Feat(eos_cli_config_gen): Extend CLI model for ip_security #3312

Merged
merged 12 commits into from
Nov 10, 2023
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
- [Management Interfaces](#management-interfaces)
- [IP Security](#ip-security)
- [IKE policies](#ike-policies)
- [Security Association policies](#security-association-policies)
- [IPSec profiles](#ipsec-profiles)
- [Key controller](#key-controller)
- [IP Security Configuration](#ip-security-configuration)
Expand Down Expand Up @@ -42,10 +43,18 @@ interface Management1

### IKE policies

| Policy name | Local ID |
| ----------- | -------- |
| IKE-1 | 192.168.100.1 |
| IKE-2 | - |
| Policy name | IKE lifetime | Encryption | DH group | Local ID |
| ----------- | ------------ | ---------- | -------- | -------- |
| IKE-1 | 24 | aes256 | 20 | 192.168.100.1 |
| IKE-2 | - | - | - | - |

### Security Association policies

| Policy name | ESP Integrity | ESP Encryption | PFS DH Group |
| ----------- | ------------- | -------------- | ------------ |
| SA-1 | - | aes128 | 14 |
| SA-2 | - | aes128 | 14 |
| SA-3 | disabled | disabled | 17 |

### IPSec profiles

Expand All @@ -68,6 +77,9 @@ ip security
!
ike policy IKE-1
local-id 192.168.100.1
ike-lifetime 24
encryption aes256
dh-group 20
!
ike policy IKE-2
!
Expand All @@ -80,6 +92,7 @@ ip security
pfs dh-group 14
!
sa policy SA-3
esp integrity null
esp encryption null
pfs dh-group 17
!
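Review bot: SA-3 now renders `esp integrity null` together with `esp encryption null`, i.e. an ESP transform that provides neither integrity nor confidentiality. That is fine as a fixture for the new `disabled` mapping, but this file is also the user-facing example documentation, so the policy reads as a configuration worth copying. Consider either pairing `disabled` encryption with `sha256` integrity in one of the example policies, or stating in the schema description of `disabled` that an SA with both values disabled offers no protection at all.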
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,9 @@ ip security
!
ike policy IKE-1
local-id 192.168.100.1
ike-lifetime 24
encryption aes256
dh-group 20
!
ike policy IKE-2
!
Expand All @@ -23,6 +26,7 @@ ip security
pfs dh-group 14
!
sa policy SA-3
esp integrity null
esp encryption null
pfs dh-group 17
!
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,9 @@ ip_security:
ike_policies:
- name: IKE-1
local_id: 192.168.100.1
ike_lifetime: 24
encryption: aes256
dh_group: 20
- name: IKE-2
sa_policies:
- name: SA-1
Expand All @@ -15,8 +18,8 @@ ip_security:
pfs_dh_group: 14
- name: SA-3
esp:
integrity: "null"
encryption: "null"
integrity: disabled
encryption: disabled
pfs_dh_group: 17
profiles:
- name: Profile-1
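Review bot: switching both SA-3 values from `"null"` to `disabled` removes the only fixture that exercises the deprecated `"null"` input, although the schema keeps accepting it until AVD 5.0.0. Keep one policy (or add an SA-4) with `integrity: "null"` / `encryption: "null"` so the template's pass-through of the legacy value to `esp integrity null` stays covered until the value is actually removed.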
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -11,11 +11,14 @@
| [<samp>&nbsp;&nbsp;ike_policies</samp>](## "ip_security.ike_policies") | List, items: Dictionary | | | | Internet Security Association and Key Mgmt Protocol. |
| [<samp>&nbsp;&nbsp;&nbsp;&nbsp;- name</samp>](## "ip_security.ike_policies.[].name") | String | Required, Unique | | | Policy name. |
| [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;local_id</samp>](## "ip_security.ike_policies.[].local_id") | String | | | | Local IKE Identification.<br>Can be an IPv4 or an IPv6 address.<br> |
| [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;ike_lifetime</samp>](## "ip_security.ike_policies.[].ike_lifetime") | Integer | | | Min: 1<br>Max: 24 | IKE lifetime in hours. |
| [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;encryption</samp>](## "ip_security.ike_policies.[].encryption") | String | | | Valid Values:<br>- 3des<br>- aes128<br>- aes256 | IKE encryption algorithm. |
| [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;dh_group</samp>](## "ip_security.ike_policies.[].dh_group") | Integer | | | Valid Values:<br>- 1<br>- 2<br>- 5<br>- 14<br>- 15<br>- 16<br>- 17<br>- 20<br>- 21<br>- 24 | Diffie-Hellman group for the key exchange. |
| [<samp>&nbsp;&nbsp;sa_policies</samp>](## "ip_security.sa_policies") | List, items: Dictionary | | | | Security Association policies. |
| [<samp>&nbsp;&nbsp;&nbsp;&nbsp;- name</samp>](## "ip_security.sa_policies.[].name") | String | Required, Unique | | | Name of the SA policy. |
| [<samp>&nbsp;&nbsp;&nbsp;&nbsp;- name</samp>](## "ip_security.sa_policies.[].name") | String | Required, Unique | | | Name of the SA policy. The "null" value is deprecated and will be removed in AVD 5.0.0 |
| [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;esp</samp>](## "ip_security.sa_policies.[].esp") | Dictionary | | | | |
| [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;integrity</samp>](## "ip_security.sa_policies.[].esp.integrity") | String | | | Valid Values:<br>- null<br>- sha1<br>- sha256 | |
| [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;encryption</samp>](## "ip_security.sa_policies.[].esp.encryption") | String | | | Valid Values:<br>- null<br>- aes128<br>- aes128gcm128<br>- aes128gcm64<br>- aes256<br>- aes256gcm256 | |
| [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;integrity</samp>](## "ip_security.sa_policies.[].esp.integrity") | String | | | Valid Values:<br>- disabled<br>- sha1<br>- sha256<br>- null | |
| [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;encryption</samp>](## "ip_security.sa_policies.[].esp.encryption") | String | | | Valid Values:<br>- disabled<br>- aes128<br>- aes128gcm128<br>- aes128gcm64<br>- aes256<br>- aes256gcm256<br>- null | |
| [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;pfs_dh_group</samp>](## "ip_security.sa_policies.[].pfs_dh_group") | Integer | | | Valid Values:<br>- 1<br>- 2<br>- 5<br>- 14<br>- 15<br>- 16<br>- 17<br>- 20<br>- 21<br>- 24 | |
| [<samp>&nbsp;&nbsp;profiles</samp>](## "ip_security.profiles") | List, items: Dictionary | | | | IPSec profiles. |
| [<samp>&nbsp;&nbsp;&nbsp;&nbsp;- name</samp>](## "ip_security.profiles.[].name") | String | Required, Unique | | | Name of the IPsec profile. |
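Review bot: the deprecation sentence ("The "null" value is deprecated and will be removed in AVD 5.0.0") is attached to the `- name` row, but a policy name has no `null` value; it belongs on `esp.integrity` and `esp.encryption`, whose valid-value lists are where `null` appears and whose description cells are currently empty. As this table is generated, the fix belongs in the source schema rather than in this file.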
Expand All @@ -38,6 +41,9 @@
ike_policies:
- name: <str>
local_id: <str>
ike_lifetime: <int>
encryption: <str>
dh_group: <int>
sa_policies:
- name: <str>
esp:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -6597,6 +6597,40 @@
"type": "string",
"description": "Local IKE Identification.\nCan be an IPv4 or an IPv6 address.\n",
"title": "Local ID"
},
"ike_lifetime": {
"type": "integer",
"minimum": 1,
"maximum": 24,
"description": "IKE lifetime in hours.",
"title": "Ike Lifetime"
},
"encryption": {
"type": "string",
"enum": [
"3des",
"aes128",
"aes256"
],
"description": "IKE encryption algorithm.",
"title": "Encryption"
},
"dh_group": {
"type": "integer",
"enum": [
1,
2,
5,
14,
15,
16,
17,
20,
21,
24
],
"description": "Diffie-Hellman group for the key exchange.",
"title": "Dh Group"
}
},
"additionalProperties": false,
Expand All @@ -6617,7 +6651,7 @@
"properties": {
"name": {
"type": "string",
"description": "Name of the SA policy.",
"description": "Name of the SA policy. The \"null\" value is deprecated and will be removed in AVD 5.0.0",
"title": "Name"
},
"esp": {
Expand All @@ -6626,21 +6660,23 @@
"integrity": {
"type": "string",
"enum": [
"null",
"disabled",
"sha1",
"sha256"
"sha256",
"null"
],
"title": "Integrity"
},
"encryption": {
"type": "string",
"enum": [
"null",
"disabled",
"aes128",
"aes128gcm128",
"aes128gcm64",
"aes256",
"aes256gcm256"
"aes256gcm256",
"null"
],
"title": "Encryption"
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3789,6 +3789,36 @@ keys:
Can be an IPv4 or an IPv6 address.

'
ike_lifetime:
type: int
convert_types:
- str
min: 1
max: 24
description: IKE lifetime in hours.
encryption:
type: str
valid_values:
- 3des
- aes128
- aes256
description: IKE encryption algorithm.
dh_group:
type: int
convert_types:
- str
valid_values:
- 1
- 2
- 5
- 14
- 15
- 16
- 17
- 20
- 21
- 24
description: Diffie-Hellman group for the key exchange.
sa_policies:
type: list
description: Security Association policies.
Expand All @@ -3798,25 +3828,28 @@ keys:
keys:
name:
type: str
description: Name of the SA policy.
description: Name of the SA policy. The "null" value is deprecated and
will be removed in AVD 5.0.0
esp:
type: dict
keys:
integrity:
type: str
valid_values:
- 'null'
- disabled
- sha1
- sha256
- 'null'
encryption:
type: str
valid_values:
- 'null'
- disabled
- aes128
- aes128gcm128
- aes128gcm64
- aes256
- aes256gcm256
- 'null'
pfs_dh_group:
type: int
convert_types:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,26 @@ keys:
description: |
Local IKE Identification.
Can be an IPv4 or an IPv6 address.
ike_lifetime:
type: int
convert_types:
- str
min: 1
max: 24
description: IKE lifetime in hours.
encryption:
type: str
valid_values:
- 3des
- aes128
- aes256
description: IKE encryption algorithm.
dh_group:
type: int
convert_types:
- str
valid_values: [1, 2, 5, 14, 15, 16, 17, 20, 21, 24]
description: Diffie-Hellman group for the key exchange.
sa_policies:
type: list
description: Security Association policies.
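Review bot: `dh_group` accepts groups 1, 2 and 5 (768-, 1024- and 1536-bit MODP) and `encryption` accepts `3des`, presumably mirroring what EOS accepts, yet the descriptions give no hint that these are legacy choices. Suggest extending the two descriptions (for example "Groups 1, 2 and 5 are supported for interoperability with legacy peers only; prefer 14 or higher" and the equivalent for `3des`) so the generated documentation steers users toward the stronger options already in the list without narrowing the schema.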
Expand All @@ -33,25 +53,27 @@ keys:
keys:
name:
type: str
description: Name of the SA policy.
description: Name of the SA policy. The "null" value is deprecated and will be removed in AVD 5.0.0
esp:
type: dict
keys:
integrity:
type: str
valid_values:
- "null"
- disabled
- sha1
- sha256
- "null" # TODO: AVD 5.0.0
encryption:
type: str
valid_values:
- "null"
- disabled
- aes128
- aes128gcm128
- aes128gcm64
- aes256
- aes256gcm256
- "null" # TODO: AVD 5.0.0
pfs_dh_group:
type: int
convert_types:
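Review bot: the deprecation text lives in the description of `name` instead of on `esp.integrity` and `esp.encryption`, where the `"null"` entries marked `# TODO: AVD 5.0.0` actually are; a reader of the generated docs will see the warning next to the policy name and miss it where it matters. Move the sentence to those two keys, which currently have no description at all, e.g. `description: ESP integrity algorithm. The "null" value is deprecated, use "disabled" instead; "null" will be removed in AVD 5.0.0` and the same for `encryption`. The `# TODO` comments make the removal easy to find later, so keeping them is fine.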
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -11,13 +11,13 @@

### IKE policies

| Policy name | Local ID |
| ----------- | -------- |
| Policy name | IKE lifetime | Encryption | DH group | Local ID |
| ----------- | ------------ | ---------- | -------- | -------- |
{% for ike_policy in ip_security.ike_policies | arista.avd.default([]) %}
| {{ ike_policy.name }} | {{ ike_policy.local_id | arista.avd.default("-") }} |
| {{ ike_policy.name }} | {{ ike_policy.ike_lifetime | arista.avd.default("-") }} | {{ ike_policy.encryption | arista.avd.default("-") }} | {{ ike_policy.dh_group | arista.avd.default("-") }} | {{ ike_policy.local_id | arista.avd.default("-") }} |
{% endfor %}
{% endif %}
{% if ip_security.ike_policie is arista.avd.defined %}
{% if ip_security.sa_policies is arista.avd.defined %}

### Security Association policies

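Review bot: the new `IKE lifetime` column header gives no unit, although the schema defines `ike_lifetime` in hours (1 to 24); rendered as a bare `24` next to `aes256` and `20` it is easy to misread. Suggest `| Policy name | IKE lifetime (hours) | Encryption | DH group | Local ID |` with a matching separator row so the generated table is self-describing. The `ike_policie` to `sa_policies` correction is right and means the Security Association policies section now renders for the first time, which is worth a line in the release notes.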
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -13,15 +13,32 @@ ip security
{% if ike_policy.local_id is arista.avd.defined %}
local-id {{ ike_policy.local_id }}
{% endif %}
{% if ike_policy.ike_lifetime is arista.avd.defined %}
ike-lifetime {{ ike_policy.ike_lifetime }}
{% endif %}
{% if ike_policy.encryption is arista.avd.defined %}
encryption {{ ike_policy.encryption }}
{% endif %}
{% if ike_policy.dh_group is arista.avd.defined %}
dh-group {{ ike_policy.dh_group }}
{% endif %}
{% endfor %}
{% for sa_policy in ip_security.sa_policies | arista.avd.default([]) %}
!
sa policy {{ sa_policy.name }}
{% if sa_policy.esp.intergrity is arista.avd.defined %}
esp intergrity {{ sa_policy.esp.intergrity }}
{% if sa_policy.esp.integrity is arista.avd.defined %}
{% if sa_policy.esp.integrity == "disabled" %}
esp integrity null
{% else %}
esp integrity {{ sa_policy.esp.integrity }}
{% endif %}
{% endif %}
{% if sa_policy.esp.encryption is arista.avd.defined %}
{% if sa_policy.esp.encryption == "disabled" %}
esp encryption null
{% else %}
esp encryption {{ sa_policy.esp.encryption }}
{% endif %}
{% endif %}
{% if sa_policy.pfs_dh_group is arista.avd.defined %}
pfs dh-group {{ sa_policy.pfs_dh_group }}
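Review bot: the `disabled` to `null` translation is written out twice with identical structure; a single expression per key, e.g. `esp integrity {{ sa_policy.esp.integrity | replace("disabled", "null") }}`, keeps the two branches from drifting apart and still passes the deprecated `"null"` input through unchanged. Note also that the old template tested `sa_policy.esp.intergrity` (typo), so `esp integrity` was silently never emitted before this change; after upgrading, users who set `integrity` will see a new line appear in their generated configuration, and anyone who unknowingly relied on the device default should be told in the release notes.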
Expand Down