sonic-net · saravanan-i · Dec 22, 2022 · Sep 19, 2023 · Sep 19, 2023 · Sep 19, 2023
diff --git a/dockers/docker-sonic-telemetry/telemetry.sh b/dockers/docker-sonic-telemetry/telemetry.sh
@@ -2,6 +2,10 @@
 
 EXIT_TELEMETRY_VARS_FILE_NOT_FOUND=1
 INCORRECT_TELEMETRY_VALUE = 2
+EXIT_TELEMETRY_SERVER_CERT_FILE_NOT_FOUND=2
+EXIT_TELEMETRY_SERVER_KEY_FILE_NOT_FOUND=3
+EXIT_TELEMETRY_CA_CERT_FILE_NOT_FOUND=4
+
 TELEMETRY_VARS_FILE=/usr/share/sonic/templates/telemetry_vars.j2
 
 if [ ! -f "$TELEMETRY_VARS_FILE" ]; then
@@ -23,48 +27,70 @@ export CVL_SCHEMA_PATH=/usr/sbin/schema
 if [ -n "$CERTS" ]; then
     SERVER_CRT=$(echo $CERTS | jq -r '.server_crt')
     SERVER_KEY=$(echo $CERTS | jq -r '.server_key')
-    if [ -z $SERVER_CRT  ] || [ -z $SERVER_KEY  ]; then
+    if [ -z $SERVER_CRT ] || [ $SERVER_CRT == "null" ] || [ -z $SERVER_KEY ] || [ $SERVER_KEY == "null" ]; then
         TELEMETRY_ARGS+=" --insecure"
     else
         TELEMETRY_ARGS+=" --server_crt $SERVER_CRT --server_key $SERVER_KEY "
     fi
 
     CA_CRT=$(echo $CERTS | jq -r '.ca_crt')
-    if [ ! -z $CA_CRT ]; then
+    if [ ! -z $CA_CRT ] && [ $CA_CRT != "null" ]; then
         TELEMETRY_ARGS+=" --ca_crt $CA_CRT"
     fi
+
 elif [ -n "$X509" ]; then
     SERVER_CRT=$(echo $X509 | jq -r '.server_crt')
     SERVER_KEY=$(echo $X509 | jq -r '.server_key')
-    if [ -z $SERVER_CRT  ] || [ -z $SERVER_KEY  ]; then
+    if [ -z $SERVER_CRT ] || [ $SERVER_CRT == "null" ] || [ -z $SERVER_KEY ] || [ $SERVER_KEY == "null" ]; then
         TELEMETRY_ARGS+=" --insecure"
     else
         TELEMETRY_ARGS+=" --server_crt $SERVER_CRT --server_key $SERVER_KEY "
     fi
 
     CA_CRT=$(echo $X509 | jq -r '.ca_crt')
-    if [ ! -z $CA_CRT ]; then
+    if [ ! -z $CA_CRT ] && [ $CA_CRT != "null" ]; then
         TELEMETRY_ARGS+=" --ca_crt $CA_CRT"
     fi
+
 else
-    TELEMETRY_ARGS+=" --noTLS"
+    TELEMETRY_ARGS+=" --insecure"
+fi
+
+# Check whether server certificate file exists or not
+if [[ $TELEMETRY_ARGS == *"server_crt"* ]] && [ ! -f "$SERVER_CRT" ]; then
+    echo "Telemetry server certificate file not found"
+    exit $EXIT_TELEMETRY_SERVER_CERT_FILE_NOT_FOUND
+fi
+
+# Check whether server key file exists or not
+if [[ $TELEMETRY_ARGS == *"server_key"* ]] && [ ! -f "$SERVER_KEY" ]; then
+    echo "Telemetry server key file not found"
+    exit $EXIT_TELEMETRY_SERVER_KEY_FILE_NOT_FOUND
+fi
+
+# Check whether CA certificate file exists or not
+if [[ $TELEMETRY_ARGS == *"ca_crt"* ]] && [ ! -f "$CA_CRT" ]; then
+    echo "Telemetry CA certificate file not found"
+    exit $EXIT_TELEMETRY_CA_CERT_FILE_NOT_FOUND
 fi
 
 # If no configuration entry exists for TELEMETRY, create one default port
-if [ -z "$GNMI" ]; then
-    PORT=8080
+PORT=$(echo $GNMI | jq -r '.port')
+if [ -z $PORT ] || [ $PORT == "null" ]; then
+    TELEMETRY_ARGS+=" --port 8080"
 else
-    PORT=$(echo $GNMI | jq -r '.port')
+    TELEMETRY_ARGS+=" --port $PORT"
 fi
-TELEMETRY_ARGS+=" --port $PORT"
 
 CLIENT_AUTH=$(echo $GNMI | jq -r '.client_auth')
-if [ -z $CLIENT_AUTH ] || [ $CLIENT_AUTH == "false" ]; then
+if [ -z $CLIENT_AUTH ] || [ $CLIENT_AUTH == "null" ] || [ $CLIENT_AUTH == "false" ]; then
     TELEMETRY_ARGS+=" --allow_no_client_auth"
+else
+    TELEMETRY_ARGS+=" --client_auth $CLIENT_AUTH"
 fi
 
 LOG_LEVEL=$(echo $GNMI | jq -r '.log_level')
-if [[ $LOG_LEVEL =~ ^[0-9]+$ ]]; then
+if [ ! -z $LOG_LEVEL ] && [ $LOG_LEVEL != "null" ] && [[ $LOG_LEVEL =~ ^[0-9]+$ ]]; then
     TELEMETRY_ARGS+=" -v=$LOG_LEVEL"
 else
     TELEMETRY_ARGS+=" -v=2"

@@ -3,9 +3,8 @@
         "desc": "TABLE_WITH_INCORRECT_CERT failure.",
         "eStrKey": "Pattern"
     },
-    "TELEMETRY_TABLE_WITH_INCORRECT_CLIENT_AUTH": {
-        "desc": "TABLE_WITH_INCORRECT_CLIENT_AUTH failure",
-        "eStrKey": "InvalidValue"
+    "TELEMETRY_TABLE_WITH_CORRECT_CLIENT_AUTH": {
+        "desc": "TABLE_WITH_CORRECT_CLIENT_AUTH"
     },
     "TELEMETRY_TABLE_WITH_INCORRECT_PORT": {
         "desc": "TABLE_WITH_INCORRECT_PORT failure.",

@@ -8,14 +8,14 @@
                     "server_key": "123"
                 },
                 "gnmi": {
-                    "client_auth": "true",
+                    "client_auth": "cert",
                     "log_level": "2",
                     "port": "50051"
                 }
             }
         }
     },
-    "TELEMETRY_TABLE_WITH_INCORRECT_CLIENT_AUTH": {
+    "TELEMETRY_TABLE_WITH_CORRECT_CLIENT_AUTH": {
         "sonic-telemetry:sonic-telemetry": {
             "sonic-telemetry:TELEMETRY": {
                 "certs": {
@@ -24,7 +24,7 @@
                     "server_key": "/etc/sonic/telemetry/streamingtelemetryserver.key"
                 },
                 "gnmi": {
-                    "client_auth": "up",
+                    "client_auth": "jwt",
                     "log_level": "2",
                     "port": "50051"
                 }
@@ -40,7 +40,7 @@
                     "server_key": "/etc/sonic/telemetry/streamingtelemetryserver.key"
                 },
                 "gnmi": {
-                    "client_auth": "true",
+                    "client_auth": "password",
                     "log_level": "2",
                     "port": "abc"
                 }
@@ -56,7 +56,7 @@
                     "server_key": "/etc/sonic/telemetry/streamingtelemetryserver.key"
                 },
                 "gnmi": {
-                    "client_auth": "true",
+                    "client_auth": "cert,password,jwt",
                     "log_level": "2",
                     "port": "50051"
                 }

@@ -2,7 +2,7 @@ module sonic-telemetry {
 
     yang-version 1.1;
 
-    namespace "http://github.com/sonic-net/sonic-telemetry";
+    namespace "http://github.com/Azure/sonic-telemetry";
     prefix telemetry;
 
     import ietf-inet-types {
@@ -21,6 +21,10 @@ module sonic-telemetry {
         description "First Revision";
     }
 
+    revision 2023-07-25 {
+        description "Changed client_auth to allow valid authentication methods";
+    }
+
     container sonic-telemetry {
 
         container TELEMETRY {
@@ -55,8 +59,8 @@ module sonic-telemetry {
             container gnmi {
 
                 leaf client_auth {
-                    type boolean;
-                    description "Flag for requiring client auth.";
+                    type string;
+                    description "Client Authentication mode.";
                 }
 
                 leaf log_level {