Skip to content

Commit

Permalink
Add GNMI client cert cname check support. (sonic-net#18709)
Browse files Browse the repository at this point in the history 
Add GNMI client cert cname list to yang model.

#### Why I did it
Allow gnmi service authentication client cert by cname.

### How I did it
Add GNMI client cert cname list to yang model.

#### How to verify it
Pass all UT.

### Description for the changelog
Add GNMI client cert cname list to yang model.
  • Loading branch information
@liuh-80 @vvolam
liuh-80 authored and vvolam committed Sep 11, 2024
1 parent fb8c655 commit 1ad371f
Show file tree
Hide file tree
Showing 6 changed files with 68 additions and 0 deletions.
2 changes: 2 additions & 0 deletions dockers/docker-sonic-gnmi/gnmi-native.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,8 @@ if [ -n "$CERTS" ]; then
if [ ! -z $CA_CRT ]; then
TELEMETRY_ARGS+=" --ca_crt $CA_CRT"
fi

TELEMETRY_ARGS+=" --config_table_name GNMI_CLIENT_CERT"
elif [ -n "$X509" ]; then
SERVER_CRT=$(echo $X509 | jq -r '.server_crt')
SERVER_KEY=$(echo $X509 | jq -r '.server_key')
Expand Down
3 changes: 3 additions & 0 deletions dockers/docker-sonic-telemetry/telemetry.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,9 @@ if [ -n "$CERTS" ]; then
if [ ! -z $CA_CRT ]; then
TELEMETRY_ARGS+=" --ca_crt $CA_CRT"
fi

# Reuse GNMI_CLIENT_CERT for telemetry service
TELEMETRY_ARGS+=" --config_table_name GNMI_CLIENT_CERT"
elif [ -n "$X509" ]; then
SERVER_CRT=$(echo $X509 | jq -r '.server_crt')
SERVER_KEY=$(echo $X509 | jq -r '.server_key')
Expand Down
8 changes: 8 additions & 0 deletions src/sonic-yang-models/tests/files/sample_config_db.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1329,6 +1329,14 @@
"port": "50052"
}
},
"GNMI_CLIENT_CERT": {
"testcert1": {
"role": "RW"
},
"testcert2": {
"role": "RO"
}
},
"TUNNEL": {
"MuxTunnel0": {
"dscp_mode": "uniform",
Expand Down
7 changes: 7 additions & 0 deletions src/sonic-yang-models/tests/yang_model_tests/tests/gnmi.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,5 +17,12 @@
},
"GNMI_TABLE_WITH_VALID_CONFIG": {
"desc": "TABLE WITH VALID CONFIG."
},
"GNMI_CLIENT_CERT_LIST_TABLE_WITH_MISSING_ROLE": {
"desc": "CLIENT_CERT_LIST_TABLE_WITH_MISSING_ROLE failure.",
"eStrKey": "Mandatory"
},
"GNMI_CLIENT_CERT_LIST_TABLE_WITH_VALID_CONFIG": {
"desc": "TABLE WITH VALID CONFIG."
}
}
27 changes: 27 additions & 0 deletions src/sonic-yang-models/tests/yang_model_tests/tests_config/gnmi.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -80,5 +80,32 @@
}
}
}
},
"GNMI_CLIENT_CERT_LIST_TABLE_WITH_MISSING_ROLE": {
"sonic-gnmi:sonic-gnmi": {
"sonic-gnmi:GNMI_CLIENT_CERT": {
"GNMI_CLIENT_CERT_LIST": [
{
"cert_cname": "testcert1"
}
]
}
}
},
"GNMI_CLIENT_CERT_LIST_TABLE_WITH_VALID_CONFIG": {
"sonic-gnmi:sonic-gnmi": {
"sonic-gnmi:GNMI_CLIENT_CERT": {
"GNMI_CLIENT_CERT_LIST": [
{
"cert_cname": "testcert1",
"role": "RW"
},
{
"cert_cname": "testcert2",
"role": "RO"
}
]
}
}
}
}
21 changes: 21 additions & 0 deletions src/sonic-yang-models/yang-models/sonic-gnmi.yang
View file
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,28 @@ module sonic-gnmi {
}

}
}

container GNMI_CLIENT_CERT {
description "GNMI client cert list";

list GNMI_CLIENT_CERT_LIST {
max-elements 8;
key "cert_cname";

leaf cert_cname {
type string;
description
"client cert common name";
}

leaf role {
type string;
mandatory true;
description
"role of client cert common name";
}
}
}
}
}

0 comments on commit 1ad371f

Please sign in to comment.