Adding AAA TACACS Support #176
base: main
Changes from all commits
a6665ee
202f24a
fa37d50
9b58290
f6ff52d
1d12326
98588a4
| Original file line number | Diff line number | Diff line change | ||
|---|---|---|---|---|
| @@ -0,0 +1,119 @@ | ||||
| // SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and IronCore contributors | ||||
| // SPDX-License-Identifier: Apache-2.0 | ||||
|
|
||||
| package v1alpha1 | ||||
|
|
||||
| import ( | ||||
| metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||||
|
|
||||
| "github.com/ironcore-dev/network-operator/api/core/v1alpha1" | ||||
| ) | ||||
|
|
||||
| // +kubebuilder:rbac:groups=nx.cisco.networking.metal.ironcore.dev,resources=aaaconfigs,verbs=get;list;watch | ||||
|
|
||||
| // AAAConfigSpec defines the desired state of AAAConfig | ||||
| type AAAConfigSpec struct { | ||||
| // LoginErrorEnable enables login error messages (NX-OS specific). | ||||
| // Maps to: aaa authentication login error-enable | ||||
|
Contributor
Please leave out cli commands from the API spec. The api is meant to convey intent and should not be understood as a cli wrapper. Additionally, cli commands can quickly get outdated with newer OS versions. Also applies to other fields in this spec. |
||||
| // +optional | ||||
| LoginErrorEnable bool `json:"loginErrorEnable,omitempty"` | ||||
|
|
||||
| // KeyEncryption specifies the default encryption type for TACACS+ keys. | ||||
| // +kubebuilder:validation:Enum=Type6;Type7;Clear | ||||
|
Contributor
Suggested change
this is defined on the type and therefore not needed here. Also applies to the KeyEncryption. |
||||
| // +kubebuilder:default=Type7 | ||||
| KeyEncryption TACACSKeyEncryption `json:"keyEncryption,omitempty"` | ||||
|
|
||||
| // RADIUSKeyEncryption specifies the default encryption type for RADIUS server keys. | ||||
| // +kubebuilder:validation:Enum=Type6;Type7;Clear | ||||
| // +kubebuilder:default=Type7 | ||||
| RADIUSKeyEncryption RADIUSKeyEncryption `json:"radiusKeyEncryption,omitempty"` | ||||
|
|
||||
| // ConsoleAuthentication defines NX-OS console-specific authentication methods. | ||||
| // Maps to: aaa authentication login console <methods> | ||||
| // +optional | ||||
| ConsoleAuthentication *NXOSMethodList `json:"consoleAuthentication,omitempty"` | ||||
|
|
||||
| // ConfigCommandsAuthorization defines NX-OS config-commands authorization methods. | ||||
| // Maps to: aaa authorization config-commands default <methods> | ||||
| // +optional | ||||
| ConfigCommandsAuthorization *NXOSMethodList `json:"configCommandsAuthorization,omitempty"` | ||||
| } | ||||
|
|
||||
| // TACACSKeyEncryption defines the encryption type for TACACS+ server keys. | ||||
| // +kubebuilder:validation:Enum=Type6;Type7;Clear | ||||
| type TACACSKeyEncryption string | ||||
|
|
||||
| const ( | ||||
| // TACACSKeyEncryptionType6 uses AES encryption (more secure). | ||||
| TACACSKeyEncryptionType6 TACACSKeyEncryption = "Type6" | ||||
| // TACACSKeyEncryptionType7 uses Cisco Type 7 encryption (reversible). | ||||
| TACACSKeyEncryptionType7 TACACSKeyEncryption = "Type7" | ||||
| // TACACSKeyEncryptionClear sends the key in cleartext. | ||||
| TACACSKeyEncryptionClear TACACSKeyEncryption = "Clear" | ||||
| ) | ||||
|
|
||||
| // RADIUSKeyEncryption defines the encryption type for RADIUS server keys. | ||||
| // +kubebuilder:validation:Enum=Type6;Type7;Clear | ||||
| type RADIUSKeyEncryption string | ||||
|
|
||||
| const ( | ||||
| // RADIUSKeyEncryptionType6 uses AES encryption (more secure). | ||||
| RADIUSKeyEncryptionType6 RADIUSKeyEncryption = "Type6" | ||||
| // RADIUSKeyEncryptionType7 uses Cisco Type 7 encryption (reversible). | ||||
| RADIUSKeyEncryptionType7 RADIUSKeyEncryption = "Type7" | ||||
| // RADIUSKeyEncryptionClear sends the key in cleartext. | ||||
| RADIUSKeyEncryptionClear RADIUSKeyEncryption = "Clear" | ||||
| ) | ||||
|
|
||||
| // NXOSMethodList defines an ordered list of AAA methods for NX-OS specific contexts. | ||||
| type NXOSMethodList struct { | ||||
| // Methods is the ordered list of methods. | ||||
| // +required | ||||
| // +listType=atomic | ||||
| // +kubebuilder:validation:MinItems=1 | ||||
| // +kubebuilder:validation:MaxItems=4 | ||||
| Methods []NXOSMethod `json:"methods"` | ||||
| } | ||||
|
|
||||
| // NXOSMethod represents a single AAA method in an NX-OS context. | ||||
| type NXOSMethod struct { | ||||
| // Type is the method type. | ||||
| // +required | ||||
| // +kubebuilder:validation:Enum=Group;Local;None | ||||
| Type string `json:"type"` | ||||
|
|
||||
| // GroupName is the server group name when Type is Group. | ||||
| // +optional | ||||
| // +kubebuilder:validation:MaxLength=63 | ||||
| GroupName string `json:"groupName,omitempty"` | ||||
| } | ||||
|
|
||||
| // +kubebuilder:object:root=true | ||||
| // +kubebuilder:resource:path=aaaconfigs | ||||
| // +kubebuilder:resource:singular=aaaconfig | ||||
| // +kubebuilder:resource:shortName=nxaaa | ||||
|
|
||||
| // AAAConfig is the Schema for the aaaconfigs API | ||||
| type AAAConfig struct { | ||||
| metav1.TypeMeta `json:",inline"` | ||||
| metav1.ObjectMeta `json:"metadata,omitempty"` | ||||
|
|
||||
| // Specification of the desired state of the resource. | ||||
| // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status | ||||
| // +required | ||||
| Spec AAAConfigSpec `json:"spec"` | ||||
| } | ||||
|
|
||||
| // +kubebuilder:object:root=true | ||||
|
|
||||
| // AAAConfigList contains a list of AAAConfig | ||||
| type AAAConfigList struct { | ||||
| metav1.TypeMeta `json:",inline"` | ||||
| metav1.ListMeta `json:"metadata,omitempty"` | ||||
| Items []AAAConfig `json:"items"` | ||||
| } | ||||
|
|
||||
| func init() { | ||||
| v1alpha1.RegisterAAADependency(GroupVersion.WithKind("AAAConfig")) | ||||
| SchemeBuilder.Register(&AAAConfig{}, &AAAConfigList{}) | ||||
| } | ||||
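Review bot: Both `KeyEncryption` and `RADIUSKeyEncryption` default to `Type7` through `+kubebuilder:default=Type7`, which this file's own constant comments describe as reversible, so a manifest that omits the field silently gets the weakest non-clear protection for the TACACS+/RADIUS shared secret. Consider `// +kubebuilder:default=Type6`, or drop the default and mark the field `// +required` so the choice is explicit; Type6 presumably depends on AES password encryption being set up on the switch, which the field doc should then state. The `...Clear` constant comments say the key is sent in cleartext, but going by the type docs this looks like the encoding of the key in device configuration rather than on the wire, so wording such as `// ...Clear supplies the key unencrypted; anyone who can read the device configuration can read it.` would be more accurate (confirm against the provider). Separately, `NXOSMethod` accepts `type: Group` without a `groupName`; a struct-level marker like `// +kubebuilder:validation:XValidation:rule="self.type != 'Group' || has(self.groupName)",message="groupName is required when type is Group"` would reject that at admission.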
NX-OS specific is clear from the api group. As such I would leave it out here and in the rest of this file.