Merge pull request #280 from ody/install_fips

Support the installation of PE on FIPS enabled RHEL

Author: davidsandilands

Diff for: .fixtures.yml

@@ -4,6 +4,7 @@ fixtures:
     ruby_task_helper: "puppetlabs/ruby_task_helper"
     service: "puppetlabs/service"
     package: "puppetlabs/package"
+    reboot: "puppetlabs/reboot"
   repositories:
     facts: 'https://github.com/puppetlabs/puppetlabs-facts.git'
     puppet_agent: 'https://github.com/puppetlabs/puppetlabs-puppet_agent.git'

Diff for: .github/workflows/test-fips-install-matrix.yaml

@@ -0,0 +1,152 @@
+---
+name: "Install fips test matrix"
+
+on:
+  pull_request:
+    branches: [main]
+    types: [review_requested]
+  workflow_dispatch: {}
+
+env:
+  HONEYCOMB_WRITEKEY: 7f3c63a70eecc61d635917de46bea4e6
+  HONEYCOMB_DATASET: litmus tests
+
+jobs:
+  test-install:
+    name: "PE ${{ matrix.version }} ${{ matrix.architecture }} on ${{ matrix.image }} with fips ${{ matrix.fips }}"
+    runs-on: ubuntu-20.04
+    env:
+      BOLT_GEM: true
+      BOLT_DISABLE_ANALYTICS: true
+      BUILDEVENT_FILE: '../buildevents.txt'
+      LANG: 'en_US.UTF-8'
+    strategy:
+      fail-fast: false
+      matrix:
+        architecture:
+          - standard-with-dr
+          - large
+          - extra-large-with-dr
+        version:
+          - 2019.8.11
+          - 2021.6.0
+        image:
+          - rhel-8
+        fips:
+          - enable
+
+    steps:
+      - name: "Honeycomb: Start recording"
+        uses: puppetlabs/kvrhdn-gha-buildevents@pdk-templates-v1
+        with:
+          apikey: ${{ env.HONEYCOMB_WRITEKEY }}
+          dataset: ${{ env.HONEYCOMB_DATASET }}
+          job-status: ${{ job.status }}
+
+      - name: "Honeycomb: Start first step"
+        run: |
+          echo STEP_ID=setup-test-cluster >> $GITHUB_ENV
+          echo STEP_START=$(date +%s) >> $GITHUB_ENV
+
+      - name: "Checkout Source"
+        uses: actions/checkout@v2
+
+      - name: "Activate Ruby 2.7"
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "2.7"
+          bundler-cache: true
+
+      - name: "Print bundle environment"
+        if: ${{ github.repository_owner == 'puppetlabs' }}
+        run: |
+          echo ::group::info:bundler
+            buildevents cmd $TRACE_ID $STEP_ID 'bundle env' -- bundle env
+          echo ::endgroup::
+
+      - name: "Honeycomb: Record environment setup time"
+        if: ${{ always() }}
+        run: |
+          echo ::group::honeycomb
+            buildevents step $TRACE_ID $STEP_ID $STEP_START 'Set up environment'
+            echo STEP_ID=${{ matrix.architecture }}-${{ matrix.image }}-fips_${{ matrix.fips }}-provision >> $GITHUB_ENV
+            echo STEP_START=$(date +%s) >> $GITHUB_ENV
+          echo ::endgroup::
+
+      - name: 'Provision test cluster'
+        timeout-minutes: 15
+        run: |
+          echo ::group::prepare
+            mkdir -p $HOME/.ssh
+            echo 'Host *'                      >  $HOME/.ssh/config
+            echo '    ServerAliveInterval 150' >> $HOME/.ssh/config
+            echo '    ServerAliveCountMax 2'   >> $HOME/.ssh/config
+            buildevents cmd $TRACE_ID $STEP_ID 'rake spec_prep' -- bundle exec rake spec_prep
+          echo ::endgroup::
+
+          echo ::group::provision
+            buildevents cmd $TRACE_ID $STEP_ID 'bolt plan run peadm_spec::provision_test_cluster' -- \
+              bundle exec bolt plan run peadm_spec::provision_test_cluster \
+                --modulepath spec/fixtures/modules \
+                provider=provision_service \
+                image=${{ matrix.image }} \
+                architecture=${{ matrix.architecture }}
+          echo ::endgroup::
+
+          echo ::group::info:request
+            cat request.json || true; echo
+          echo ::endgroup::
+
+          echo ::group::info:inventory
+            sed -e 's/password: .*/password: "[redacted]"/' < spec/fixtures/litmus_inventory.yaml || true
+          echo ::endgroup::
+
+      - name: "Honeycomb: Record provision time"
+        if: ${{ always() }}
+        run: |
+          echo ::group::honeycomb
+            buildevents step $TRACE_ID $STEP_ID $STEP_START 'Provision test cluster'
+            echo STEP_ID=${{ matrix.architecture }}-${{ matrix.image }}-fips_${{ matrix.fips }}-install >> $GITHUB_ENV
+            echo STEP_START=$(date +%s) >> $GITHUB_ENV
+          echo ::endgroup::
+
+      - name: 'Install PE on test cluster'
+        timeout-minutes: 120
+        run: |
+          buildevents cmd $TRACE_ID $STEP_ID 'bolt plan run peadm_spec::install_test_cluster' -- \
+            bundle exec bolt plan run peadm_spec::install_test_cluster \
+              --inventoryfile spec/fixtures/litmus_inventory.yaml \
+              --modulepath spec/fixtures/modules \
+              architecture=${{ matrix.architecture }} \
+              version=${{ matrix.version }} \
+              fips=${{ matrix.fips }} 
+
+      - name: "Honeycomb: Record install time"
+        if: ${{ always() }}
+        run: |
+          echo ::group::honeycomb
+            buildevents step $TRACE_ID $STEP_ID $STEP_START 'Install PE on test cluster'
+            echo STEP_ID=${{ matrix.architecture }}-${{ matrix.image }}-fips_${{ matrix.fips }}-tear_down >> $GITHUB_ENV
+            echo STEP_START=$(date +%s) >> $GITHUB_ENV
+          echo ::endgroup::
+
+      - name: 'Tear down test cluster'
+        if: ${{ always() }}
+        continue-on-error: true
+        run: |
+          if [ -f spec/fixtures/litmus_inventory.yaml ]; then
+            echo ::group::tear_down
+              buildevents cmd $TRACE_ID $STEP_ID 'rake litmus:tear_down' -- bundle exec rake 'litmus:tear_down'
+            echo ::endgroup::
+
+            echo ::group::info:request
+              cat request.json || true; echo
+            echo ::endgroup::
+          fi
+
+      - name: "Honeycomb: Record tear down time"
+        if: ${{ always() }}
+        run: |
+          echo ::group::honeycomb
+            buildevents step $TRACE_ID $STEP_ID $STEP_START 'Tear down test cluster'
+          echo ::endgroup::

Diff for: spec/acceptance/peadm_spec/plans/install_test_cluster.pp

@@ -1,6 +1,7 @@
 plan peadm_spec::install_test_cluster (
-  $architecture,
-  $version,
+  String[1]                 $architecture,
+  String[1]                 $version,
+  Enum['enable', 'disable'] $fips = 'disable'
 ) {
 
   $t = get_targets('*')
@@ -11,6 +12,15 @@
     $target.set_var('certname', $fqdn.first['stdout'].chomp)
   }
 
+  if $fips == 'enable' {
+    run_command('/bin/fips-mode-setup --enable', $t)
+    run_plan('reboot', $t)
+    $fips_status = run_command('/bin/fips-mode-setup --check', $t)
+    $fips_status.each |$status| {
+      out::message("${status.target.name}: ${status.value['stdout']}")
+    }
+  }
+
   $common_params = {
     console_password => 'puppetlabs',
     download_mode    => 'direct',

Diff for: tasks/precheck.sh

@@ -7,18 +7,20 @@ if grep -qi ubuntu /etc/os-release; then
   osfamily="ubuntu"
 elif grep -qi sles /etc/os-release; then
   osfamily="sles"
+elif grep -qi redhat /etc/os-release && fips-mode-setup --is-enabled; then
+  osfamily="redhatfips"
 else
   osfamily="el"
 fi
 
 # OS-specific modifications
 [ "$osfamily" = "ubuntu" -a "$arch" = "x86_64" ] && arch="amd64"
-[ "$osfamily" = "el"  ] || [ "$osfamily" = "sles"  ]  && version=$(echo "$version" | cut -d . -f 1)
+[ "$osfamily" = "el"  ] || [ "$osfamily" = "sles"  ] || [ "$osfamily" = "redhatfips" ]  && version=$(echo "$version" | cut -d . -f 1)
 
 # Output a JSON result for ease of Task usage in Puppet Task Plans
 cat <<EOS
   {
     "hostname": "${hostname}",
     "platform": "${osfamily}-${version}-${arch}"
   }
-EOS
+EOS