Issue type: Epic
Resolution: Done
Priority: Blocker
rhos-18.0.0
When OSP 18 is deployed on an OCP cluster with FIPS enabled, some services need specific configuration options.
In TripleO/Director a FIPS deployment used an environment YAML file with four parameter_defaults changes:
1. Set the iSCSI CHAP algorithms to explicitly exclude MD5:
   IscsidCHAPAlgorithms: 'SHA3-256,SHA256,SHA1'
2. Set SnmpdReadonlyUserAuthType to something other than 'MD5':
   SnmpdReadonlyUserAuthType: 'SHA'
3. Add RabbitAdditionalErlArgs for FIPS:
   RabbitFIPS: true
4. Override gcomm_cipher for FIPS:
   MysqlGaleraSSLCipher: 'ECDHE-RSA-AES256-GCM-SHA384'
In OSP 18 we need the equivalent for both the Control Plane and the Data Plane, though this Epic only tracks the Control Plane work.
Since FIPS mode must be configured as a day-1 operation in the OCP installation, the data plane operators need to check the FIPS mode of the cluster and make the necessary adjustments automatically.
Of the four changes done in TripleO/Director, two will not be performed by the operators for the Control Plane:
1. The iscsid configuration on the Control Plane is not controlled by the OSP operators, so it has to be configured by a human operator on the OCP cluster. This must be properly documented.
2. SNMP configuration will no longer be generated for Compute/EDPM nodes, so there is no need to configure it. This must also be documented.
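The following is an added example, not code from this epic, from TripleO or from the OpenStack operators. It shows the two pieces the text above describes: detecting whether the cluster was installed in FIPS mode (assuming the OCP convention of a top-level `fips: true` key in the install-config, and the kernel's `/proc/sys/crypto/fips_enabled` on a host), and auditing the four TripleO-era parameters so the non-FIPS values (MD5 CHAP/SNMP, RabbitMQ without FIPS args, un-overridden gcomm cipher) are flagged before rendering the corrected `parameter_defaults`. The install-config, the pre-FIPS parameter values and the cipher heuristic are constructed for the example; the cipher check is a coarse token filter, not the FIPS cipher allowlist.

```python
# Added example (not from the epic, TripleO or the OpenStack operators): detect
# FIPS mode and audit the four TripleO-era FIPS parameters before rendering them.
import re
from typing import Dict, List

# Constructed sample of an OCP install-config; FIPS is a day-1 install setting.
SAMPLE_INSTALL_CONFIG = """\
apiVersion: v1
baseDomain: example.com
fips: true
metadata:
  name: ocp
"""

# Constructed pre-FIPS parameter_defaults beside the FIPS values quoted in the epic.
PRE_FIPS_PARAMS = {
    "IscsidCHAPAlgorithms": "SHA3-256,SHA256,SHA1,MD5",
    "SnmpdReadonlyUserAuthType": "MD5",
    "RabbitFIPS": False,
    "MysqlGaleraSSLCipher": "",
}
FIPS_PARAMS = {
    "IscsidCHAPAlgorithms": "SHA3-256,SHA256,SHA1",
    "SnmpdReadonlyUserAuthType": "SHA",
    "RabbitFIPS": True,
    "MysqlGaleraSSLCipher": "ECDHE-RSA-AES256-GCM-SHA384",
}

# Coarse heuristic (assumption, not the FIPS allowlist): cipher-suite tokens that
# name primitives FIPS mode never permits.
NON_FIPS_TOKENS = {"RC4", "DES", "MD5", "NULL", "EXP"}


def install_config_fips(install_config: str) -> bool:
    """True when the install-config carries a top-level `fips: true`.

    Only unindented keys count, so a nested `fips:` under some other object
    is not mistaken for cluster-wide FIPS mode.
    """
    for line in install_config.splitlines():
        m = re.match(r"^fips:\s*([^\s#]+)", line)
        if m:
            return m.group(1).strip("\"'").lower() == "true"
    return False


def host_fips_enabled(path: str = "/proc/sys/crypto/fips_enabled") -> bool:
    """Kernel-level check on the node itself: the file reads "1" in FIPS mode."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False  # file absent: not a FIPS host (or not Linux)


def audit_fips_params(params: Dict[str, object]) -> List[str]:
    """Return one finding per parameter that is not in its FIPS configuration."""
    findings: List[str] = []
    algs = [a.strip().upper() for a in str(params.get("IscsidCHAPAlgorithms", "")).split(",")]
    if "MD5" in algs:
        findings.append("IscsidCHAPAlgorithms: MD5 listed; use 'SHA3-256,SHA256,SHA1'")
    if str(params.get("SnmpdReadonlyUserAuthType", "MD5")).upper() == "MD5":
        findings.append("SnmpdReadonlyUserAuthType: MD5 in use; set 'SHA'")
    if not params.get("RabbitFIPS"):
        findings.append("RabbitFIPS: not enabled; set true to add the Erlang FIPS args")
    cipher = str(params.get("MysqlGaleraSSLCipher", "")).upper()
    if not cipher:
        findings.append("MysqlGaleraSSLCipher: gcomm cipher not overridden; "
                        "set 'ECDHE-RSA-AES256-GCM-SHA384'")
    elif set(cipher.split("-")) & NON_FIPS_TOKENS:
        findings.append(f"MysqlGaleraSSLCipher: {cipher} uses a non-FIPS primitive")
    return findings


def render_environment(params: Dict[str, object]) -> str:
    """Render params as the TripleO environment file passed to the deploy (-e)."""
    lines = ["parameter_defaults:"]
    for key, value in params.items():
        rendered = ("true" if value else "false") if isinstance(value, bool) else f"'{value}'"
        lines.append(f"  {key}: {rendered}")
    return "\n".join(lines) + "\n"


def fips_environment_if_needed(install_config: str) -> str:
    """Emit the FIPS environment only when the cluster was installed in FIPS mode."""
    return render_environment(FIPS_PARAMS) if install_config_fips(install_config) else ""


if __name__ == "__main__":
    print("cluster FIPS:", install_config_fips(SAMPLE_INSTALL_CONFIG))
    for finding in audit_fips_params(PRE_FIPS_PARAMS):
        print("FINDING:", finding)
    print(fips_environment_if_needed(SAMPLE_INSTALL_CONFIG), end="")
```

Running the block prints four findings for the constructed pre-FIPS values and the corrected `parameter_defaults` block; on a non-FIPS install-config it renders nothing, which mirrors the operator behaviour the epic asks for (adjust only when the cluster is in FIPS mode).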
1. | Deploy Control Plane Services in FIPS mode when needed | Closed | Unassigned |