WIP: Configure fips on the bastion node of openshift cluster #276
Closed
49 changes: 49 additions & 0 deletions modules/1_bastion/bastion.tf
@@ -345,3 +345,52 @@ resource "null_resource" "setup_nfs_disk" {
]
}
}

resource "null_resource" "fips_enablement" {
count = var.fips_compliant ? local.bastion_count : 0
depends_on = [openstack_compute_keypair_v2.key-pair, random_id.label, openstack_compute_flavor_v2.bastion_scg, openstack_compute_instance_v2.bastion, null_resource.bastion_init, null_resource.setup_proxy_info, null_resource.bastion_register, null_resource.enable_repos, null_resource.bastion_packages, openstack_blockstorage_volume_v3.storage_volume, openstack_compute_volume_attach_v2.storage_v_attach, null_resource.setup_nfs_disk]

connection {
type = "ssh"
user = var.rhel_username
host = openstack_compute_instance_v2.bastion[count.index].access_ip_v4
private_key = var.private_key
agent = var.ssh_agent
timeout = "${var.connection_timeout}m"
}
provisioner "remote-exec" {
inline = [
<<EOF
sudo fips-mode-setup --enable
sudo shutdown -r +1
EOF
]
}
}

resource "time_sleep" "wait_60_seconds" {
count = var.fips_compliant ? local.bastion_count : 0
depends_on = [null_resource.fips_enablement]

create_duration = "60s"
}

resource "null_resource" "bastion_nop" {
#This step waits for the bastion to come back up and runs a simple command
count = var.fips_compliant ? local.bastion_count : 0
depends_on = [null_resource.fips_enablement, time_sleep.wait_60_seconds]

connection {
type = "ssh"
user = var.rhel_username
host = openstack_compute_instance_v2.bastion[count.index].access_ip_v4
private_key = var.private_key
agent = var.ssh_agent
timeout = "${var.connection_timeout}m"
}
provisioner "remote-exec" {
inline = [
"whoami"
]
}
}
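Review bot: the reboot and the wait race each other between `fips_enablement` and `time_sleep.wait_60_seconds`. `sudo shutdown -r +1` schedules the reboot one minute after the provisioner returns, and `create_duration = "60s"` starts counting at that same moment, so `bastion_nop` (and everything ordered after it, such as `module.helpernode`) can open its SSH session in the window where the bastion is still up but about to go down, or exactly as sshd is stopping. Keep the delayed shutdown if it is there to let the provisioner exit cleanly, but make the sleep comfortably longer than the delay plus the reboot (for example `create_duration = "180s"`), or shorten the shutdown delay. Separately, `whoami` in `bastion_nop` only proves that SSH is reachable again; it does not prove the switch took effect. Replace it with `sudo fips-mode-setup --check` and fail the apply when the kernel flag is not set, e.g. `test "$(cat /proc/sys/crypto/fips_enabled)" = 1`, so a bastion that came back without FIPS does not silently proceed. One caveat worth a comment next to `fips-mode-setup --enable`: Red Hat recommends installing with `fips=1` rather than switching an already-installed system, because keys and settings created before the switch were not produced under FIPS constraints.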
1 change: 1 addition & 0 deletions modules/1_bastion/variables.tf
@@ -51,3 +51,4 @@ variable "volume_storage_template" {}

variable "setup_squid_proxy" {}
variable "proxy" {}
variable "fips_compliant" {}
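Review bot: `variable "fips_compliant" {}` carries no type, default or description, yet bastion.tf uses it as the condition in `var.fips_compliant ? local.bastion_count : 0`. Declare it as `type = bool`, add a `description`, and consider `default = false` so that a non-boolean value is rejected at plan time with a clear message and callers that do not set it keep the current (non-FIPS) behaviour.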
3 changes: 3 additions & 0 deletions modules/1_bastion/versions.tf
@@ -32,6 +32,9 @@ terraform {
source = "hashicorp/random"
version = "~> 3.4"
}
time = {
source = "hashicorp/time"
version = "0.9.1"
Contributor comment on lines +35 to +37:

This is a new dependency to facilitate synchronization between null_resource providers

}
required_version = ">= 1.2.0"
}
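Review bot: `version = "0.9.1"` pins `hashicorp/time` to an exact release while the sibling `hashicorp/random` block uses a pessimistic constraint (`~> 3.4`). Use the same form, e.g. `version = "~> 0.9"`, unless there is a reason to freeze it, and if there is, state it at the declaration. Note also that `required_providers` is unconditional, so every consumer of this module now downloads `hashicorp/time` even with `fips_compliant` unset; a short comment saying the provider exists only for the FIPS reboot synchronisation would save the next reader a search.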
2 changes: 2 additions & 0 deletions ocp.tf
@@ -66,6 +66,7 @@ module "bastion" {
volume_storage_template = var.volume_storage_template
setup_squid_proxy = var.setup_squid_proxy
proxy = var.proxy
fips_compliant = var.fips_compliant
}

module "network" {
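Review bot: `fips_compliant = var.fips_compliant` references a root-level variable, but none of the four files in this diff declares it at the root (only `modules/1_bastion/variables.tf` is touched). If the root declaration does not already exist, `terraform plan` fails with an undeclared-variable error; either it is already present and the PR description should say so, or add it here with `type = bool` and `default = false`.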
@@ -83,6 +84,7 @@ module "network" {
}

module "helpernode" {
depends_on = [module.bastion]
Contributor comment:

Added due to module level synchronization problems when FIPS is enabled.

There is an option to use a small dummy step that uses fips_compliant as the synchronization point only when fips is enabled. We opted for this cleaner approach.

source = "./modules/3_helpernode"

cluster_domain = var.cluster_domain
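Review bot: a module-level `depends_on = [module.bastion]` does more than order the two modules: Terraform defers every data source inside `modules/3_helpernode` to apply time, so values derived from them show as known after apply on every plan, not only when `fips_compliant` is set, and the helpernode module waits for all of `module.bastion`, including the non-FIPS resources. If that churn is acceptable, say so in the comment; otherwise wire the dependency through an output of the bastion module (one that depends on `null_resource.bastion_nop`) which the helpernode module consumes, giving the same ordering without the blanket wait.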