[ycabled] add secure channel support for grpc dualtor active-active connectivity #275

Merged
merged 8 commits into from
Jul 22, 2022

@vdahiya12 vdahiya12 commented Jul 21, 2022

Signed-off-by: vaibhav-dahiya [email protected]
This PR adds support for creating a secure channel for gRPC between SoC and SONiC.
The certs and configurations are defined in config DB.

        'config': {
            'type': 'secure',
            'auth_level': 'server',
            'log_level': 'info'
        },
        'certs': {
            'client_crt': 'path',
            'client_key': 'path',
            'ca_crt': 'path',
            'grpc_ssl_credential': 'target override'
        }

Using this config parameter we can have secure/insecure as well as mutual/server level authentication between SoC and SONiC.
This PR leverages the cert APIs in the gRPC lib and the certs created to create a TLS-based handshake, if required, to set up the gRPC channel.

Description

Motivation and Context

Required for secure gRPC support between SONiC and SoC

How Has This Been Tested?

Unit-Tests and running the changes on the testbed

Additional Information (Optional)


lgtm-com bot commented Jul 21, 2022

This pull request introduces 1 alert when merging e6a09fc into 005ec30 - view on LGTM.com

new alerts:

  • 1 for Syntax error

Signed-off-by: vaibhav-dahiya <[email protected]>
@vdahiya12 vdahiya12 changed the title [ycabled] add secure channel support for grpc dualtor connectivity [ycabled] add secure channel support for grpc dualtor active-active connectivity Jul 22, 2022
@vdahiya12 vdahiya12 requested a review from lolyu July 22, 2022 00:39
Signed-off-by: vaibhav-dahiya <[email protected]>
Signed-off-by: vaibhav-dahiya <[email protected]>
Signed-off-by: vaibhav-dahiya <[email protected]>
type = grpc_config_dict.get("type", None)
level = grpc_config_dict.get("auth_level", None)

(status, fvs) = grpc_config[asic_index].get("certs")
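
Review bot: on the last line, `(status, fvs) = grpc_config[asic_index].get("certs")` unpacks a `status` flag, but nothing in this hunk checks it before `fvs` would be used. Branch on `status` explicitly and require the certs entry only when `type` is `secure`. Separately, `type = ...` on the first line shadows the Python built-in `type()`; a name such as `channel_type` avoids that.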

What if the type is insecure and the certs are not defined:

{
        'config': {
            'type': 'insecure'
        }
}

In this case status will be False, and it goes to LINE#489, right?


fixed, logic takes default to be insecure if no config defined

for _ in range(retries):

if type == "secure":
credential = get_grpc_credentials(type, kvp)
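
Review bot: `credential = get_grpc_credentials(type, kvp)` follows `for _ in range(retries):`, and the hunk shows no check of what the helper returned. If it can return nothing (for example when a cert file cannot be read), handle that case under `if type == "secure":` by logging and not creating a channel, so that a link configured as secure never ends up on an insecure one. If the credentials do not change between attempts, build them once before the loop.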

this should be

Suggested change
credential = get_grpc_credentials(type, kvp)
credential = get_grpc_credentials(level, kvp)

Right?


Thanks for pointing out, fixed.
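
The configuration handling discussed in this thread, as an added example that is not code from the PR or from ycabled: it resolves one entry into a channel plan, treats a missing `type` as insecure as the author describes, and refuses a `secure` entry whose certs are incomplete. The function names, the `mutual` value for `auth_level` and the reading of `grpc_ssl_credential` as a TLS target-name override are assumptions.

```python
# Added example (not ycabled code). Key names follow the PR description;
# function names and the "mutual" auth_level value are assumptions.
NEEDED = {"server": ("ca_crt",),
          "mutual": ("ca_crt", "client_crt", "client_key")}

# Constructed sample entry; path and host name are placeholders.
SAMPLE = {"config": {"type": "secure", "auth_level": "server"},
          "certs": {"ca_crt": "/constructed/ca.pem",
                    "grpc_ssl_credential": "soc.example"}}


def plan_channel(entry):
    """Validate one config entry and describe the channel to build."""
    config = entry.get("config") or {}
    certs = entry.get("certs") or {}
    chan_type = config.get("type", "insecure")  # absent config: insecure
    if chan_type == "insecure":
        return {"mode": "insecure", "files": {}, "override": None}
    if chan_type != "secure":
        raise ValueError("unknown type: %r" % (chan_type,))
    level = config.get("auth_level")
    if level not in NEEDED:
        raise ValueError("unknown auth_level: %r" % (level,))
    missing = [k for k in NEEDED[level] if not certs.get(k)]
    if missing:  # fail closed: never downgrade a secure entry
        raise ValueError("missing certs: " + ", ".join(missing))
    return {"mode": level,
            "files": {k: certs[k] for k in NEEDED[level]},
            "override": certs.get("grpc_ssl_credential")}


def open_channel(plan, target):
    """Create the channel for a plan; requires the grpcio package."""
    import grpc  # lazy import keeps plan_channel() usable without grpcio
    if plan["mode"] == "insecure":
        return grpc.insecure_channel(target)
    pem = {}
    for name, path in plan["files"].items():
        with open(path, "rb") as handle:
            pem[name] = handle.read()
    creds = grpc.ssl_channel_credentials(
        root_certificates=pem["ca_crt"],
        private_key=pem.get("client_key"),       # None for server-only auth
        certificate_chain=pem.get("client_crt"))
    options = []
    if plan["override"]:
        options.append(("grpc.ssl_target_name_override", plan["override"]))
    return grpc.secure_channel(target, creds, options=options)
```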

Signed-off-by: vaibhav-dahiya <[email protected]>
Signed-off-by: vaibhav-dahiya <[email protected]>
@vdahiya12 vdahiya12 merged commit e3b03d4 into sonic-net:master Jul 22, 2022
yxieca pushed a commit that referenced this pull request Jul 22, 2022
…onnectivity (#275)

dprital added a commit to dprital/sonic-buildimage that referenced this pull request Aug 9, 2022
Update sonic-platform-daemons submodule pointer to include the following:
* Xcvrd changes to support 400G ZR configuration ([sonic-net#270](sonic-net/sonic-platform-daemons#270))
* [ycabled] add secure channel support for grpc dualtor active-active connectivity  ([sonic-net#275](sonic-net/sonic-platform-daemons#275))

Signed-off-by: dprital <[email protected]>