diff --git a/.gitmodules b/.gitmodules
index 9013bdb67021..fda1fb4aa955 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -105,7 +105,8 @@ url = https://github.com/sonic-net/sonic-host-services
 [submodule "src/sonic-gnmi"]
 	path = src/sonic-gnmi
-	url = https://github.com/sonic-net/sonic-gnmi.git
+	url = https://github.com/liuh-80/sonic-gnmi.git
+	branch = dev/liuh/disable-crl-cert-access
 [submodule "src/sonic-genl-packet"]
 	path = src/sonic-genl-packet
 	url = https://github.com/sonic-net/sonic-genl-packet
diff --git a/dockers/docker-sonic-gnmi/gnmi-native.sh b/dockers/docker-sonic-gnmi/gnmi-native.sh
index e9f15810a226..afd645c7164e 100755
--- a/dockers/docker-sonic-gnmi/gnmi-native.sh
+++ b/dockers/docker-sonic-gnmi/gnmi-native.sh
@@ -72,6 +72,18 @@ else
     TELEMETRY_ARGS+=" -v=2"
 fi
 
+if [ -nz "$GNMI" ]; then
+    ENABLE_CRL=$(echo $GNMI | jq -r '.enable_crl')
+    if [ $ENABLE_CRL == "true" ]; then
+        TELEMETRY_ARGS+=" --enable_crl"
+    fi
+
+    CRL_EXPIRE_DURATION=$(echo $GNMI | jq -r '.crl_expire_duration')
+    if [ -n $CRL_EXPIRE_DURATION ]; then
+        TELEMETRY_ARGS+=" --crl_expire_duration $CRL_EXPIRE_DURATION"
+    fi
+fi
+
 # Enable ZMQ for SmartSwitch
 LOCALHOST_SUBTYPE=`sonic-db-cli CONFIG_DB hget "DEVICE_METADATA|localhost" "subtype"`
 if [[ x"${LOCALHOST_SUBTYPE}" == x"SmartSwitch" ]]; then
diff --git a/dockers/docker-sonic-telemetry/telemetry.sh b/dockers/docker-sonic-telemetry/telemetry.sh
index d1c9216d4195..29ea00ea5ce0 100755
--- a/dockers/docker-sonic-telemetry/telemetry.sh
+++ b/dockers/docker-sonic-telemetry/telemetry.sh
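Review bot: The submodule now tracks a personal fork and a mutable feature branch (`url = https://github.com/liuh-80/sonic-gnmi.git`, `branch = dev/liuh/disable-crl-cert-access`), so every build of this tree fetches gNMI code from outside the sonic-net organization, from a ref that can be rewritten without any change in this repository. That is a supply-chain exposure for anyone building or packaging this branch and should not be merged as-is; the companion sonic-gnmi change should land upstream first and this hunk be restored to `url = https://github.com/sonic-net/sonic-gnmi.git` with no `branch` line, keeping only the pinned commit bump in `src/sonic-gnmi`. If the fork is needed temporarily for CI, say so in the PR description and add a tracking item to revert it before merge.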
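Review bot: `if [ -nz "$GNMI" ]; then` uses a test operator that does not exist, so the condition fails on every start and the whole block is skipped; the consequence is that `--enable_crl` is never passed and revocation checking stays off regardless of what the operator configured — a silent fail-open. The identical block in `dockers/docker-sonic-telemetry/telemetry.sh` has the same defect. The inner tests are also unquoted: `[ $ENABLE_CRL == "true" ]` errors out when the value is empty, `[ -n $CRL_EXPIRE_DURATION ]` is always true when the variable is empty, and because `jq -r` prints `null` for a missing key, a config without `crl_expire_duration` would pass `--crl_expire_duration null` to the daemon. A corrected block follows; `GNMI` is defined outside the hunk, so I am assuming it holds the JSON object of the gnmi table.
```shell
if [ -n "$GNMI" ]; then
    # '// empty' turns a missing or null key into no output, so an absent
    # setting is never forwarded as the literal string "null".
    ENABLE_CRL=$(echo "$GNMI" | jq -r '.enable_crl // empty')
    if [ "$ENABLE_CRL" = "true" ]; then
        TELEMETRY_ARGS+=" --enable_crl"
    fi

    CRL_EXPIRE_DURATION=$(echo "$GNMI" | jq -r '.crl_expire_duration // empty')
    # Only forward a non-negative integer; anything else is dropped rather
    # than spliced into the daemon's command line.
    if [ -n "$CRL_EXPIRE_DURATION" ] && [ "$CRL_EXPIRE_DURATION" -ge 0 ] 2>/dev/null; then
        TELEMETRY_ARGS+=" --crl_expire_duration $CRL_EXPIRE_DURATION"
    fi
fi
```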
@@ -74,6 +74,18 @@ else
     TELEMETRY_ARGS+=" -v=2"
 fi
 
+if [ -nz "$GNMI" ]; then
+    ENABLE_CRL=$(echo $GNMI | jq -r '.enable_crl')
+    if [ $ENABLE_CRL == "true" ]; then
+        TELEMETRY_ARGS+=" --enable_crl"
+    fi
+
+    CRL_EXPIRE_DURATION=$(echo $GNMI | jq -r '.crl_expire_duration')
+    if [ -n $CRL_EXPIRE_DURATION ]; then
+        TELEMETRY_ARGS+=" --crl_expire_duration $CRL_EXPIRE_DURATION"
+    fi
+fi
+
 # gNMI save-on-set behavior is disabled by default.
 # Save-on-set can be turned on by setting the "TELEMETRY|gnmi|save_on_set"
 # to "true".
diff --git a/src/sonic-gnmi b/src/sonic-gnmi
index 0f5c591c225b..d3e46f8a22ee 160000
--- a/src/sonic-gnmi
+++ b/src/sonic-gnmi
@@ -1 +1 @@
-Subproject commit 0f5c591c225b54b4721c76dcafddc507e3472871
+Subproject commit d3e46f8a22ee932876f8ac7993b246d8c32d67a4
diff --git a/src/sonic-yang-models/tests/files/sample_config_db.json b/src/sonic-yang-models/tests/files/sample_config_db.json
index 1ed8940f826c..a32b65bf0b80 100644
--- a/src/sonic-yang-models/tests/files/sample_config_db.json
+++ b/src/sonic-yang-models/tests/files/sample_config_db.json
@@ -1290,7 +1290,9 @@
         "gnmi": {
             "client_auth": "true",
             "log_level": "2",
-            "port": "50051"
+            "port": "50051",
+            "enable_crl": "false",
+            "crl_expire_duration": "86400"
         }
     },
     "TELEMETRY_CLIENT": {
@@ -1327,7 +1329,9 @@
         "gnmi": {
             "client_auth": "true",
             "log_level": "2",
-            "port": "50052"
+            "port": "50052",
+            "enable_crl": "false",
+            "crl_expire_duration": "86400"
         }
     },
     "GNMI_CLIENT_CERT": {
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests_config/gnmi.json b/src/sonic-yang-models/tests/yang_model_tests/tests_config/gnmi.json
index cdad6fe31f53..0c8327a8991a 100644
--- a/src/sonic-yang-models/tests/yang_model_tests/tests_config/gnmi.json
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests_config/gnmi.json
@@ -10,7 +10,9 @@
         "gnmi": {
             "client_auth": "true",
             "log_level": "2",
-            "port": "50052"
+            "port": "50052",
+            "enable_crl": "true",
+            "crl_expire_duration": "86400"
         }
     }
 }
@@ -26,7 +28,9 @@
         "gnmi": {
             "client_auth": "up",
             "log_level": "2",
-            "port": "50052"
+            "port": "50052",
+            "enable_crl": "true",
+            "crl_expire_duration": "86400"
         }
     }
 }
@@ -42,7 +46,9 @@
         "gnmi": {
             "client_auth": "true",
             "log_level": "2",
-            "port": "abc"
+            "port": "abc",
+            "enable_crl": "true",
+            "crl_expire_duration": "86400"
         }
     }
 }
@@ -59,7 +65,9 @@
             "client_auth": "true",
             "log_level": "2",
             "port": "50051",
-            "save_on_set": "wrong"
+            "save_on_set": "wrong",
+            "enable_crl": "true",
+            "crl_expire_duration": "86400"
         }
     }
 }
@@ -76,7 +84,9 @@
             "client_auth": "true",
             "log_level": "2",
             "port": "50052",
-            "save_on_set": "false"
+            "save_on_set": "false",
+            "enable_crl": "true",
+            "crl_expire_duration": "86400"
         }
     }
 }
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests_config/telemetry.json b/src/sonic-yang-models/tests/yang_model_tests/tests_config/telemetry.json
index 18e708262e74..2d3bd08f5d20 100644
--- a/src/sonic-yang-models/tests/yang_model_tests/tests_config/telemetry.json
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests_config/telemetry.json
@@ -10,7 +10,9 @@
         "gnmi": {
             "client_auth": "true",
             "log_level": "2",
-            "port": "50051"
+            "port": "50051",
+            "enable_crl": "true",
+            "crl_expire_duration": "86400"
         }
     }
 }
@@ -26,7 +28,9 @@
         "gnmi": {
             "client_auth": "up",
             "log_level": "2",
-            "port": "50051"
+            "port": "50051",
+            "enable_crl": "true",
+            "crl_expire_duration": "86400"
         }
     }
 }
@@ -42,7 +46,9 @@
         "gnmi": {
             "client_auth": "true",
             "log_level": "2",
-            "port": "abc"
+            "port": "abc",
+            "enable_crl": "true",
+            "crl_expire_duration": "86400"
         }
     }
 }
@@ -59,7 +65,9 @@
             "client_auth": "true",
             "log_level": "2",
             "port": "50051",
-            "save_on_set": "wrong"
+            "save_on_set": "wrong",
+            "enable_crl": "true",
+            "crl_expire_duration": "86400"
         }
     }
 }
@@ -76,7 +84,9 @@
             "client_auth": "true",
             "log_level": "2",
             "port": "50051",
-            "save_on_set": "false"
+            "save_on_set": "false",
+            "enable_crl": "true",
+            "crl_expire_duration": "86400"
         }
     }
 }
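Review bot: Every test case in `gnmi.json` and `telemetry.json` sets `"enable_crl": "true"` and `"crl_expire_duration": "86400"`, so the new `boolean` and `uint32` leaves are only ever exercised with valid values and their negative path is never tested. One additional case per file with a non-boolean flag (for example `"enable_crl": "maybe"`) and one with a non-numeric or out-of-range duration (for example `"crl_expire_duration": "-1"`), registered in the corresponding test list with the expected error, would pin the constraints this change is meant to enforce; the test list file is not in the diff, so I am assuming the usual entry is needed there too. It is also worth keeping one positive case without the new keys, to confirm they stay optional for existing configurations.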
diff --git a/src/sonic-yang-models/yang-models/sonic-gnmi.yang b/src/sonic-yang-models/yang-models/sonic-gnmi.yang
index f7c4fef33c53..d33ea35083dd 100644
--- a/src/sonic-yang-models/yang-models/sonic-gnmi.yang
+++ b/src/sonic-yang-models/yang-models/sonic-gnmi.yang
@@ -76,6 +76,15 @@ module sonic-gnmi {
                 description "Flag for enabling save on set.";
             }
 
+            leaf enable_crl {
+                type boolean;
+                description "Flag for enable certificate revocation list.";
+            }
+
+            leaf crl_expire_duration {
+                type uint32;
+                description "Certificate revocation list cache expire duration.";
+            }
         }
     }
 
diff --git a/src/sonic-yang-models/yang-models/sonic-telemetry.yang b/src/sonic-yang-models/yang-models/sonic-telemetry.yang
index 5cbdf2bd9330..239f23666dda 100644
--- a/src/sonic-yang-models/yang-models/sonic-telemetry.yang
+++ b/src/sonic-yang-models/yang-models/sonic-telemetry.yang
@@ -76,6 +76,15 @@ module sonic-telemetry {
                 description "Flag for enabling save on set.";
             }
 
+            leaf enable_crl {
+                type boolean;
+                description "Flag for enable certificate revocation list.";
+            }
+
+            leaf crl_expire_duration {
+                type uint32;
+                description "Certificate revocation list cache expire duration.";
+            }
         }
     }
 
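Review bot: `leaf crl_expire_duration` declares `type uint32` but no `units`, no range and no default, and its description does not say what the value is measured in; the startup scripts forward it verbatim as `--crl_expire_duration`, and the sample value `86400` suggests seconds, which should be stated rather than left for the reader to infer. I would add `units "seconds";` under the type and change the description to `description "Certificate revocation list (CRL) cache expiry duration, in seconds.";` if that matches the sonic-gnmi implementation, and consider a `range` or a `default` so that zero or an absent value has a defined meaning in the model rather than only in the daemon. The description of `leaf enable_crl` reads better as `description "Enable certificate revocation list (CRL) checking for client certificates.";`. `sonic-telemetry.yang` carries the identical hunk and needs the same edits.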