Feat(eos_cli_config_gen): Added support for fips_restrictions under management security #4845

Open
wants to merge 9 commits into
base: devel
@@ -240,9 +240,9 @@ aaa authorization exec default local

### Management Security SSL Profiles

| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - |
| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions enabled |
| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ------------------------- |
| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - | - |

### SSL profile STUN-DTLS Certificates Summary

@@ -240,9 +240,9 @@ aaa authorization exec default local

### Management Security SSL Profiles

| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - |
| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions enabled |
| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ------------------------- |
| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - | - |

### SSL profile STUN-DTLS Certificates Summary

@@ -239,9 +239,9 @@ aaa authorization exec default local

### Management Security SSL Profiles

| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - |
| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions enabled |
| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ------------------------- |
| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - | - |

### SSL profile STUN-DTLS Certificates Summary

@@ -239,9 +239,9 @@ aaa authorization exec default local

### Management Security SSL Profiles

| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - |
| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions enabled |
| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ------------------------- |
| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - | - |

### SSL profile STUN-DTLS Certificates Summary

@@ -236,9 +236,9 @@ aaa authorization exec default local

### Management Security SSL Profiles

| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - |
| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions enabled |
| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ------------------------- |
| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - | - |

### SSL profile STUN-DTLS Certificates Summary

@@ -238,9 +238,9 @@ aaa authorization exec default local

### Management Security SSL Profiles

| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - |
| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions enabled |
| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ------------------------- |
| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - | - |

### SSL profile STUN-DTLS Certificates Summary

@@ -238,9 +238,9 @@ aaa authorization exec default local

### Management Security SSL Profiles

| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - |
| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions enabled |
| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ------------------------- |
| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - | - |

### SSL profile STUN-DTLS Certificates Summary

@@ -1452,18 +1452,18 @@ address locking

### Management Security SSL Profiles

| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
| certificate-profile | - | eAPI.crt | eAPI.key | - | ca.crl<br>intermediate.crl |
| cipher-list-profile | - | - | - | ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384 | - |
| SSL_PROFILE | 1.1 1.2 | SSL_CERT | SSL_KEY | - | - |
| test1-chain-cert | - | - | - | - | - |
| test1-trust-cert | - | - | - | - | - |
| test2-chain-cert | - | - | - | - | - |
| test2-trust-cert | - | - | - | - | - |
| tls-single-version-profile-as-float | 1.0 | - | - | - | - |
| tls-single-version-profile-as-string | 1.1 | - | - | - | - |
| tls-versions-profile | 1.0 1.1 | - | - | - | - |
| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions enabled |
| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ------------------------- |
| certificate-profile | - | eAPI.crt | eAPI.key | - | ca.crl<br>intermediate.crl | False |
| cipher-list-profile | - | - | - | ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384 | - | False |
| SSL_PROFILE | 1.1 1.2 | SSL_CERT | SSL_KEY | - | - | True |
| test1-chain-cert | - | - | - | - | - | - |
| test1-trust-cert | - | - | - | - | - | - |
| test2-chain-cert | - | - | - | - | - | - |
| test2-trust-cert | - | - | - | - | - | - |
| tls-single-version-profile-as-float | 1.0 | - | - | - | - | - |
| tls-single-version-profile-as-string | 1.1 | - | - | - | - | - |
| tls-versions-profile | 1.0 1.1 | - | - | - | - | True |

### SSL profile test1-chain-cert Certificates Summary

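Review bot: the `tls-versions-profile` row now combines `FIPS restrictions enabled: True` with `TLS protocol accepted: 1.0 1.1`, so the rendered documentation presents a FIPS-restricted profile whose only accepted TLS versions are the ones deprecated by RFC 8996. If the flag is set on this profile only to exercise the template branch, `SSL_PROFILE` (TLS `1.1 1.2`, `True`) already covers it; consider moving the `true` case to a 1.2-capable profile so the example does not suggest that combination is a valid hardening baseline.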
@@ -1556,6 +1556,7 @@ management security
!
ssl profile SSL_PROFILE
tls versions 1.1 1.2
fips restrictions
certificate SSL_CERT key SSL_KEY
!
ssl profile test1-chain-cert
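Review bot: `fips restrictions` is emitted between `tls versions 1.1 1.2` and `certificate SSL_CERT key SSL_KEY`; please confirm this is the order EOS uses when it prints the ssl profile in `show running-config`, because generated configurations are diffed against the running config and an out-of-order line surfaces as a spurious change on every run.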
@@ -1584,6 +1585,7 @@ management security
!
ssl profile tls-versions-profile
tls versions 1.0 1.1
fips restrictions
```

## Prompt Device Configuration
@@ -335,9 +335,9 @@ aaa accounting exec default none

### Management Security SSL Profiles

| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
| cipher-v1.0-v1.3 | - | - | - | v1.0 to v1.2: SHA256:SHA384<br>v1.3: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 | - |
| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions enabled |
| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ------------------------- |
| cipher-v1.0-v1.3 | - | - | - | v1.0 to v1.2: SHA256:SHA384<br>v1.3: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 | - | - |

### Management Security Device Configuration

@@ -1354,6 +1354,7 @@ management security
!
ssl profile SSL_PROFILE
tls versions 1.1 1.2
fips restrictions
certificate SSL_CERT key SSL_KEY
!
ssl profile test1-chain-cert
@@ -1382,6 +1383,7 @@ management security
!
ssl profile tls-versions-profile
tls versions 1.0 1.1
fips restrictions
!
radius-server deadtime 10
radius-server attribute 32 include-in-access-req hostname
@@ -23,15 +23,19 @@ management_security:
sequential: 7
ssl_profiles:
- name: SSL_PROFILE
fips_restrictions: true
tls_versions: 1.1 1.2
certificate:
file: SSL_CERT
key: SSL_KEY
- name: tls-versions-profile
fips_restrictions: true
tls_versions: "1.0 1.1"
- name: cipher-list-profile
fips_restrictions: false
cipher_list: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384
- name: certificate-profile
fips_restrictions: false
certificate:
file: eAPI.crt
key: eAPI.key
@@ -34,8 +34,8 @@

### Management Security SSL Profiles

| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions enabled |
| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ------------------------- |
{% set ssl_profiles_certs = [] %}
{% for ssl_profile in management_security.ssl_profiles | arista.avd.natural_sort %}
{% set crls = "-" %}
@@ -53,7 +53,7 @@
{% elif ssl_profile.cipher_list is arista.avd.defined %}
{% set ciphers = [ssl_profile.cipher_list] %}
{% endif %}
| {{ ssl_profile.name | arista.avd.default('-') }} | {{ ssl_profile.tls_versions | arista.avd.default('-') }} | {{ ssl_profile.certificate.file | arista.avd.default('-') }} | {{ ssl_profile.certificate.key | arista.avd.default('-') }} | {{ ciphers | arista.avd.default(['-']) | join('<br>') }} | {{ crls }} |
| {{ ssl_profile.name | arista.avd.default('-') }} | {{ ssl_profile.tls_versions | arista.avd.default('-') }} | {{ ssl_profile.certificate.file | arista.avd.default('-') }} | {{ ssl_profile.certificate.key | arista.avd.default('-') }} | {{ ciphers | arista.avd.default(['-']) | join('<br>') }} | {{ crls }} | {{ ssl_profile.fips_restrictions | arista.avd.default('-') }} |
{% set tmp_cert = {} %}
{% if ssl_profile.trust_certificate is arista.avd.defined %}
{% set tmp_cert = {'trust_certificate': ssl_profile.trust_certificate} %}
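Review bot: `{{ ssl_profile.fips_restrictions | arista.avd.default('-') }}` renders an unset key as `-` and an explicit `false` as `False`, even though both produce the same generated configuration (no `fips restrictions` line; the config template only emits it for `true`). A reader of the table therefore sees three states for a two-state setting. Consider `arista.avd.default(false)` so the column always shows the effective state, or keep `-` and state in the column header that it reports the configured value rather than the device behaviour.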
@@ -90,6 +90,9 @@ management security
{% if ssl_profile.tls_versions is arista.avd.defined %}
tls versions {{ ssl_profile.tls_versions }}
{% endif %}
{% if ssl_profile.fips_restrictions is arista.avd.defined(true) %}
fips restrictions
{% endif %}
{% if ssl_profile.ciphers.v1_0 is arista.avd.defined %}
cipher v1.0 {{ ssl_profile.ciphers.v1_0 }}
{% elif ssl_profile.cipher_list is arista.avd.defined %}
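Review bot: `is arista.avd.defined(true)` means that `fips_restrictions: false` and an absent key render identically (nothing), so the generated config never carries an explicit `no fips restrictions`. That matches how the surrounding keys in this template are handled and is correct for a full configuration replace, but a `false` in the inputs cannot undo a `fips restrictions` line left on a device by an earlier configuration when the output is merged rather than replaced; the schema description should make the `false`/unset behaviour explicit.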
5 changes: 5 additions & 0 deletions python-avd/pyavd/_eos_cli_config_gen/schema/__init__.py

@@ -101,6 +101,9 @@ keys:
keys:
name:
type: str
fips_restrictions:
type: bool
description: Use FIPS compliant algorithms.
tls_versions:
type: str
description: |
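Review bot: the new description `Use FIPS compliant algorithms.` does not say what the key changes in the generated configuration. Like the multi-line description on `tls_versions` below it, state that `true` renders `fips restrictions` under `ssl profile <name>` and that `false` or an unset key renders nothing, and, if EOS constrains the profile's `tls_versions` or cipher keys once FIPS restrictions are on, mention those constraints here so users do not define a profile whose other settings the device will not accept.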