Feat(eos_cli_config_gen): add certs method to cvauth in TerminAttr #2699
Conversation
```yaml
cert_file:
  type: str
  description: |
    Client certificate file path
    e.g. "/persist/secure/ssl/terminattr/primary/certs/client.crt"
```
Would this work with any other certificate path?
Yes, but you need to know the path. In general it is `/persist/secure/ssl/terminattr/<cvoptName>/certs/client.crt`, where `cvoptName` is always `primary` in normal configs (streaming to one cluster (single or multinode or CVaaS)) or the arbitrarily chosen name set by the customer when streaming to multiple CVP clusters (multiple multi-nodes, or multiple single nodes, or CVaaS tenants, or a combination of all these).
Ah ok, so rephrasing my question: would this work with any certs outside of this pattern: `/persist/secure/ssl/terminattr/<cvoptName>/certs/client.crt`? Basically `/tmp/cert`.
-> I would assume not really, given the mechanism to auto renew, but maybe I am wrong :) Otherwise we could add in the comment the pattern you mention above?
No, the difference with this method is that it no longer expects CV to sign any cert. It will just validate both ways towards their known CAs.
ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/eos/daemon-terminattr.j2
| CV Compression | CloudVision Servers | VRF | Authentication | Smash Excludes | Ingest Exclude | Bypass AAA |
| -------------- | ------------------- | --- | -------------- | -------------- | -------------- | ---------- |
| gzip | 10.10.10.8:9910,10.10.10.9:9910,10.10.10.10:9910 | mgt | - | ale,flexCounter,hardware,kni,pulse,strata | /Sysdb/cell/1/agent,/Sysdb/cell/2/agent | False |
So here it says Authentication is `-`; this probably needs a doc update.
Ah yes, let me update that, thanks.
LGTM overall. Just one open comment regarding adding some guidelines for the certificate path in the description, but that's optional.
Change Summary
Adding support for the `certs` method (it's not widely used, but it's a possible CLI knob).
With TerminAttr there are a few secure authentication methods. We can either use the `token` (on-prem) or `token-secure` method, which both use a temporary token to get CV to sign the switch's CSR, send back the client cert and then use that cert from that point on (completely transparent config-wise), or manually set the certs path using the `certs` method.
Related Issue(s)
Fixes #2669
Component(s) name
arista.avd.eos_cli_config_gen
Proposed changes
Added `cert_file`, `ca_file` and `key_file` under `cvauth` (for both single cluster and multi-clusters) and extended `cvauth.method` to have `certs` in addition to `token`, `token-secure` and `key`.
How to test
normal scenario (one cluster):
result:
multi-cluster example:
result:
cvaas example (no ca.crt is needed as it's a public CA which is packaged in the OS)
result:
Checklist
User Checklist
Repository Checklist
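The PR description lists the four `cvauth.method` values and the three new file keys, and the review thread raises the questions a practitioner would want checked before a `certs` config reaches a switch: are `cert_file` and `key_file` both present, is `ca_file` allowed to be absent (the CVaaS case), and does the path follow the `/persist/secure/ssl/terminattr/<cvoptName>/certs/` pattern with the right cvopt name. The following script is an added example written for this page, not the `arista.avd` `eos_cli_config_gen` template or schema. It renders the authentication arguments for the single-cluster and multi-cluster shapes and validates the `certs` method first. The flag grammar it emits (`-cvauth=<method>,<args>` for one cluster, `-cvopt=<name>.auth=<method>,<args>` per cluster, and `certs,<cert_file>,<key_file>[,<ca_file>]`) is an assumption about TerminAttr's command line and is not taken from this page; the sample inputs are constructed to mirror the three "How to test" scenarios.

```python
"""Render TerminAttr authentication arguments from the cvauth structure
discussed in this PR and validate the certs method before anything is emitted.

Illustration written for this page, not the arista.avd eos_cli_config_gen
template. Assumed (not taken from the page): the TerminAttr flag grammar
"-cvauth=<method>,<args>" for a single cluster, "-cvopt=<name>.auth=<method>,<args>"
per cluster, and the certs method rendered as "certs,<cert_file>,<key_file>[,<ca_file>]".
"""
from __future__ import annotations

import re

# Path pattern given in the PR discussion for the certificates TerminAttr keeps
# under its own directory; <cvoptName> is "primary" for a single cluster.
MANAGED_CERT_RE = re.compile(r"^/persist/secure/ssl/terminattr/([^/]+)/certs/[^/]+$")


class CvAuthError(ValueError):
    """A cvauth block that must not be rendered (missing or unsafe input)."""


def render_cvauth(cvauth: dict, cvopt_name: str = "primary") -> tuple[str, list[str]]:
    """Return (value for -cvauth= / .auth=, warnings) for one cvauth block."""
    method = cvauth.get("method")
    warnings: list[str] = []
    if method in ("token", "token-secure"):
        if not cvauth.get("token_file"):
            raise CvAuthError(f"{method} requires token_file")
        return f"{method},{cvauth['token_file']}", warnings
    if method == "key":
        if not cvauth.get("key"):
            raise CvAuthError("key method requires key")
        return f"key,{cvauth['key']}", warnings
    if method != "certs":
        raise CvAuthError(f"unknown cvauth method {method!r}")

    cert_file, key_file, ca_file = (cvauth.get(k) for k in ("cert_file", "key_file", "ca_file"))
    missing = [n for n, v in (("cert_file", cert_file), ("key_file", key_file)) if not v]
    if missing:
        raise CvAuthError("certs method requires " + " and ".join(missing))
    for name, path in (("cert_file", cert_file), ("key_file", key_file), ("ca_file", ca_file)):
        if not path:
            continue
        if not path.startswith("/"):
            raise CvAuthError(f"{name} must be an absolute path on the switch: {path!r}")
        m = MANAGED_CERT_RE.match(path)
        if m is None:
            # Any path is accepted by the certs method; outside the managed
            # directory the operator owns distribution and renewal of the file.
            warnings.append(f"{name} {path} is not under /persist/secure/ssl/terminattr/<cvoptName>/certs/")
        elif m.group(1) != cvopt_name:
            warnings.append(f"{name} {path} belongs to cvopt {m.group(1)!r}, but this cluster is {cvopt_name!r}")
    if not ca_file:
        # CVaaS case from the PR: no ca.crt, the public CA packaged in the OS is used.
        warnings.append("no ca_file: CloudVision is verified against the CAs packaged in the OS")
    return ",".join(["certs", cert_file, key_file] + ([ca_file] if ca_file else [])), warnings


def render_terminattr_auth_args(terminattr: dict) -> tuple[list[str], list[str]]:
    """Render auth arguments for a single-cluster ({"cvauth": ...}) or a
    multi-cluster ({"clusters": [{"name": ..., "cvauth": ...}, ...]}) input."""
    args: list[str] = []
    warnings: list[str] = []
    if terminattr.get("clusters"):
        seen: set[str] = set()
        for cluster in terminattr["clusters"]:
            name = cluster.get("name")
            if not name or name in seen:
                raise CvAuthError(f"cluster name missing or duplicated: {name!r}")
            seen.add(name)
            auth, w = render_cvauth(cluster.get("cvauth", {}), cvopt_name=name)
            args.append(f"-cvopt={name}.auth={auth}")
            warnings.extend(f"[{name}] {msg}" for msg in w)
    elif "cvauth" in terminattr:
        auth, w = render_cvauth(terminattr["cvauth"])
        args.append(f"-cvauth={auth}")
        warnings.extend(w)
    return args, warnings


# Constructed inputs mirroring the three "How to test" scenarios of the PR.
SINGLE_CLUSTER = {"cvauth": {
    "method": "certs",
    "cert_file": "/persist/secure/ssl/terminattr/primary/certs/client.crt",
    "key_file": "/persist/secure/ssl/terminattr/primary/certs/client.key",
    "ca_file": "/persist/secure/ssl/terminattr/primary/certs/ca.crt",
}}
CVAAS = {"cvauth": {
    "method": "certs",
    "cert_file": "/persist/secure/ssl/terminattr/primary/certs/client.crt",
    "key_file": "/persist/secure/ssl/terminattr/primary/certs/client.key",
}}
MULTI_CLUSTER = {"clusters": [
    {"name": "dc1", "cvauth": {"method": "token", "token_file": "/tmp/token"}},
    {"name": "dc2", "cvauth": {
        "method": "certs",
        "cert_file": "/persist/secure/ssl/terminattr/dc2/certs/client.crt",
        "key_file": "/persist/secure/ssl/terminattr/dc2/certs/client.key",
        "ca_file": "/persist/secure/ssl/terminattr/dc2/certs/ca.crt",
    }},
]}

if __name__ == "__main__":
    for scenario in (SINGLE_CLUSTER, CVAAS, MULTI_CLUSTER):
        rendered, warns = render_terminattr_auth_args(scenario)
        print(" ".join(rendered), *warns, sep="\n  ")
```

The hard failures (missing `key_file`, relative path) stop rendering, because a `certs` entry with only a certificate would otherwise produce a daemon line that TerminAttr cannot use; the path-pattern and missing-`ca_file` cases are warnings only, since the thread above confirms the method accepts any path and the CVaaS scenario legitimately has no `ca.crt`.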