Allow partial override about SshServerOptions

When operator needs to change any options described in sshd_config,
he/she should use the parameter named SshServerOptions to define
the updated configuration.

However the problem here is that he/she should define the whole content
instead of the actual lines to be overridden, otherwise some of the
lines defined in its default can be missing from configuration. This
makes it difficutlt to properly update the parameter during update or
upgrade, since operators always need to check whetehr any change has
been made about the default of SshServerOptions.

This change introduces a new parameter, SshServerOptionsOverride, which
can be used to override specific line in SshServerOptions. Note that
SshServerOptions should still be used if any of the lines in
SshServerOptions needs to be removed.

Change-Id: I8a018c8c7435a753c8ed5b5fa211d91d053f8d67

deployment/sshd/sshd-baremetal-ansible.yaml

@@ -60,6 +60,11 @@ parameters:
       Subsystem: 'sftp  /usr/libexec/openssh/sftp-server'
     description: Mapping of sshd_config values
     type: json
+  SshServerOptionsOverrides:
+    default: {}
+    description: Mapping of sshd_config values to override definitions in
+                 SshServerOptions
+    type: json
   PasswordAuthentication:
     default: 'no'
     description: Whether or not disable password authentication
@@ -89,7 +94,10 @@ outputs:
         - include_role:
             name: tripleo_ssh
           vars:
-            tripleo_sshd_server_options: {get_param: SshServerOptions}
+            tripleo_sshd_server_options:
+              map_merge:
+                - {get_param: SshServerOptions}
+                - {get_param: SshServerOptionsOverrides}
             tripleo_sshd_password_authentication: {get_param: PasswordAuthentication}
             tripleo_sshd_banner_enabled:
               if:

deployment/sshd/sshd-baremetal-puppet.yaml

@@ -60,6 +60,11 @@ parameters:
       Subsystem: 'sftp  /usr/libexec/openssh/sftp-server'
     description: Mapping of sshd_config values
     type: json
+  SshServerOptionsOverrides:
+    default: {}
+    description: Mapping of sshd_config values to override definitions in
+                 SshServerOptions
+    type: json
   PasswordAuthentication:
     default: 'no'
     description: Whether or not disable password authentication
@@ -86,7 +91,10 @@ outputs:
       config_settings:
         tripleo::profile::base::sshd::bannertext: {get_param: BannerText}
         tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay}
-        tripleo::profile::base::sshd::options: {get_param: SshServerOptions}
+        tripleo::profile::base::sshd::options:
+          map_merge:
+            - {get_param: SshServerOptions}
+            - {get_param: SshServerOptionsOverrides}
         tripleo::profile::base::sshd::password_authentication: {get_param: PasswordAuthentication}
       step_config: |
         include tripleo::profile::base::sshd

releasenotes/notes/ssh-server-options-overrides-f677913bfd65efe1.yaml

@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    The new ``SshServerOptionsOverrides`` parameter has been added. This
+    parameter can be used to override a part of sshd_config, which is defined
+    by the ``SshServerOptions``.