added eda config blocks

srl-labs · Dec 30, 2024 · 06945e1 · 06945e1
1 parent 01859ff
commit 06945e1
Show file tree

Hide file tree

Showing 4 changed files with 84 additions and 3 deletions.
diff --git a/nodes/srl/eda.go b/nodes/srl/eda.go
@@ -0,0 +1,72 @@
+package srl
+
+// edaConfig contains configuration for the EDA onboarding.
+// It includes the eda-discovery grpc server and the eda-mgmt secured grpc server
+// along with the ACL rules allowing communication over the ports assigned to these servers.
+const edaConfig = `!!! EDA Discovery gRPC server
+set / system grpc-server eda-discovery services [ gnmi gnsi ]
+set / system grpc-server eda-discovery admin-state enable
+set / system grpc-server eda-discovery port 50052
+set / system grpc-server eda-discovery rate-limit 65535
+set / system grpc-server eda-discovery session-limit 1024
+set / system grpc-server eda-discovery metadata-authentication true
+set / system grpc-server eda-discovery default-tls-profile true
+set / system grpc-server eda-discovery network-instance mgmt
+
+# ACL rules allowing incoming tcp/50052 for the eda-discovery grpc server
+set / acl acl-filter cpm type ipv4 entry 355 description "Containerlab-added rule: Accept incoming gRPC over port 50052 for the eda-discovery gRPC server"
+set / acl acl-filter cpm type ipv4 entry 355 match ipv4 protocol tcp
+set / acl acl-filter cpm type ipv4 entry 355 match transport destination-port operator eq
+set / acl acl-filter cpm type ipv4 entry 355 match transport destination-port value 50052
+set / acl acl-filter cpm type ipv4 entry 355 action accept
+
+set / acl acl-filter cpm type ipv6 entry 365 description "Containerlab-added rule: Accept incoming gRPC over port 50052 for the eda-discovery gRPC server"
+set / acl acl-filter cpm type ipv6 entry 365 match ipv6 next-header tcp
+set / acl acl-filter cpm type ipv6 entry 365 match transport destination-port operator eq
+set / acl acl-filter cpm type ipv6 entry 365 match transport destination-port value 50052
+set / acl acl-filter cpm type ipv6 entry 365 action accept
+
+!!! EDA Management gRPC server
+set / system grpc-server eda-mgmt services [ gnmi gnoi gnsi ]
+set / system grpc-server eda-mgmt admin-state enable
+set / system grpc-server eda-mgmt port 57410
+set / system grpc-server eda-mgmt rate-limit 65535
+set / system grpc-server eda-mgmt session-limit 1024
+set / system grpc-server eda-mgmt metadata-authentication true
+set / system grpc-server eda-mgmt tls-profile EDA
+set / system grpc-server eda-mgmt network-instance mgmt
+
+# ACL rules allowing incoming tcp/57410 for the eda-discovery grpc server
+set / acl acl-filter cpm type ipv4 entry 356 description "Containerlab-added rule: Accept incoming gRPC over port 57410 for the eda-mgmt gRPC server"
+set / acl acl-filter cpm type ipv4 entry 356 match ipv4 protocol tcp
+set / acl acl-filter cpm type ipv4 entry 356 match transport destination-port operator eq
+set / acl acl-filter cpm type ipv4 entry 356 match transport destination-port value 57410
+set / acl acl-filter cpm type ipv4 entry 356 action accept
+
+set / acl acl-filter cpm type ipv6 entry 366 description "Containerlab-added rule: Accept incoming gRPC over port 57410 for the eda-mgmt gRPC server"
+set / acl acl-filter cpm type ipv6 entry 366 match ipv6 next-header tcp
+set / acl acl-filter cpm type ipv6 entry 366 match transport destination-port operator eq
+set / acl acl-filter cpm type ipv6 entry 366 match transport destination-port value 57410
+set / acl acl-filter cpm type ipv6 entry 366 action accept
+
+!!! EDA Management (insecure) gRPC server
+set / system grpc-server eda-insecure-mgmt services [ gnmi gnoi gnsi ]
+set / system grpc-server eda-insecure-mgmt admin-state enable
+set / system grpc-server eda-insecure-mgmt port 57411
+set / system grpc-server eda-insecure-mgmt rate-limit 65535
+set / system grpc-server eda-insecure-mgmt session-limit 1024
+set / system grpc-server eda-insecure-mgmt metadata-authentication true
+set / system grpc-server eda-mgmt network-instance mgmt
+
+# ACL rules allowing incoming tcp/57411 for the eda-discovery grpc server
+set / acl acl-filter cpm type ipv4 entry 357 description "Containerlab-added rule: Accept incoming gRPC over port 57411 for the eda-mgmt gRPC server"
+set / acl acl-filter cpm type ipv4 entry 357 match ipv4 protocol tcp
+set / acl acl-filter cpm type ipv4 entry 357 match transport destination-port operator eq
+set / acl acl-filter cpm type ipv4 entry 357 match transport destination-port value 57411
+set / acl acl-filter cpm type ipv4 entry 357 action accept
+
+set / acl acl-filter cpm type ipv6 entry 367 description "Containerlab-added rule: Accept incoming gRPC over port 57411 for the eda-mgmt gRPC server"
+set / acl acl-filter cpm type ipv6 entry 367 match ipv6 next-header tcp
+set / acl acl-filter cpm type ipv6 entry 367 match transport destination-port operator eq
+set / acl acl-filter cpm type ipv6 entry 367 match transport destination-port value 57411
+set / acl acl-filter cpm type ipv6 entry 367 action accept`
diff --git a/nodes/srl/srl.go b/nodes/srl/srl.go
@@ -535,6 +535,8 @@ type srlTemplateData struct {
 	ACLConfig string
 	// NetconfConfig is a string containing Netconf server configuration
 	NetconfConfig string
+	// EDAConfig is a string containing EDA configuration
+	EDAConfig string
 }
 
 // tplIFace template interface struct.

diff --git a/nodes/srl/srl_default_config.go.tpl b/nodes/srl/srl_default_config.go.tpl
@@ -13,6 +13,8 @@ set / system tls server-profile clab-profile authenticate-client false
 
 {{ .GRPCConfig }}
 
+{{ .EDAConfig }}
+
 {{- if .EnableGNMIUnixSockServices }}
 system gnmi-server unix-socket services [ gnmi gnoi ] admin-state enable
 {{- end }}

diff --git a/nodes/srl/version.go b/nodes/srl/version.go
@@ -61,11 +61,11 @@ set / acl acl-filter cpm type ipv6 entry 188 match transport destination-port va
 set / acl acl-filter cpm type ipv6 entry 188 action accept`
 
 	// grpc contains the grpc server(s) configuration for srlinux versions >= 24.3.
-	// It consists of the gNMI, gNOI, gRIBI, and p4RT services enabled on the `mgmt`
+	// It consists of the gNMI, gNOI, gNSI, gRIBI, and p4RT services enabled on the `mgmt`
 	// grpc server instance with a custom TLS profile.
 	// And in addition to the TLS secured services, the `insecure-mgmt` server instance
 	// is created that provides the same services but without TLS.
-	grpcConfig = `set / system grpc-server mgmt services [ gnmi gnoi gribi p4rt ]
+	grpcConfig = `set / system grpc-server mgmt services [ gnmi gnoi gnsi gribi p4rt ]
 set / system grpc-server mgmt tls-profile clab-profile
 set / system grpc-server mgmt rate-limit 65000
 set / system grpc-server mgmt network-instance mgmt
@@ -74,7 +74,7 @@ set / system grpc-server mgmt unix-socket admin-state enable
 set / system grpc-server mgmt admin-state enable
 delete / system grpc-server mgmt default-tls-profile
 
-set / system grpc-server insecure-mgmt services [ gnmi gnoi gribi p4rt ]
+set / system grpc-server insecure-mgmt services [ gnmi gnoi gnsi gribi p4rt ]
 set / system grpc-server insecure-mgmt port 57401
 set / system grpc-server insecure-mgmt rate-limit 65000
 set / system grpc-server insecure-mgmt network-instance mgmt
@@ -189,4 +189,9 @@ func (n *srl) setVersionSpecificParams(tplData *srlTemplateData) {
 
 		tplData.GRPCConfig = grpcConfigPre24_3
 	}
+
+	// in srlinux >= v24.10+ we add EDA configuration.
+	if semver.Compare(v, "v24.10") >= 0 || n.swVersion.Major == "0" {
+		tplData.EDAConfig = edaConfig
+	}
 }