Storing Secrets and Information for NAPALM usage

[jameskirsop]

Environment

• Python version: 3.7
• NetBox version: 2.8.5

Proposed Functionality

NB. This is an extension of the work that was proposed (and completed) in #2113 and is written in response to #4975.

When a request is made to NAPALM, if there are secrets with the following names attached to the device being queried, they are inserted into the parameters sent (as per #2113) so that additional information can be supplied to the request:

• X-NAPALM-Username
• X-NAPALM-Password
• X-NAPALM-ssh_config_file

Indeed, it could be useful if all of the Napalm optional arguments could be passed in the headers, but that is outside the scope of this Feature Request.

In code, this functionality would work similarly to the way the header injection works for direct API requests.

I'd suggest that the following order of precedence is implemented for the API (lowest to highest):

1. Netbox wide NAPALM configuration settings
2. NAPALM settings pulled from per-device secrets
3. NAPALM settings sent as header information to the API on a per-request basis

This would mean that the existing functionality would continue to work, while allowing the functionality described above.

Use Case

As an MSP, we use Netbox to manage information of not just our own internal network, but our customer's also. Many of these customers have a host which we can SSH to, to access their internal networks (as an illustration, we have Zabbix proxies running on these hosts to collect monitoring data for each customer and send it back). Similarly, many of these customer networks are not directly accessible from the host running Netbox, but are accessible from that host via using SSH to proxy requests and commands.

Allowing support for the insertion of X-NAPALM- headers into the requests sent via the Netbox UI to the REST API (and then to NAPALM) would allow us to get information of our customer's devices shown under the Status and LLDP Neighbour tabs, which does not currently work. Having this information (particularly the LLDP Neighbour details) would greatly help us keep our network configuration and documentation accurate.

I've already confirmed that specifying a username, password and SSH file is all we need to achieve this (we can deploy SSH keys for secure and password-less access via a configuration management tool) so that NAPALM can connect. I've been able to use NAPALM at the Python CLI to connect from our 'central' host directly to a customer device through an SSH proxy using the following:

driver = napalm.get_network_driver("junos")
device = driver(
    hostname="10.1.0.34",
    username="MyUserName",
    password="MyGreatAndSecurePassword",
    optional_args={
        "ssh_config_file": './test_sshconfig',
    },
)

Database Changes

I don't believe there would be a requirement for any database changes.

External Dependencies

Also unaware that there's additional libraries needed.

[jameskirsop]

I've forked and created a branch that addresses this feature request for review. It's a pretty minor change in context of the amount of code written. Would appreciate feedback from maintainers before creating a PR.

One hesitation I have is many of the optional_args probably don't need to be stored as Secrets, however for the sake of keeping the x-napalm- headers in the one location it makes sense to store them all as secrets against a device.

[jeremystretch]

Blocked by #4346. Will revisit this once the secrets framework as a whole has been re-evaluated.