Deprecate SshServerOptionsOverrides

It's very confusing to provide one parameter with a default and then add another to override it. This would allow merging of the SshServerOptions as expected. Change-Id: I2e460c9f3e71c22c94ccb722db63ed31af73f450 (cherry picked from commit e174fd82cf)
2022-05-31 16:51:53 +05:30 · 2022-05-31 16:51:53 +05:30 · f40e503712
commit f40e503712
parent 2684005779
4 changed files with 44 additions and 43 deletions
--- a/deployment/sshd/sshd-baremetal-ansible.yaml
+++ b/deployment/sshd/sshd-baremetal-ansible.yaml
@ -36,31 +36,8 @@ parameters:
    description: Configures /etc/motd text
    type: string
  SshServerOptions:
-    default:
-      HostKey:
-        - '/etc/ssh/ssh_host_rsa_key'
-        - '/etc/ssh/ssh_host_ecdsa_key'
-        - '/etc/ssh/ssh_host_ed25519_key'
-      SyslogFacility: 'AUTHPRIV'
-      AuthorizedKeysFile: '.ssh/authorized_keys'
-      ChallengeResponseAuthentication: 'no'
-      GSSAPIAuthentication: 'no'
-      GSSAPICleanupCredentials: 'no'
-      UsePAM: 'yes'
-      UseDNS: 'no'
-      X11Forwarding: 'yes'
-      AcceptEnv:
-        - 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES'
-        - 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT'
-        - 'LC_IDENTIFICATION LC_ALL LANGUAGE'
-        - 'XMODIFIERS'
-      Subsystem: 'sftp  /usr/libexec/openssh/sftp-server'
-    description: Mapping of sshd_config values
-    type: json
-  SshServerOptionsOverrides:
    default: {}
-    description: Mapping of sshd_config values to override definitions in
-                 SshServerOptions
+    description: Mapping of sshd_config values
    type: json
  PasswordAuthentication:
    default: 'no'
@ -70,6 +47,23 @@ parameters:
    default: false
    description: Set this to true to open up ssh access from all sources.
    type: boolean
+  # DEPRECATED: the following options are deprecated and are currently maintained
+  # for backwards compatibility.
+  SshServerOptionsOverrides:
+    default: {}
+    description: Mapping of sshd_config values to override definitions in
+                 SshServerOptions
+    type: json
+
+parameter_groups:
+- label: deprecated
+  description: |
+   The following parameters are deprecated and will be removed. They should not
+   be relied on for new deployments. If you have concerns regarding deprecated
+   parameters, please contact the TripleO development team on IRC or the
+   OpenStack mailing list.
+  parameters:
+  - SshServerOptionsOverrides

 conditions:
  ssh_firewall_allow_all: {equals: [{get_param: SshFirewallAllowAll}, true]}
--- a/deployment/sshd/sshd-baremetal-puppet.yaml
+++ b/deployment/sshd/sshd-baremetal-puppet.yaml
@ -36,25 +36,7 @@ parameters:
    description: Configures /etc/motd text
    type: string
  SshServerOptions:
-    default:
-      HostKey:
-        - '/etc/ssh/ssh_host_rsa_key'
-        - '/etc/ssh/ssh_host_ecdsa_key'
-        - '/etc/ssh/ssh_host_ed25519_key'
-      SyslogFacility: 'AUTHPRIV'
-      AuthorizedKeysFile: '.ssh/authorized_keys'
-      ChallengeResponseAuthentication: 'no'
-      GSSAPIAuthentication: 'no'
-      GSSAPICleanupCredentials: 'no'
-      UsePAM: 'yes'
-      UseDNS: 'no'
-      X11Forwarding: 'yes'
-      AcceptEnv:
-        - 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES'
-        - 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT'
-        - 'LC_IDENTIFICATION LC_ALL LANGUAGE'
-        - 'XMODIFIERS'
-      Subsystem: 'sftp  /usr/libexec/openssh/sftp-server'
+    default: {}
    description: Mapping of sshd_config values
    type: json
  SshServerOptionsOverrides:
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@ -347,6 +347,7 @@ resource_registry:
 parameter_merge_strategies:
  ServiceNetMap: merge
  VipSubnetMap: merge
+  SshServerOptions: merge
 {% for role in roles %}
  {{role.name}}Parameters: merge
 {% endfor %}
@ -454,3 +455,22 @@ parameter_defaults:
 {%- endfor %}
    redis: {{ _service_nets.get('internal_api', 'ctlplane') }}_subnet
    ovn_dbs: {{ _service_nets.get('internal_api', 'ctlplane') }}_subnet
+  SshServerOptions:
+    HostKey:
+      - '/etc/ssh/ssh_host_rsa_key'
+      - '/etc/ssh/ssh_host_ecdsa_key'
+      - '/etc/ssh/ssh_host_ed25519_key'
+    SyslogFacility: 'AUTHPRIV'
+    AuthorizedKeysFile: '.ssh/authorized_keys'
+    ChallengeResponseAuthentication: 'no'
+    GSSAPIAuthentication: 'no'
+    GSSAPICleanupCredentials: 'no'
+    UsePAM: 'yes'
+    UseDNS: 'no'
+    X11Forwarding: 'yes'
+    AcceptEnv:
+      - 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES'
+      - 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT'
+      - 'LC_IDENTIFICATION LC_ALL LANGUAGE'
+      - 'XMODIFIERS'
+    Subsystem: 'sftp  /usr/libexec/openssh/sftp-server'
--- a/releasenotes/notes/deprecate-SshServerOptionsOverrides-parameter-40820bd943e20018.yaml
+++ b/releasenotes/notes/deprecate-SshServerOptionsOverrides-parameter-40820bd943e20018.yaml
@ -0,0 +1,5 @@
+---
+deprecations:
+  - |
+    The parameter SshServerOptionsOverrides has been deprecated since Ussuri.
+    Use SshServerOptions to override partial sshd_config.