From af4d2383873ca77d621b3306c0bde8485a1e5629 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Mon, 1 Mar 2021 17:56:13 -0500
Subject: [PATCH] Add parameter to set iscsid CHAP algorithms
By default, iscsid uses md5 for CHAP negotiation. This will not work for FIPS enabled systems. Add a parameter to allow the algorithm list to be set explicitly.
Co-Authored-By: Alan Bishop
Depends-On: https://review.opendev.org/c/openstack/puppet-tripleo/+/778081
Change-Id: If0eedff9515f25740ac026e8d356d007da11a19d
---
 deployment/iscsid/iscsid-container-puppet.yaml | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/deployment/iscsid/iscsid-container-puppet.yaml b/deployment/iscsid/iscsid-container-puppet.yaml
index c35ee162e8..863d492720 100644
--- a/deployment/iscsid/iscsid-container-puppet.yaml
+++ b/deployment/iscsid/iscsid-container-puppet.yaml
@@ -61,6 +61,11 @@ parameters:
 type: comma_delimited_list
 tags:
 - role_specific
+ IscsidCHAPAlgorithms:
+ default: 'SHA3-256,SHA256,SHA1,MD5'
+ description: A comma separated list of algorithms to be used for the CHAP
+ algorithm.
+ type: string
 resources:
@@ -88,7 +93,8 @@ outputs:
 description: Role data for the Iscsid role.
 value:
 service_name: iscsid
- config_settings: {}
+ config_settings:
+ tripleo::profile::base::iscsid::chap_algs: {get_param: IscsidCHAPAlgorithms}
 service_config_settings: {}
 deploy_steps_tasks:
 - name: Run lvmfilter role
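Review bot: The default for `IscsidCHAPAlgorithms` still ends in `SHA1,MD5`, so the initiator keeps offering the digest the commit message singles out, and a target that supports only MD5 would presumably still be authenticated with it; the description says nothing about ordering or about trimming the list. I would spell that out in the description: `A comma separated list of CHAP digest algorithms iscsid may negotiate, most preferred first. Remove MD5 and SHA1 for FIPS or hardened deployments.` Because the type is a free-form `string`, a typo is handed unchanged to `tripleo::profile::base::iscsid::chap_algs` in the next hunk; whether the puppet side validates it is not visible here, so a Heat `allowed_pattern` constraint on the parameter would catch it at stack validation.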
@@ -110,12 +116,16 @@ outputs:
 # However, overcloud nodes must have a unique IQN. Allow full
 # (write) access to /etc/iscsi so that puppet ensures the IQN
 # is unique and is reset once, and only once.
- - /etc/iscsi:/etc/iscsi:z
+ # NOTE(abishop) The host directory is mounted at /tmp/iscsi.host
+ # to allow puppet to manage its own files, but still be able to
+ # sync with the host. See I89023603147e21d5c211041f70fc2c988d5f4de1
+ # for details.
+ - /etc/iscsi:/tmp/iscsi.host:z
 kolla_config:
 /var/lib/kolla/config_files/iscsid.json:
 command: /usr/sbin/iscsid -f
 config_files:
- - source: "/var/lib/kolla/config_files/src-iscsid/*"
+ - source: "/var/lib/kolla/config_files/src-iscsid/"
 dest: "/etc/iscsi/"
 merge: true
 preserve_properties: true
@@ -138,7 +148,7 @@ outputs:
 - /run/:/run/
 - /sys:/sys
 - /lib/modules:/lib/modules:ro
- - /etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro
+ - /var/lib/config-data/puppet-generated/iscsid/etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro
 - /etc/target:/etc/target:z
 - /var/lib/iscsi:/var/lib/iscsi:z
 environment:
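Review bot: The host's /etc/iscsi is still bind-mounted writable (`:z`, no `ro`) into the puppet container, now at /tmp/iscsi.host, but the new NOTE does not say which files are synced or in which direction, and the older comment above it still speaks of write access to /etc/iscsi. I would add a line to the NOTE naming the write-back scope, for example `# Only the IQN is expected to be written back to the host through /tmp/iscsi.host.`, adjusted to what the referenced change actually does. That keeps the one writable path into the host's iSCSI configuration auditable from this file. The volumes list this entry belongs to starts outside the hunk.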
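Review bot: Nothing on the changed `src-iscsid` mount says that the iscsid container's /etc/iscsi is now seeded from the puppet-generated tree instead of the host's /etc/iscsi, which is where an operator must look to verify the effective CHAP algorithm list. I would add above it `# iscsid.conf (including the CHAP algorithm list) comes from the puppet-generated tree, not from the host's /etc/iscsi.` If that file can also carry CHAP credentials, which the hunk does not show, the ownership and mode of the directory under /var/lib/config-data deserve a check. The volumes list starts outside the hunk.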