
Feat(eos_cli_config_gen): add certs method to cvauth in TerminAttr #2699

Merged
merged 4 commits into from
Apr 11, 2023

Conversation

noredistribution
Contributor

Change Summary

Adding support for the certs method (it's not widely used, but it's a possible CLI knob).
With TerminAttr there are a few secure authentication methods: we can either use the token (on-prem) or token-secure method, which both use a temporary token to get CV to sign the switch's CSR, send back the client cert and then use that cert from that point on (completely transparent config-wise), or manually set the certs path using the certs method.

Related Issue(s)

Fixes #2669

Component(s) name

arista.avd.eos_cli_config_gen

Proposed changes

Added cert_file, ca_file and key_file under cvauth (for both single cluster and multi-cluster) and extended cvauth.method to have certs in addition to token, token-secure and key.

How to test

normal scenario (one cluster):

```yaml
daemon_terminattr:
  cvaddrs:
    - 10.10.10.8:9910
    - 10.10.10.9:9910
    - 10.10.10.10:9910
  cvauth:
    method: "certs"
    cert_file: "/persist/secure/ssl/terminattr/primary/certs/client.crt"
    key_file: "/persist/secure/ssl/terminattr/primary/keys/client.key"
    ca_file: "/persist/secure/ssl/terminattr/primary/certs/ca.crt"
  cvvrf: mgt
  smashexcludes: "ale,flexCounter,hardware,kni,pulse,strata"
  ingestexclude: "/Sysdb/cell/1/agent,/Sysdb/cell/2/agent"
```

result:

```
daemon TerminAttr
   exec /usr/bin/TerminAttr -cvaddr=10.10.10.8:9910,10.10.10.9:9910,10.10.10.10:9910 -cvauth=certs,/persist/secure/ssl/terminattr/primary/certs/client.crt,/persist/secure/ssl/terminattr/primary/keys/client.key,/persist/secure/ssl/terminattr/primary/certs/ca.crt -cvvrf=mgt -smashexcludes=ale,flexCounter,hardware,kni,pulse,strata -ingestexclude=/Sysdb/cell/1/agent,/Sysdb/cell/2/agent -taillogs
   no shutdown
!
```

multi-cluster example:

```yaml
daemon_terminattr:
  clusters:
    DC1:
      cvaddrs:
        - 10.20.20.1:9910
      cvauth:
        method: "certs"
        cert_file: "/persist/secure/ssl/terminattr/DC1/certs/client.crt"
        key_file: "/persist/secure/ssl/terminattr/DC1/keys/client.key"
        ca_file: "/persist/secure/ssl/terminattr/DC1/certs/ca.crt"
      cvvrf: mgt
      cvsourceintf: Loopback10
    DC2:
      cvaddrs:
        - 10.30.30.1:9910
      cvauth:
        method: "certs"
        cert_file: "/persist/secure/ssl/terminattr/DC2/certs/client.crt"
        key_file: "/persist/secure/ssl/terminattr/DC2/keys/client.key"
        ca_file: "/persist/secure/ssl/terminattr/DC2/certs/ca.crt"
      cvvrf: mgt
      cvsourceintf: Vlan500
  smashexcludes: "ale,flexCounter,hardware,kni,pulse,strata"
  ingestexclude: "/Sysdb/cell/1/agent,/Sysdb/cell/2/agent"
```

result:

```
!
daemon TerminAttr
   exec /usr/bin/TerminAttr -cvopt DC1.addr=10.20.20.1:9910 -cvopt DC1.auth=certs,/persist/secure/ssl/terminattr/DC1/certs/client.crt,/persist/secure/ssl/terminattr/DC1/keys/client.key,/persist/secure/ssl/terminattr/DC1/certs/ca.crt -cvopt DC1.vrf=mgt -cvopt DC1.sourceintf=Loopback10 -cvopt DC2.addr=10.30.30.1:9910 -cvopt DC2.auth=certs,/persist/secure/ssl/terminattr/DC2/certs/client.crt,/persist/secure/ssl/terminattr/DC2/keys/client.key,/persist/secure/ssl/terminattr/DC2/certs/ca.crt -cvopt DC2.vrf=mgt -cvopt DC2.sourceintf=Vlan500 -smashexcludes=ale,flexCounter,hardware,kni,pulse,strata -ingestexclude=/Sysdb/cell/1/agent,/Sysdb/cell/2/agent -taillogs
   no shutdown
!
```

CVaaS example (no ca.crt is needed as it's a public CA which is packaged in the OS):

```yaml
daemon_terminattr:
  cvaddrs:
    - apiserver.arista.io:443
  cvauth:
    method: certs
    cert_file: /persist/secure/ssl/terminattr/primary/certs/client.crt
    key_file: /persist/secure/ssl/terminattr/primary/keys/client.key
  cvvrf: MGMT
  smashexcludes: ale,flexCounter,hardware,kni,pulse,strata
```

result:

```
!
daemon TerminAttr
   exec /usr/bin/TerminAttr -cvaddr=apiserver.arista.io:443 -cvauth=certs,/persist/secure/ssl/terminattr/primary/certs/client.crt,/persist/secure/ssl/terminattr/primary/keys/client.key -cvvrf=MGMT -smashexcludes=ale,flexCounter,hardware,kni,pulse,strata
   no shutdown
!
```

Checklist

User Checklist

  • N/A

Repository Checklist

  • [x] My code has been rebased from devel before I start
  • [x] I have read the CONTRIBUTING document.
  • [x] My change requires a change to the documentation and documentation have been updated accordingly.
  • [x] I have updated molecule CI testing accordingly. (check the box if not applicable)
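As an added illustration of the mapping the three examples above show (this is not the PR's code or AVD's own Jinja template), the following Python renders the `cvauth` block into the comma-separated value TerminAttr expects after `-cvauth=` or `-cvopt NAME.auth=`, and checks the dependency the schema cannot express on its own: `method: certs` requires both `cert_file` and `key_file`, while `ca_file` is optional and omitted for CVaaS. The key names used for the other methods (`token_file` for token/token-secure, `key` for key) are assumptions, not taken from this page.

```python
"""Render TerminAttr CloudVision auth options from an AVD-style cvauth block.

Added illustration of the mapping this PR describes; not AVD's own template.
Key names for the non-certs methods (`token_file`, `key`) are assumed.
"""
from typing import Any, Dict, List


def validate_cvauth(cvauth: Dict[str, Any]) -> List[str]:
    """Return a list of problems with a cvauth block (empty list means valid)."""
    problems: List[str] = []
    method = cvauth.get("method")
    if method == "certs":
        # certs: the switch presents its own client cert/key and validates the
        # server against ca_file; ca_file may be omitted when the server uses a
        # public CA already packaged in EOS (the CVaaS case).
        for required in ("cert_file", "key_file"):
            if not cvauth.get(required):
                problems.append(f"method 'certs' requires {required}")
    elif method in ("token", "token-secure"):
        if not cvauth.get("token_file"):  # assumed key name
            problems.append(f"method '{method}' requires token_file")
    elif method == "key":
        if not cvauth.get("key"):  # assumed key name
            problems.append("method 'key' requires key")
    elif method is not None:
        problems.append(f"unknown cvauth method '{method}'")
    return problems


def render_cvauth(cvauth: Dict[str, Any]) -> str:
    """Render the value after -cvauth= (single cluster) or NAME.auth= (multi-cluster)."""
    problems = validate_cvauth(cvauth)
    if problems:
        raise ValueError("; ".join(problems))
    method = cvauth["method"]
    if method == "certs":
        parts = [method, cvauth["cert_file"], cvauth["key_file"]]
        if cvauth.get("ca_file"):
            parts.append(cvauth["ca_file"])
        return ",".join(parts)
    if method == "key":
        return f"key,{cvauth['key']}"
    return f"{method},{cvauth['token_file']}"


def render_cv_options(daemon_terminattr: Dict[str, Any]) -> List[str]:
    """CloudVision options in the order the PR output shows: -cvaddr/-cvauth/-cvvrf
    for a single cluster, or -cvopt NAME.addr/.auth/.vrf/.sourceintf per cluster."""
    opts: List[str] = []
    clusters = daemon_terminattr.get("clusters")
    if clusters:
        for name, cluster in clusters.items():
            opts.append(f"-cvopt {name}.addr={','.join(cluster['cvaddrs'])}")
            if "cvauth" in cluster:
                opts.append(f"-cvopt {name}.auth={render_cvauth(cluster['cvauth'])}")
            if "cvvrf" in cluster:
                opts.append(f"-cvopt {name}.vrf={cluster['cvvrf']}")
            if "cvsourceintf" in cluster:
                opts.append(f"-cvopt {name}.sourceintf={cluster['cvsourceintf']}")
        return opts
    opts.append(f"-cvaddr={','.join(daemon_terminattr['cvaddrs'])}")
    if "cvauth" in daemon_terminattr:
        opts.append(f"-cvauth={render_cvauth(daemon_terminattr['cvauth'])}")
    if "cvvrf" in daemon_terminattr:
        opts.append(f"-cvvrf={daemon_terminattr['cvvrf']}")
    return opts


# Constructed sample mirroring the CVaaS example from the PR description.
CVAAS_EXAMPLE: Dict[str, Any] = {
    "cvaddrs": ["apiserver.arista.io:443"],
    "cvauth": {
        "method": "certs",
        "cert_file": "/persist/secure/ssl/terminattr/primary/certs/client.crt",
        "key_file": "/persist/secure/ssl/terminattr/primary/keys/client.key",
    },
    "cvvrf": "MGMT",
}

if __name__ == "__main__":
    print(" ".join(render_cv_options(CVAAS_EXAMPLE)))
```

Running the script prints the `-cvaddr ... -cvauth=certs,... -cvvrf=MGMT` portion of the CVaaS exec line from the PR description; a certs block missing `key_file` is rejected by `validate_cvauth` before anything is rendered, which is the check worth having in CI since TerminAttr would otherwise fail only at runtime on the switch.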

@noredistribution noredistribution requested a review from a team as a code owner April 4, 2023 19:06
@github-actions github-actions bot added role: eos_cli_config_gen issue related to eos_cli_config_gen role state: CI Updated CI scenario have been updated in the PR state: Documentation role Updated labels Apr 4, 2023
@noredistribution noredistribution changed the title Issue/2669 Feat(eos_cli_config_gen): add certs method to cvauth in TerminAttr Apr 4, 2023
Comment on lines +65 to +69
cert_file:
type: str
description: |
Client certificate file path
e.g. "/persist/secure/ssl/terminattr/primary/certs/client.crt"
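Review bot: the `cert_file` description should say that the option only takes effect with `method: certs` and that `key_file` must be set alongside it; the schema as shown gives `type: str` and an example path but nothing expressing that dependency, and since `ca_file` is optional (the CVaaS example in the PR description omits it) a one-line note on when each of the three files is required would save users a runtime failure on the switch.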
Contributor:

Would this work with any other certificate path?

Contributor Author:

yes but you need to know the path, in general it is /persist/secure/ssl/terminattr/<cvoptName>/certs/client.crt
where cvoptName is always primary in normal configs (streaming to one cluster (single or multinode or CVaaS))
or the arbitrarily chosen name by the customer when streaming to multiple CVP clusters (multiple multi-nodes, or multiple single nodes, or CVaaS tenants or a combination of all these)

Contributor:

ah ok so rephrasing my question - would this work with any certs outside of this pattern:

/persist/secure/ssl/terminattr/<cvoptName>/certs/client.crt

?

basically /tmp/cert -> I would assume not really given the mechanism to auto-renew but maybe I am wrong :) otherwise we could add in the comment the pattern you mention above?

Contributor:

No the difference with this method is that it no longer expects CV to sign any cert. It will just validate both ways towards their known CAs.


| CV Compression | CloudVision Servers | VRF | Authentication | Smash Excludes | Ingest Exclude | Bypass AAA |
| -------------- | ------------------- | --- | -------------- | -------------- | -------------- | ---------- |
| gzip | 10.10.10.8:9910,10.10.10.9:9910,10.10.10.10:9910 | mgt | - | ale,flexCounter,hardware,kni,pulse,strata | /Sysdb/cell/1/agent,/Sysdb/cell/2/agent | False |
Contributor:

so here it says authentication is `-` - probably needs a doc update

Contributor Author:

ah yes, let me update that thanks

@gmuloc gmuloc left a comment

LGTM overall - just one open comment regarding adding some guidelines for the certificate path in the description, but that's optional

@gmuloc gmuloc requested a review from a team April 6, 2023 07:57
@gmuloc gmuloc added this to the v4.0.0-dev10 milestone Apr 11, 2023
@gmuloc gmuloc merged commit 1d13b8e into aristanetworks:devel Apr 11, 2023
33 checks passed
Labels
rn: Feat(eos_cli_config_gen) role: eos_cli_config_gen issue related to eos_cli_config_gen role state: CI Updated CI scenario have been updated in the PR state: Documentation role Updated
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Add missing TerminAttr param generation for cvauth method "certs"
3 participants