Cut(eos_cli_config_gen): Removing 'null' as valid value of esp integr…

…ity and encryption from ip-security module (aristanetworks#4336)
jrecchia1029 · Aug 14, 2024 · c013b53 · c013b53
1 parent 47f69ef
commit c013b53
Show file tree

Hide file tree

Showing 8 changed files with 66 additions and 8 deletions.
diff --git a/ansible_collections/arista/avd/docs/porting-guides/5.x.x.md b/ansible_collections/arista/avd/docs/porting-guides/5.x.x.md
@@ -240,6 +240,23 @@ As of AVD 5.0.0 the automatic conversion from both of the previous models has be
               route_map: static-to-bgp
     ```
 
+### `ip_security.sa_policies[].esp.integrity` and `.encryption` "null" option has been replaced with "disabled"
+
+In AVD 4.0.0 we had "null" as a valid value for esp integrity and encryption to apply the null security profile and encryption under the ip-security configuration.
+
+As of AVD 5.0.0 "null" option for esp integrity and encryption has been replaced with "disabled" to apply the null security profile and encryption under the ip-security configuration.
+
+```diff
+ ip_security:
+   sa_policies:
+     name: Disabled
+     esp:
+-      integrity: "null"
+-      encryption: "null"
++      integrity: disabled
++      encryption: disabled
+```
+
 ### Removal of deprecated data models
 
 The following data model keys have been removed from `eos_cli_config_gen` in v5.0.0.

diff --git a/ansible_collections/arista/avd/docs/release-notes/5.x.x.md b/ansible_collections/arista/avd/docs/release-notes/5.x.x.md
@@ -70,6 +70,10 @@ As of AVD 5.0.0 the automatic conversion from both of the previous models has be
 
 See the [porting guide](../porting-guides/5.x.x.md#no-auto-conversion-of-old-data-model-for-router_bgpredistribute_routes-and-router_bgpvrfsredistribute_routes) for details.
 
+#### `ip_security.sa_policies[].esp.integrity` and `.encryption` "null" option has been replaced with "disabled"
+
+See the [porting guide](../porting-guides/5.x.x.md#ip_securitysa_policiesespintegrity-and-encryption-null-option-has-been-replaced-with-disabled) for details.
+
 #### Removal of schema in JSON format
 
 The `eos_cli_config_gen.jsonschema.json` is no longer generated. This schema was not being used and had never been complete.

diff --git a/...ons/arista/avd/molecule/eos_cli_config_gen/documentation/devices/ip-security.md b/...ons/arista/avd/molecule/eos_cli_config_gen/documentation/devices/ip-security.md
@@ -59,6 +59,9 @@ interface Management1
 | SA-1 | - | aes128 | - | 14 |
 | SA-2 | - | aes128 | 42 gigabytes | 14 |
 | SA-3 | disabled | disabled | 8 hours | 17 |
+| SA-4 | md5 | 3des | - | - |
+| SA-5 | sha512 | - | - | - |
+| SA-6 | sha384 | - | - | - |
 
 ### IPSec profiles
 
@@ -109,6 +112,16 @@ ip security
       sa lifetime 8 hours
       pfs dh-group 17
    !
+   sa policy SA-4
+      esp integrity md5
+      esp encryption 3des
+   !
+   sa policy SA-5
+      esp integrity sha512
+   !
+   sa policy SA-6
+      esp integrity sha384
+   !
    profile Profile-1
       ike-policy IKE-1
       sa-policy SA-1

diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/ip-security.cfg b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/ip-security.cfg
@@ -38,6 +38,16 @@ ip security
       sa lifetime 8 hours
       pfs dh-group 17
    !
+   sa policy SA-4
+      esp integrity md5
+      esp encryption 3des
+   !
+   sa policy SA-5
+      esp integrity sha512
+   !
+   sa policy SA-6
+      esp integrity sha384
+   !
    profile Profile-1
       ike-policy IKE-1
       sa-policy SA-1

diff --git a/...le_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/ip-security.yml b/...le_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/ip-security.yml
@@ -33,6 +33,16 @@ ip_security:
         value: 8
         # default unit is hours
       pfs_dh_group: 17
+    - name: SA-4
+      esp:
+        integrity: md5
+        encryption: 3des
+    - name: SA-5
+      esp:
+        integrity: sha512
+    - name: SA-6
+      esp:
+        integrity: sha384
   profiles:
     - name: Profile-1
       ike_policy: IKE-1

diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/ip-security.md b/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/ip-security.md
diff --git a/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml b/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml
diff --git a/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/ip_security.schema.yml b/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/ip_security.schema.yml
@@ -89,7 +89,9 @@ keys:
                     - disabled
                     - sha1
                     - sha256
-                    - "null"  # TODO: AVD 5.0.0
+                    - sha384
+                    - sha512
+                    - md5
                 encryption:
                   type: str
                   valid_values:
@@ -99,7 +101,7 @@ keys:
                     - aes128gcm64
                     - aes256
                     - aes256gcm128
-                    - "null"  # TODO: AVD 5.0.0
+                    - 3des
             pfs_dh_group:
               type: int
               convert_types: