EDA grpc config for SR Linux nodes (#2368)

* added eda config blocks * use env var CLAB_EDA_MODE to change the TLS profile from clab-profile to EDA for EDA management * Revert "use env var CLAB_EDA_MODE to change the TLS profile from clab-profile to EDA for EDA management" This reverts commit 90dcbad. * add both env var based and default eda management configs
srl-labs · Jan 3, 2025 · 0d030b4 · 0d030b4
1 parent dc316b3
commit 0d030b4
Show file tree

Hide file tree

Showing 4 changed files with 99 additions and 3 deletions.
diff --git a/nodes/srl/eda.go b/nodes/srl/eda.go
@@ -0,0 +1,78 @@
+package srl
+
+// edaDiscoveryServerConfig contains configuration for the EDA discovery server.
+const edaDiscoveryServerConfig = `!!! EDA Discovery gRPC server
+set / system grpc-server eda-discovery services [ gnmi gnsi ]
+set / system grpc-server eda-discovery admin-state enable
+set / system grpc-server eda-discovery port 50052
+set / system grpc-server eda-discovery rate-limit 65535
+set / system grpc-server eda-discovery session-limit 1024
+set / system grpc-server eda-discovery metadata-authentication true
+set / system grpc-server eda-discovery default-tls-profile true
+set / system grpc-server eda-discovery network-instance mgmt
+
+!!! ACL rules allowing incoming tcp/50052 for the eda-discovery grpc server
+set / acl acl-filter cpm type ipv4 entry 355 description "Containerlab-added rule: Accept incoming gRPC over port 50052 for the eda-discovery gRPC server"
+set / acl acl-filter cpm type ipv4 entry 355 match ipv4 protocol tcp
+set / acl acl-filter cpm type ipv4 entry 355 match transport destination-port operator eq
+set / acl acl-filter cpm type ipv4 entry 355 match transport destination-port value 50052
+set / acl acl-filter cpm type ipv4 entry 355 action accept
+
+set / acl acl-filter cpm type ipv6 entry 365 description "Containerlab-added rule: Accept incoming gRPC over port 50052 for the eda-discovery gRPC server"
+set / acl acl-filter cpm type ipv6 entry 365 match ipv6 next-header tcp
+set / acl acl-filter cpm type ipv6 entry 365 match transport destination-port operator eq
+set / acl acl-filter cpm type ipv6 entry 365 match transport destination-port value 50052
+set / acl acl-filter cpm type ipv6 entry 365 action accept`
+
+// edaCustomMgmtServerConfig contains configuration for the EDA management servers
+// running over custom ports.
+const edaCustomMgmtServerConfig = `!!! EDA Management gRPC server
+set / system grpc-server eda-mgmt services [ gnmi gnoi gnsi ]
+set / system grpc-server eda-mgmt admin-state enable
+set / system grpc-server eda-mgmt port 57410
+set / system grpc-server eda-mgmt rate-limit 65535
+set / system grpc-server eda-mgmt session-limit 1024
+set / system grpc-server eda-mgmt metadata-authentication true
+set / system grpc-server eda-mgmt tls-profile EDA
+set / system grpc-server eda-mgmt network-instance mgmt
+
+!!! ACL rules allowing incoming tcp/57410 for the eda-discovery grpc server
+set / acl acl-filter cpm type ipv4 entry 356 description "Containerlab-added rule: Accept incoming gRPC over port 57410 for the eda-mgmt gRPC server"
+set / acl acl-filter cpm type ipv4 entry 356 match ipv4 protocol tcp
+set / acl acl-filter cpm type ipv4 entry 356 match transport destination-port operator eq
+set / acl acl-filter cpm type ipv4 entry 356 match transport destination-port value 57410
+set / acl acl-filter cpm type ipv4 entry 356 action accept
+
+set / acl acl-filter cpm type ipv6 entry 366 description "Containerlab-added rule: Accept incoming gRPC over port 57410 for the eda-mgmt gRPC server"
+set / acl acl-filter cpm type ipv6 entry 366 match ipv6 next-header tcp
+set / acl acl-filter cpm type ipv6 entry 366 match transport destination-port operator eq
+set / acl acl-filter cpm type ipv6 entry 366 match transport destination-port value 57410
+set / acl acl-filter cpm type ipv6 entry 366 action accept
+
+!!! EDA Management (insecure) gRPC server
+set / system grpc-server eda-insecure-mgmt services [ gnmi gnoi gnsi ]
+set / system grpc-server eda-insecure-mgmt admin-state enable
+set / system grpc-server eda-insecure-mgmt port 57411
+set / system grpc-server eda-insecure-mgmt rate-limit 65535
+set / system grpc-server eda-insecure-mgmt session-limit 1024
+set / system grpc-server eda-insecure-mgmt metadata-authentication true
+set / system grpc-server eda-mgmt network-instance mgmt
+
+!!! ACL rules allowing incoming tcp/57411 for the eda-discovery grpc server
+set / acl acl-filter cpm type ipv4 entry 357 description "Containerlab-added rule: Accept incoming gRPC over port 57411 for the eda-mgmt gRPC server"
+set / acl acl-filter cpm type ipv4 entry 357 match ipv4 protocol tcp
+set / acl acl-filter cpm type ipv4 entry 357 match transport destination-port operator eq
+set / acl acl-filter cpm type ipv4 entry 357 match transport destination-port value 57411
+set / acl acl-filter cpm type ipv4 entry 357 action accept
+
+set / acl acl-filter cpm type ipv6 entry 367 description "Containerlab-added rule: Accept incoming gRPC over port 57411 for the eda-mgmt gRPC server"
+set / acl acl-filter cpm type ipv6 entry 367 match ipv6 next-header tcp
+set / acl acl-filter cpm type ipv6 entry 367 match transport destination-port operator eq
+set / acl acl-filter cpm type ipv6 entry 367 match transport destination-port value 57411
+set / acl acl-filter cpm type ipv6 entry 367 action accept`
+
+// edaDefaultMgmtServerConfig is the configuration blob that sets EDA TLS profile
+// for the `mgmt` grpc server running over port 57400,
+// it is applied when CLAB_EDA_USE_DEFAULT_GRPC_SERVER is set.
+const edaDefaultMgmtServerConfig = `set / system grpc-server mgmt metadata-authentication true
+set / system grpc-server mgmt tls-profile EDA`
diff --git a/nodes/srl/srl.go b/nodes/srl/srl.go
@@ -535,6 +535,8 @@ type srlTemplateData struct {
 	ACLConfig string
 	// NetconfConfig is a string containing Netconf server configuration
 	NetconfConfig string
+	// EDAConfig is a string containing EDA configuration
+	EDAConfig string
 }
 
 // tplIFace template interface struct.

diff --git a/nodes/srl/srl_default_config.go.tpl b/nodes/srl/srl_default_config.go.tpl
@@ -13,6 +13,8 @@ set / system tls server-profile clab-profile authenticate-client false
 
 {{ .GRPCConfig }}
 
+{{ .EDAConfig }}
+
 {{- if .EnableGNMIUnixSockServices }}
 system gnmi-server unix-socket services [ gnmi gnoi ] admin-state enable
 {{- end }}

diff --git a/nodes/srl/version.go b/nodes/srl/version.go
@@ -2,6 +2,7 @@ package srl
 
 import (
 	"context"
+	"os"
 	"regexp"
 
 	log "github.com/sirupsen/logrus"
@@ -61,11 +62,11 @@ set / acl acl-filter cpm type ipv6 entry 188 match transport destination-port va
 set / acl acl-filter cpm type ipv6 entry 188 action accept`
 
 	// grpc contains the grpc server(s) configuration for srlinux versions >= 24.3.
-	// It consists of the gNMI, gNOI, gRIBI, and p4RT services enabled on the `mgmt`
+	// It consists of the gNMI, gNOI, gNSI, gRIBI, and p4RT services enabled on the `mgmt`
 	// grpc server instance with a custom TLS profile.
 	// And in addition to the TLS secured services, the `insecure-mgmt` server instance
 	// is created that provides the same services but without TLS.
-	grpcConfig = `set / system grpc-server mgmt services [ gnmi gnoi gribi p4rt ]
+	grpcConfig = `set / system grpc-server mgmt services [ gnmi gnoi gnsi gribi p4rt ]
 set / system grpc-server mgmt tls-profile clab-profile
 set / system grpc-server mgmt rate-limit 65000
 set / system grpc-server mgmt network-instance mgmt
@@ -74,7 +75,7 @@ set / system grpc-server mgmt unix-socket admin-state enable
 set / system grpc-server mgmt admin-state enable
 delete / system grpc-server mgmt default-tls-profile
 
-set / system grpc-server insecure-mgmt services [ gnmi gnoi gribi p4rt ]
+set / system grpc-server insecure-mgmt services [ gnmi gnoi gnsi gribi p4rt ]
 set / system grpc-server insecure-mgmt port 57401
 set / system grpc-server insecure-mgmt rate-limit 65000
 set / system grpc-server insecure-mgmt network-instance mgmt
@@ -189,4 +190,17 @@ func (n *srl) setVersionSpecificParams(tplData *srlTemplateData) {
 
 		tplData.GRPCConfig = grpcConfigPre24_3
 	}
+
+	// in srlinux >= v24.10+ we add EDA configuration.
+	if semver.Compare(v, "v24.10") >= 0 || n.swVersion.Major == "0" {
+		cfg := edaDiscoveryServerConfig
+
+		if os.Getenv("CLAB_EDA_USE_DEFAULT_GRPC_SERVER") != "" {
+			cfg = cfg + "\n" + edaDefaultMgmtServerConfig
+		} else {
+			cfg = cfg + "\n" + edaCustomMgmtServerConfig
+		}
+
+		tplData.EDAConfig = cfg
+	}
 }