-
Notifications
You must be signed in to change notification settings - Fork 157
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[ycabled] add secure channel support for grpc dualtor active-active connectivity #275
Conversation
Signed-off-by: vaibhav-dahiya <vdahiya@microsoft.com>
This pull request introduces 1 alert when merging e6a09fc into 005ec30 - view on LGTM.com new alerts:
|
Signed-off-by: vaibhav-dahiya <vdahiya@microsoft.com>
Signed-off-by: vaibhav-dahiya <vdahiya@microsoft.com>
type = grpc_config_dict.get("type", None) | ||
level = grpc_config_dict.get("auth_level", None) | ||
|
||
(status, fvs) = grpc_config[asic_index].get("certs") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what if the type is insecure
and the certs
is not defined:
{
'config': {
'type': 'insecure'
}
}
}
In this case status
will be False
, and goes to LINE#489, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed, logic takes default to be insecure if no config defined
for _ in range(retries): | ||
|
||
if type == "secure": | ||
credential = get_grpc_credentials(type, kvp) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this should be
credential = get_grpc_credentials(type, kvp) | |
credential = get_grpc_credentials(level, kvp) |
Right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for pointing out, fixed.
Signed-off-by: vaibhav-dahiya <vdahiya@microsoft.com>
Signed-off-by: vaibhav-dahiya <vdahiya@microsoft.com>
…onnectivity (#275) Signed-off-by: vaibhav-dahiya vdahiya@microsoft.com This PR adds support for creating a secure channel for gRPC between SOC and SONiC. the certs and configurations are defined in config DB config': { 'type': 'secure', 'auth_level': 'server', 'log_level': 'info' }, 'certs': { 'client_crt': path', 'client_key': 'path 'ca_crt': 'path, 'grpc_ssl_credential': 'target override' } Using this config parameter we can have secure/insecure as well as mutual/server level authentication between SoC and SONiC. This PR leverages the cert API's in gRPC lib and certs created to create a TLS based handshake if required to setup gRPC channel Description Motivation and Context Required for secure gRPC support between SONiC and SoC How Has This Been Tested? Unit-Tests and running the changes on the testbed
Update sonic-platform-daemons submodule pointer to include the following: * Xcvrd changes to support 400G ZR configuration ([sonic-net#270](sonic-net/sonic-platform-daemons#270)) * [ycabled] add secure channel support for grpc dualtor active-active connectivity ([sonic-net#275](sonic-net/sonic-platform-daemons#275)) Signed-off-by: dprital <drorp@nvidia.com>
Signed-off-by: vaibhav-dahiya vdahiya@microsoft.com
This PR adds support for creating a secure channel for gRPC between SOC and SONiC.
the certs and configurations are defined in config DB
Using this config parameter we can have secure/insecure as well as mutual/server level authentication between SoC and SONiC.
This PR leverages the cert API's in gRPC lib and certs created to create a TLS based handshake if required to setup gRPC channel
Description
Motivation and Context
Required for secure gRPC support between SONiC and SoC
How Has This Been Tested?
Unit-Tests and running the changes on the testbed
Additional Information (Optional)