Support extending default hardening group

jovial · jovial · commit 4ded47e08fbf · 2024-06-21T11:25:33.000+01:00
diff --git a/doc/source/configuration/security-hardening.rst b/doc/source/configuration/security-hardening.rst
@@ -54,4 +54,5 @@ host configure, simply set this flag to ``true``:
     stackhpc_enable_cis_benchmark_hardening: true
 
 Alternatively, this can be toggled on a per-environment basis by
-setting it in an environment specific config file.
+setting it in an environment specific config file, or even on
+targeted hosts by using group or host vars.
diff --git a/etc/kayobe/ansible/cis.yml b/etc/kayobe/ansible/cis.yml
@@ -1,7 +1,7 @@
 ---
 
 - name: Security hardening
-  hosts: overcloud
+  hosts: cis-hardening
   become: true
   tasks:
     # TODO: Remove this when Red Hat FIPS policy has been updated to allow ed25519 keys.
diff --git a/etc/kayobe/inventory/group_vars/all/stackhpc b/etc/kayobe/inventory/group_vars/all/stackhpc
@@ -0,0 +1,6 @@
+---
+###############################################################################
+# Feature flags
+
+# Whether or not to run CIS benchmark hardening playbooks. Default is false.
+stackhpc_enable_cis_benchmark_hardening: false
diff --git a/etc/kayobe/inventory/groups b/etc/kayobe/inventory/groups
@@ -125,3 +125,9 @@ rgws
 [mgrs]
 [osds]
 [rgws]
+
+###############################################################################
+# Feature control groups
+
+[cis-hardening:children]
+overcloud
diff --git a/etc/kayobe/stackhpc.yml b/etc/kayobe/stackhpc.yml
@@ -152,5 +152,5 @@ stackhpc_docker_registry_password: "{{ pulp_password }}"
 ###############################################################################
 # Feature flags
 
-# Whether or not to run CIS benchmark hardening playbooks
-stackhpc_enable_cis_benchmark_hardening: false
+# Whether or not to run CIS benchmark hardening playbooks. Default is false.
+#stackhpc_enable_cis_benchmark_hardening:
