Add role to enable FIPS on a node

Adds role to be used to enable FIPS on test nodes, so that projects
can create jobs that would test when FIPS is enabled.

This is pretty much copied from the same role in ansible zuul jobs, where
it works well. Thanks to Paul Belanger for pointing it out.
https://github.com/ansible/ansible-zuul-jobs/blob/master/roles/enable-fips-mode/tasks/main.yaml

An example showing how this is can be used is in:
https://review.opendev.org/c/openstack/barbican/+/760665

Change-Id: If07b8ddb77368d591659f3a111e3f5306daf6f06

doc/source/general-roles.rst

@@ -13,6 +13,7 @@ General Purpose Roles
 .. zuul:autorole:: download-artifact
 .. zuul:autorole:: dstat-graph
 .. zuul:autorole:: emit-job-header
+.. zuul:autorole:: enable-fips
 .. zuul:autorole:: enable-netconsole
 .. zuul:autorole:: ensure-bazelisk
 .. zuul:autorole:: ensure-dhall

roles/enable-fips/README.rst

@@ -0,0 +1,4 @@
+Enable FIPS on a node.
+
+Set a node into FIPS mode, to test functionality when crypto
+policies are set to FIPS in RHEL 8/Centos 8.

roles/enable-fips/tasks/main.yaml

@@ -0,0 +1,63 @@
+---
+- name: Make sure this role is run on RHEL/CentOS 8 systems
+  fail:
+    msg: This role supports RHEL/CentOS 8 systems only
+  when:
+    - (ansible_distribution != 'CentOS' and ansible_distribution != 'Red Hat Enterprise Linux') or
+      ansible_distribution_major_version != '8'
+
+- name: Install fips-mode-setup
+  become: true
+  package:
+    name: crypto-policies-scripts
+    state: present
+
+- name: Enable FIPS mode
+  become: true
+  command: fips-mode-setup --enable
+
+- name: check if GRUB_CMDLINE_LINUX_DEFAULT exists in /etc/default/grub
+  become: true
+  shell: |
+    set -o pipefail
+    grep "GRUB_CMDLINE_LINUX_DEFAULT=" /etc/default/grub
+  register: test_grep
+  failed_when: false
+
+- name: add GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
+  become: true
+  lineinfile:
+    path: /etc/default/grub
+    line: 'GRUB_CMDLINE_LINUX_DEFAULT="fips=1"'
+  when: test_grep.rc != 0
+
+- name: Replace GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
+  become: true
+  lineinfile:
+    path: /etc/default/grub
+    regexp: 'GRUB_CMDLINE_LINUX_DEFAULT="(.*)"'
+    line: 'GRUB_CMDLINE_LINUX_DEFAULT="\1 fips=1"'
+    backrefs: true
+  when: test_grep.rc == 0
+
+- name: Rebuild grub.cfg file
+  become: true
+  command: grub2-mkconfig -o /boot/grub2/grub.cfg
+
+- name: Reboot server for FIPS mode
+  become: true
+  reboot:
+    reboot_timeout: 1800
+
+- name: Run start-zuul-console role
+  include_role:
+    name: start-zuul-console
+
+- name: Ensure FIPS mode is enabled
+  become: true
+  command: fips-mode-setup --check
+  register: _result
+
+- name: Assert FIPS is enabled
+  assert:
+    that: _result.stdout == "FIPS mode is enabled."

zuul-tests.d/general-roles-jobs.yaml

@@ -368,6 +368,19 @@
     vars:
       role_name: clear-firewall
 
+- job:
+    name: zuul-jobs-test-enable-fips
+    description: Test the enable-fips role
+    files:
+      - roles/enable-fips/.*
+    run: test-playbooks/simple-role-test.yaml
+    vars:
+      role_name: enable-fips
+    nodeset:
+      nodes:
+        - name: centos-8-stream
+          label: centos-8-stream
+
 - job:
     name: zuul-jobs-test-ensure-bazelisk
     description: Test the ensure-bazelisk role
@@ -749,6 +762,7 @@
         - zuul-jobs-test-bindep-ubuntu-xenial
         - zuul-jobs-test-bindep-ubuntu-focal
         - zuul-jobs-test-clear-firewall
+        - zuul-jobs-test-enable-fips
         - zuul-jobs-test-ensure-bazelisk
         - zuul-jobs-test-netconsole
         - zuul-jobs-test-dstat-graph
@@ -798,6 +812,7 @@
         - zuul-jobs-test-bindep-ubuntu-xenial
         - zuul-jobs-test-bindep-ubuntu-focal
         - zuul-jobs-test-clear-firewall
+        - zuul-jobs-test-enable-fips
         - zuul-jobs-test-ensure-bazelisk
         - zuul-jobs-test-netconsole
         - zuul-jobs-test-dstat-graph