none \
     --wait=-1 \
     --extra-args "{{ _vm_console }}" \
-    --noautoconsole 
+    --noautoconsole
   async: 3600
   poll: 0
   with_sequence: start=0 end={{ (env.cluster.nodes.control.hostname | length) - 1 }} stride=1
   loop_control:
-    extended: yes
+    extended: true
     index_var: i
   when: abi.boot_method | lower == "pxe"
 
@@ -78,7 +84,7 @@
   poll: 0
   with_sequence: start=0 end={{ (env.cluster.nodes.control.hostname | length) - 1 }} stride=1
   loop_control:
-    extended: yes
+    extended: true
     index_var: i
   when: abi.boot_method | lower == "iso"
 
@@ -105,16 +111,22 @@
     {% endif %}
     --extra-args "rd.neednet=1 nameserver={{ env.cluster.networking.nameserver1 }}" \
     --extra-args "random.trust_cpu=on rd.luks.options=discard ignition.firstboot ignition.platform.id=metal" \
+    {% if (install_config.fips is defined and install_config.fips) %}
+    --extra-args "fips=1" \
+    {% endif %}
+    {% if (install_config.selinux is defined and install_config.selinux==0) %}
+    --extra-args "selinux=0" \
+    {% endif %}
     --memballoon none \
     --graphics none \
     --wait=-1 \
     --extra-args "{{ _vm_console }}" \
-    --noautoconsole 
+    --noautoconsole
   async: 3600
   poll: 0
   with_sequence: start=0 end={{ (env.cluster.nodes.compute.hostname | length) - 1 }} stride=1
   loop_control:
-    extended: yes
+    extended: true
     index_var: i
   when: env.cluster.nodes.compute is defined and abi.boot_method | lower == "pxe"
 
@@ -140,6 +152,6 @@
   poll: 0
   with_sequence: start=0 end={{ (env.cluster.nodes.compute.hostname | length) - 1 }} stride=1
   loop_control:
-    extended: yes
+    extended: true
     index_var: i
   when: env.cluster.nodes.compute is defined and abi.boot_method | lower == "iso"
diff --git a/roles/create_agent/defaults/main.yaml b/roles/create_agent/defaults/main.yaml
@@ -0,0 +1,16 @@
+# Openshift Settings
+install_config_defaults:
+  api_version: v1
+  compute:
+    architecture: s390x
+    hyperthreading: Enabled
+  control:
+    architecture: s390x
+    hyperthreading: Enabled
+  cluster_network:
+    cidr: 10.128.0.0/14
+    host_prefix: 23
+    type: OVNKubernetes
+  service_network: 172.30.0.0/16
+  machine_network: 192.168.122.0/24
+  fips: false
diff --git a/roles/create_agent/tasks/main.yml b/roles/create_agent/tasks/main.yml
@@ -1,27 +1,41 @@
 ---
 
-- name: Create Agent Using PXE Boot
-  command: openshift-install agent create pxe-files --log-level=debug
+- name: Create Agent Using PXE Boot (fips = false)
+  ansible.builtin.command: openshift-install agent create pxe-files --log-level=debug
   args:
     chdir: ~/{{ abi.ansible_workdir }}
-  when: abi.boot_method | lower == "pxe"
+  when: abi.boot_method | lower == "pxe" and not install_config_vars.fips
 
-- name: Create Agent Using ISO Image
-  command: openshift-install agent create image --log-level=debug
+- name: Create Agent Using ISO Image (fips = false)
+  ansible.builtin.command: openshift-install agent create image --log-level=debug
   args:
     chdir: ~/{{ abi.ansible_workdir }}
-  when: abi.boot_method | lower == "iso"
+  when: abi.boot_method | lower == "iso" and not install_config_vars.fips
+
+- name: Create Agent Using PXE Boot (fips = true)
+  ansible.builtin.command: openshift-install-fips agent create pxe-files --log-level=debug
+  args:
+    chdir: ~/{{ abi.ansible_workdir }}
+  when: abi.boot_method | lower == "pxe" and install_config_vars.fips
+
+- name: Create Agent Using ISO Image (fips = true)
+  ansible.builtin.command: openshift-install-fips agent create image --log-level=debug
+  args:
+    chdir: ~/{{ abi.ansible_workdir }}
+  when: abi.boot_method | lower == "iso" and install_config_vars.fips
 
 - name: Copy initrd.img, kernel.img, and rootfs.img for PXE
   ansible.builtin.copy:
     src: "~/{{ abi.ansible_workdir }}/boot-artifacts/"
     dest: /var/www/html/
-    remote_src: yes
+    mode: '645'
+    remote_src: true
   when: abi.boot_method | lower == "pxe"
 
 - name: Copy ISO image to the server
   ansible.builtin.copy:
     src: "~/{{ abi.ansible_workdir }}/"
     dest: /var/www/html/
-    remote_src: yes
+    mode: '645'
+    remote_src: true
   when: abi.boot_method | lower == "iso"
diff --git a/roles/create_agent/vars/main.yaml b/roles/create_agent/vars/main.yaml
@@ -0,0 +1,6 @@
+install_config_vars: |
+  {%- if install_config is defined and install_config is iterable -%}
+  {{ install_config_defaults | combine (install_config, recursive=True) }}
+  {%- else -%}
+  {{ install_config_defaults }}
+  {%- endif -%}
diff --git a/roles/create_bastion/defaults/main.yaml b/roles/create_bastion/defaults/main.yaml
@@ -13,6 +13,6 @@ install_config_defaults:
     type: OVNKubernetes
   service_network: 172.30.0.0/16
   machine_network: 192.168.122.0/24
-  fips: 'false'
+  fips: false
 
-rhcos_os_variant: rhl9    
+rhcos_os_variant: rhl9
diff --git a/roles/create_bootstrap/tasks/main.yaml b/roles/create_bootstrap/tasks/main.yaml
@@ -33,7 +33,7 @@
     --console pty,target_type=serial \
     --wait=-1 \
     --noautoconsole
-  timeout: 360
+  timeout: 480
   register: cmd_output
 
 - name: Debug, print above command output

diff --git a/roles/download_ocp_installer/defaults/main.yaml b/roles/download_ocp_installer/defaults/main.yaml
@@ -1,5 +1,23 @@
+# Openshift Settings
+install_config_defaults:
+  api_version: v1
+  compute:
+    architecture: s390x
+    hyperthreading: Enabled
+  control:
+    architecture: s390x
+    hyperthreading: Enabled
+  cluster_network:
+    cidr: 10.128.0.0/14
+    host_prefix: 23
+    type: OVNKubernetes
+  service_network: 172.30.0.0/16
+  machine_network: 192.168.122.0/24
+  fips: false
+
 # ocp_download_url with '/' at the end !
 ocp_download_url: "https://mirror.openshift.com/pub/openshift-v4/multi/clients/ocp/latest/s390x/"
 # ocp client and installer filenames
 ocp_client_tgz: "openshift-client-linux.tar.gz"
 ocp_install_tgz: "openshift-install-linux.tar.gz"
+ocp_install_fips_tgz: "openshift-install-rhel9"
diff --git a/roles/download_ocp_installer/tasks/main.yaml b/roles/download_ocp_installer/tasks/main.yaml
@@ -1,18 +1,36 @@
 ---
-- name: Download OpenShift Installer.
-  get_url:
-    url: "{{ abi.ocp_installer_url }}{{abi.ocp_installer_version}}/openshift-install-linux.tar.gz"
+- name: Download OpenShift Installer (fips=false).
+  ansible.builtin.get_url:
+    url: "{{ abi.ocp_installer_url }}{{ abi.ocp_installer_version }}/openshift-install-linux.tar.gz"
     dest: /tmp
+    mode: '640'
     validate_certs: false
+  when: not install_config_vars.fips
 
-- name: Extract & Unzip Downloaded OpenShift Installer tar file on Remote
+- name: Download OpenShift Installer (fips=true).
+  ansible.builtin.get_url:
+    url: "{{ abi.ocp_installer_url }}{{ abi.ocp_installer_version }}/{{ ocp_install_fips_tgz }}-{{ install_config_vars.control.architecture }}.tar.gz"
+    dest: /tmp
+    mode: '640'
+    validate_certs: false
+  when: install_config_vars.fips
+
+- name: Extract & Unzip Downloaded OpenShift Installer tar file on Remote (fips=false)
   ansible.builtin.unarchive:
     src: /tmp/openshift-install-linux.tar.gz
     dest: /usr/local/bin
-    remote_src: yes
+    remote_src: true
+  when: not install_config_vars.fips
+
+- name: Extract & Unzip Downloaded OpenShift Installer tar file on Remote (fips=true)
+  ansible.builtin.unarchive:
+    src: /tmp/{{ ocp_install_fips_tgz }}-{{ install_config_vars.control.architecture }}.tar.gz
+    dest: /usr/local/bin
+    remote_src: true
+  when: install_config_vars.fips
 
 - name: Download OpenShift Client.
-  get_url:
+  ansible.builtin.get_url:
     url: "{{ ocp_download_url }}{{ ocp_client_tgz }}"
     dest: "/tmp/"
     mode: "0755"
@@ -21,10 +39,10 @@
   ansible.builtin.unarchive:
     src: "{{ ocp_download_url }}{{ ocp_client_tgz }}"
     dest: /usr/local/bin
-    remote_src: yes
+    remote_src: true
 
 - name: Install NMState package
   ansible.builtin.yum:
     name: nmstate
     state: latest
-    skip_broken: yes
+    skip_broken: true
diff --git a/roles/download_ocp_installer/vars/main.yaml b/roles/download_ocp_installer/vars/main.yaml
@@ -0,0 +1,6 @@
+install_config_vars: |
+  {%- if install_config is defined and install_config is iterable -%}
+  {{ install_config_defaults | combine (install_config, recursive=True) }}
+  {%- else -%}
+  {{ install_config_defaults }}
+  {%- endif -%}
diff --git a/roles/get_ocp/defaults/main.yaml b/roles/get_ocp/defaults/main.yaml
@@ -25,10 +25,10 @@ install_config_defaults:
     type: OVNKubernetes
   service_network: 172.30.0.0/16
   machine_network: 192.168.122.0/24
-  fips: 'false'
+  fips: false
 
 # (Optional) Proxy
-use_proxy: False 
+use_proxy: false
 proxy_http:
 proxy_https:
 proxy_no:
diff --git a/roles/prepare_configs/defaults/main.yaml b/roles/prepare_configs/defaults/main.yaml
@@ -3,7 +3,7 @@ install_config_defaults:
   api_version: v1
   compute:
     architecture: s390x
-    hyperthreading: Enabled                                                                                                                                                                                  
+    hyperthreading: Enabled
   control:
     architecture: s390x
     hyperthreading: Enabled
@@ -13,4 +13,4 @@ install_config_defaults:
     type: OVNKubernetes
   service_network: 172.30.0.0/16
   machine_network: 192.168.122.0/24
-  fips: 'false'
+  fips: false
diff --git a/roles/prepare_configs/templates/install-config.yaml.j2 b/roles/prepare_configs/templates/install-config.yaml.j2
@@ -22,6 +22,7 @@ compute:
   replicas: {{ compute_replicas }}
 metadata:
   name: {{ env.cluster.networking.metadata_name }}
+fips: {{ install_config_vars.fips }}
 networking:
   clusterNetwork:
   - cidr: {{ install_config_vars.cluster_network.cidr }}