SONiC Certificates Deployment Automation


Introduction

Deploying certificates, especially in complex network environments like those running SONiC NOS, can be a daunting task. Manually handling certificate generation, distribution, and renewal across multiple devices is not only tedious and time-consuming but also highly susceptible to human error. Furthermore, manual processes simply do not scale effectively as your network grows. This is where automation becomes indispensable. By leveraging tools like Ansible, the entire certificate deployment lifecycle can be streamlined, ensuring consistency, reducing errors, and enabling efficient management of your network’s security infrastructure at scale.

Ansible

Ansible is used in the lab for small automation tasks; this section explores automating certificate deployment with it.

All Ansible-related files are kept in an ansible folder:

mkdir ansible
cd ansible

The inventory file is inventories/hosts.yaml:

mkdir inventories
touch inventories/hosts.yaml

Here you can find the hosts.yaml example used for the lab: hosts.yaml

The playbook file is playbooks/tls_deployment.yaml:

mkdir playbooks
touch playbooks/tls_deployment.yaml

TLS certificates deployment

We assume the lab network is trusted, so private keys can be transferred to the devices over it. With this playbook, all keys and certificates for the nodes are generated on the Ansible host (localhost) and then copied to the SONiC devices:

The tls_deployment.yaml Ansible playbook runs the following tasks:

  • Generates the Root CA
  • Generates a private key and CSR for each SONiC host
  • Signs each CSR with the Root CA
  • Copies the certificates to the SONiC nodes
  • Restarts the gnmi container

Here you can find tls_deployment.yaml playbook used for the lab: tls_deployment.yaml

Deploying Certificates

ansible-playbook -i inventories/hosts.yaml playbooks/tls_deployment.yaml

Example output; in this run the deployment is limited to the c8 host only:

ansible-playbook -i inventories/hosts.yaml playbooks/tls_deployment.yaml

PLAY [TLS setup on local host] **************************************************************************

TASK [Gathering Facts] **********************************************************************************
ok: [localhost]

TASK [Create a folder for certificates on the local host] ***********************************************
changed: [localhost]

TASK [Generate a private key for the CA] ****************************************************************
changed: [localhost]

TASK [Generate Root CA CSR] *****************************************************************************
changed: [localhost]

TASK [Generate Root CA certificate] *********************************************************************
changed: [localhost]

PLAY [Generate private key and CSR for each node on the local host] *************************************

TASK [Gathering Facts] **********************************************************************************
ok: [c8]

TASK [Ensure the certificate directory exists] **********************************************************
ok: [c8 -> localhost]

TASK [Generate private key on localhost] ****************************************************************
changed: [c8 -> localhost]

TASK [Generate CSR on localhost] ************************************************************************
changed: [c8 -> localhost]

TASK [Sign CSR with RootCA] *****************************************************************************
changed: [c8 -> localhost]

TASK [Create a telemetry folder] ************************************************************************
changed: [c8]

TASK [Copy RootCA.crt to the target node] ***************************************************************
changed: [c8]

TASK [Copy keys to the target node] *********************************************************************
changed: [c8]

TASK [crt to the target node] ***************************************************************************
changed: [c8]

TASK [Restart Docker gnmi container] ********************************************************************
changed: [c8]

PLAY RECAP **********************************************************************************************
c8                         : ok=10   changed=8    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
localhost                  : ok=5    changed=4    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Test gNMI

With the certificates in place, test gNMI by querying the device's capabilities with gnmic over TLS:

root@8ktme:/home/cisco/ansible# gnmic -a 1.18.1.8:50051 \
    --tls-ca "./certs/RootCA.crt" \
    --tls-cert "./certs/c8.sonic.cisco.com.crt" \
    --tls-key "./certs/c8.sonic.cisco.com.key" \
    -u cisco -p cisco123 \
    capabilities
    
gNMI version: 0.7.0
supported models:
  - openconfig-acl, OpenConfig working group, 1.0.2
  - openconfig-mclag, OpenConfig working group,
  - openconfig-acl, OpenConfig working group,
  - openconfig-sampling-sflow, OpenConfig working group,
  - openconfig-interfaces, OpenConfig working group,
  - openconfig-lldp, OpenConfig working group, 1.0.2
  - openconfig-platform, OpenConfig working group, 1.0.2
  - openconfig-system, OpenConfig working group, 1.0.2
  - ietf-yang-library, IETF NETCONF (Network Configuration) Working Group, 2016-06-21
  - sonic-db, SONiC, 0.1.0
supported encodings:
  - JSON
  - JSON_IETF
  - PROTO
