Enable CIS benchmark hardening in AIO and Multinode

jovial · jovial · commit 775fc1da44fb · 2024-06-21T10:48:38.000+01:00
Currently we do not have coverage of this feature in CI.
diff --git a/doc/source/configuration/security-hardening.rst b/doc/source/configuration/security-hardening.rst
@@ -40,3 +40,18 @@ whether or not workloads or API requests are affected by any configuration chang
 
     kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cis.yml
 
+Enabling the host configure hook
+--------------------------------
+
+A hook is pre-installed but its execution is guarded by the 
+``stackhpc_enable_cis_benchmark_hardening`` configuration option.
+If you want the hardening playbooks to run automatically, as part of
+host configure, simply set this flag to ``true``:
+
+.. code-block:: yaml
+  :caption: $KAYOBE_CONFIG_PATH/stackhpc.yml
+   
+    stackhpc_enable_cis_benchmark_hardening: true
+
+Alternatively, this can be toggled on a per-environment basis by
+setting it in an environment specific config file.
diff --git a/etc/kayobe/environments/ci-aio/stackhpc.yml b/etc/kayobe/environments/ci-aio/stackhpc.yml
@@ -0,0 +1,3 @@
+---
+
+stackhpc_enable_cis_benchmark_hardening: true
diff --git a/etc/kayobe/environments/ci-multinode/stackhpc.yml b/etc/kayobe/environments/ci-multinode/stackhpc.yml
@@ -0,0 +1,3 @@
+---
+
+stackhpc_enable_cis_benchmark_hardening: true
diff --git a/etc/kayobe/hooks/overcloud-host-configure/post.d/99-cis.yml b/etc/kayobe/hooks/overcloud-host-configure/post.d/99-cis.yml
@@ -0,0 +1,4 @@
+---
+
+import_playbook: ../../../ansible/cis.yml
+when: stackhpc_enable_cis_benchmark_hardening | bool
diff --git a/etc/kayobe/stackhpc.yml b/etc/kayobe/stackhpc.yml
@@ -148,3 +148,9 @@ stackhpc_docker_registry: "{{ pulp_url | regex_replace('^https?://', '') }}"
 # Username and password of container registry.
 stackhpc_docker_registry_username: "{{ pulp_username }}"
 stackhpc_docker_registry_password: "{{ pulp_password }}"
+
+###############################################################################
+# Feature flags
+
+# Whether or not to run CIS benchmark hardening playbooks
+stackhpc_enable_cis_benchmark_hardening: false
diff --git a/releasenotes/notes/adds-cis-hook-8cec8d42103d075e.yaml b/releasenotes/notes/adds-cis-hook-8cec8d42103d075e.yaml
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Adds a hook to automatically run the CIS benchmark hardening playbooks as
+    part of host configure. This is guarded by the
+    ``stackhpc_enable_cis_benchmark_hardening`` configuration option and is
+    disabled by default.

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+---`
	`2`	`+`
	`3`	`+stackhpc_enable_cis_benchmark_hardening: true`
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
++
 +import_playbook: ../../../ansible/cis.yml
 +when: stackhpc_enable_cis_benchmark_hardening | bool