Add cert revocation list support to GNMI service. (#19536)
Add GNMI CRL support.

Why I did it
Allow the gnmi service to revoke client certificates using a CRL.

How I did it
Add GNMI CRL config to yang model.

How to verify it
Pass all UT.
Verified with new sonic-mgmt test case.
liuh-80 authored Nov 22, 2024
1 parent cf61844 commit 886500a
Showing 7 changed files with 78 additions and 12 deletions.
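--- a/dockers/docker-sonic-gnmi/gnmi-native.sh
+++ b/dockers/docker-sonic-gnmi/gnmi-native.sh
@@ -76,6 +76,18 @@ else
 TELEMETRY_ARGS+=" -v=2"
 fi
 
+if [ -nz "$GNMI" ]; then
+ENABLE_CRL=$(echo $GNMI | jq -r '.enable_crl')
+if [ $ENABLE_CRL == "true" ]; then
+TELEMETRY_ARGS+=" --enable_crl"
+fi
+
+CRL_EXPIRE_DURATION=$(echo $GNMI | jq -r '.crl_expire_duration')
+if [ -n $CRL_EXPIRE_DURATION ]; then
+TELEMETRY_ARGS+=" --crl_expire_duration $CRL_EXPIRE_DURATION"
+fi
+fi
+
 # Enable ZMQ for SmartSwitch
 LOCALHOST_SUBTYPE=`sonic-db-cli CONFIG_DB hget "DEVICE_METADATA|localhost" "subtype"`
 if [[ x"${LOCALHOST_SUBTYPE}" == x"SmartSwitch" ]]; then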
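Review bot: The guard `if [ -nz "$GNMI" ]; then` at the top of the added block uses a test operator that does not exist, so `[` reports "unary operator expected" and returns false, and the whole CRL block is skipped; `--enable_crl` is therefore never passed to the service even when the operator sets enable_crl to true, and revoked client certificates keep being accepted with only a stderr message as a hint. The guard should be `if [ -n "$GNMI" ]; then`. Two further problems remain once the block runs: `jq -r` prints the literal `null` for an absent key, and `[ -n $CRL_EXPIRE_DURATION ]` with the variable unquoted is true even when it is empty, so `--crl_expire_duration null` (or a bare flag) can be appended; the inner tests should read `if [ "$ENABLE_CRL" == "true" ]; then` and `if [ -n "$CRL_EXPIRE_DURATION" ] && [ "$CRL_EXPIRE_DURATION" != "null" ]; then`. Where `GNMI` is assigned is outside the hunk, so I cannot tell whether it is guaranteed to be valid JSON for `jq`. The same block, with the same three defects, is duplicated in dockers/docker-sonic-telemetry/telemetry.sh.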
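--- a/dockers/docker-sonic-telemetry/telemetry.sh
+++ b/dockers/docker-sonic-telemetry/telemetry.sh
@@ -74,6 +74,18 @@ else
 TELEMETRY_ARGS+=" -v=2"
 fi
 
+if [ -nz "$GNMI" ]; then
+ENABLE_CRL=$(echo $GNMI | jq -r '.enable_crl')
+if [ $ENABLE_CRL == "true" ]; then
+TELEMETRY_ARGS+=" --enable_crl"
+fi
+
+CRL_EXPIRE_DURATION=$(echo $GNMI | jq -r '.crl_expire_duration')
+if [ -n $CRL_EXPIRE_DURATION ]; then
+TELEMETRY_ARGS+=" --crl_expire_duration $CRL_EXPIRE_DURATION"
+fi
+fi
+
 # gNMI save-on-set behavior is disabled by default.
 # Save-on-set can be turned on by setting the "TELEMETRY|gnmi|save_on_set"
 # to "true".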
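--- a/src/sonic-yang-models/tests/files/sample_config_db.json
+++ b/src/sonic-yang-models/tests/files/sample_config_db.json
@@ -1331,7 +1331,9 @@
 "gnmi": {
 "client_auth": "true",
 "log_level": "2",
-"port": "50051"
+"port": "50051",
+"enable_crl": "false",
+"crl_expire_duration": "86400"
 }
 },
 "TELEMETRY_CLIENT": {
@@ -1368,7 +1370,9 @@
 "gnmi": {
 "client_auth": "true",
 "log_level": "2",
-"port": "50052"
+"port": "50052",
+"enable_crl": "false",
+"crl_expire_duration": "86400"
 }
 },
 "GNMI_CLIENT_CERT": {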
Expand Up @@ -10,7 +10,9 @@
"gnmi": {
"client_auth": "true",
"log_level": "2",
"port": "50052"
"port": "50052",
"enable_crl": "true",
"crl_expire_duration": "86400"
}
}
}
Expand All @@ -26,7 +28,9 @@
"gnmi": {
"client_auth": "up",
"log_level": "2",
"port": "50052"
"port": "50052",
"enable_crl": "true",
"crl_expire_duration": "86400"
}
}
}
Expand All @@ -42,7 +46,9 @@
"gnmi": {
"client_auth": "true",
"log_level": "2",
"port": "abc"
"port": "abc",
"enable_crl": "true",
"crl_expire_duration": "86400"
}
}
}
Expand All @@ -59,7 +65,9 @@
"client_auth": "true",
"log_level": "2",
"port": "50051",
"save_on_set": "wrong"
"save_on_set": "wrong",
"enable_crl": "true",
"crl_expire_duration": "86400"
}
}
}
Expand All @@ -76,7 +84,9 @@
"client_auth": "true",
"log_level": "2",
"port": "50052",
"save_on_set": "false"
"save_on_set": "false",
"enable_crl": "true",
"crl_expire_duration": "86400"
}
}
}
Expand Up @@ -10,7 +10,9 @@
"gnmi": {
"client_auth": "true",
"log_level": "2",
"port": "50051"
"port": "50051",
"enable_crl": "true",
"crl_expire_duration": "86400"
}
}
}
Expand All @@ -26,7 +28,9 @@
"gnmi": {
"client_auth": "up",
"log_level": "2",
"port": "50051"
"port": "50051",
"enable_crl": "true",
"crl_expire_duration": "86400"
}
}
}
Expand All @@ -42,7 +46,9 @@
"gnmi": {
"client_auth": "true",
"log_level": "2",
"port": "abc"
"port": "abc",
"enable_crl": "true",
"crl_expire_duration": "86400"
}
}
}
Expand All @@ -59,7 +65,9 @@
"client_auth": "true",
"log_level": "2",
"port": "50051",
"save_on_set": "wrong"
"save_on_set": "wrong",
"enable_crl": "true",
"crl_expire_duration": "86400"
}
}
}
Expand All @@ -76,7 +84,9 @@
"client_auth": "true",
"log_level": "2",
"port": "50051",
"save_on_set": "false"
"save_on_set": "false",
"enable_crl": "true",
"crl_expire_duration": "86400"
}
}
}
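--- a/src/sonic-yang-models/yang-models/sonic-gnmi.yang
+++ b/src/sonic-yang-models/yang-models/sonic-gnmi.yang
@@ -76,6 +76,15 @@ module sonic-gnmi {
 description "Flag for enabling save on set.";
 }
 
+leaf enable_crl {
+type boolean;
+description "Flag for enable certificate revocation list.";
+}
+
+leaf crl_expire_duration {
+type uint32;
+description "Certificate revocation list cache expire duration.";
+}
 }
 }
 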
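Review bot: The description of the new `crl_expire_duration` leaf does not state a unit, yet the value is handed straight to `--crl_expire_duration` by the container scripts and the sample config uses 86400, which reads like seconds; an operator editing CONFIG_DB has no way to tell from the model. If seconds is indeed what the service expects, the leaf should say so, e.g. `description "Certificate revocation list cache expire duration, in seconds.";`, and the `enable_crl` description would read better as `description "Flag for enabling certificate revocation list checking of client certificates.";`. The same two leaves are added to src/sonic-yang-models/yang-models/sonic-telemetry.yang and should carry the same wording.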
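--- a/src/sonic-yang-models/yang-models/sonic-telemetry.yang
+++ b/src/sonic-yang-models/yang-models/sonic-telemetry.yang
@@ -76,6 +76,15 @@ module sonic-telemetry {
 description "Flag for enabling save on set.";
 }
 
+leaf enable_crl {
+type boolean;
+description "Flag for enable certificate revocation list.";
+}
+
+leaf crl_expire_duration {
+type uint32;
+description "Certificate revocation list cache expire duration.";
+}
 }
 
 }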
