T7432: RPKI VRF Support

yzguy · yzguy · commit 12dc26440cd9 · 2025-05-08T23:55:30.000-04:00
diff --git a/data/templates/frr/rpki.frr.j2 b/data/templates/frr/rpki.frr.j2
@@ -1,8 +1,8 @@
-!
+{% macro rpki_config(rpki) %}
 {# as FRR does not support deleting the entire rpki section we leave it in place even when it's empty #}
 rpki
-{% if cache is vyos_defined %}
-{%     for peer, peer_config in cache.items() %}
+{% if rpki.cache is vyos_defined %}
+{%     for peer, peer_config in rpki.cache.items() %}
 {#         port is mandatory and preference uses a default value #}
 {%         if peer_config.ssh.username is vyos_defined %}
  rpki cache ssh {{ peer | replace('_', '-') }} {{ peer_config.port }} {{ peer_config.ssh.username }} {{ peer_config.ssh.private_key_file }} {{ peer_config.ssh.public_key_file }}{{ ' source ' ~ peer_config.source_address if peer_config.source_address is vyos_defined }} preference {{ peer_config.preference }}
@@ -11,14 +11,23 @@ rpki
 {%         endif %}
 {%     endfor %}
 {% endif %}
-{% if expire_interval is vyos_defined %}
- rpki expire_interval {{ expire_interval }}
+{% if rpki.expire_interval is vyos_defined %}
+ rpki expire_interval {{ rpki.expire_interval }}
 {% endif %}
-{% if polling_period is vyos_defined %}
- rpki polling_period {{ polling_period }}
+{% if rpki.polling_period is vyos_defined %}
+ rpki polling_period {{ rpki.polling_period }}
 {% endif %}
-{% if retry_interval is vyos_defined %}
- rpki retry_interval {{ retry_interval }}
+{% if rpki.retry_interval is vyos_defined %}
+ rpki retry_interval {{ rpki.retry_interval }}
 {% endif %}
 exit
+{%- endmacro -%}
+!
+{% if rpki.vrf is vyos_defined %}
+vrf {{ rpki.vrf }}
+ {{ rpki_config(rpki) | indent(width=1) }}
+exit-vrf
+{% else %}
+{{ rpki_config(rpki) }}
+{% endif %}
 !
diff --git a/data/templates/frr/zebra.vrf.route-map.frr.j2 b/data/templates/frr/zebra.vrf.route-map.frr.j2
@@ -21,6 +21,28 @@ vrf {{ vrf }}
  ipv6 protocol {{ protocol_name }} route-map {{ protocol_config.route_map }}
 {%             endfor %}
 {%         endif %}
+{# as FRR does not support deleting the entire rpki section we leave it in place even when it's empty #}
+ rpki
+{%         if vrf_config.protocols.rpki is vyos_defined %}
+{%             for peer, peer_config in vrf_config.protocols.rpki.cache.items() %}
+{#                 port is mandatory and preference uses a default value #}
+{%                 if peer_config.ssh.username is vyos_defined %}
+  rpki cache ssh {{ peer | replace('_', '-') }} {{ peer_config.port }} {{ peer_config.ssh.username }} {{ peer_config.ssh.private_key_file }} {{ peer_config.ssh.public_key_file }}{{ ' source ' ~ peer_config.source_address if peer_config.source_address is vyos_defined }} preference {{ peer_config.preference }}
+{%                 else %}
+  rpki cache tcp {{ peer | replace('_', '-') }} {{ peer_config.port }}{{ ' source ' ~ peer_config.source_address if peer_config.source_address is vyos_defined }} preference {{ peer_config.preference }}
+{%                 endif %}
+{%             endfor %}
+{%         endif %}
+{%         if vrf_config.protocols.rpki.expire_interval is vyos_defined %}
+  rpki expire_interval {{ vrf_config.protocols.rpki.expire_interval }}
+{%         endif %}
+{%         if vrf_config.protocols.rpki.polling_period is vyos_defined %}
+  rpki polling_period {{ vrf_config.protocols.rpki.polling_period }}
+{%         endif %}
+{%         if vrf_config.protocols.rpki.retry_interval is vyos_defined %}
+  rpki retry_interval {{ vrf_config.protocols.rpki.retry_interval }}
+{%         endif %}
+ exit
 {%         if vrf_config.vni is vyos_defined %}
  vni {{ vrf_config.vni }}
 {%         endif %}
diff --git a/interface-definitions/include/rpki/protocol-common-config.xml.i b/interface-definitions/include/rpki/protocol-common-config.xml.i
@@ -0,0 +1,87 @@
+<!-- include start from rpki/protocol-common-config.xml.i -->
+<tagNode name="cache">
+  <properties>
+    <help>RPKI cache server address</help>
+    <valueHelp>
+      <format>ipv4</format>
+      <description>IP address of RPKI server</description>
+    </valueHelp>
+    <valueHelp>
+      <format>ipv6</format>
+      <description>IPv6 address of RPKI server</description>
+    </valueHelp>
+    <valueHelp>
+      <format>hostname</format>
+      <description>Fully qualified domain name of RPKI server</description>
+    </valueHelp>
+    <constraint>
+      <validator name="ip-address"/>
+      <validator name="fqdn"/>
+    </constraint>
+  </properties>
+  <children>
+    #include <include/port-number.xml.i>
+    <leafNode name="preference">
+      <properties>
+        <help>Preference of the cache server</help>
+        <valueHelp>
+          <format>u32:1-255</format>
+          <description>Preference of the cache server</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-255"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    #include <include/source-address-ipv4.xml.i>
+    <node name="ssh">
+      <properties>
+        <help>RPKI SSH connection settings</help>
+      </properties>
+      <children>
+        #include <include/pki/openssh-key.xml.i>
+        #include <include/generic-username.xml.i>
+      </children>
+    </node>
+  </children>
+</tagNode>
+<leafNode name="expire-interval">
+  <properties>
+    <help>Interval to wait before expiring the cache</help>
+    <valueHelp>
+      <format>u32:600-172800</format>
+      <description>Interval in seconds</description>
+    </valueHelp>
+    <constraint>
+      <validator name="numeric" argument="--range 600-172800"/>
+    </constraint>
+  </properties>
+  <defaultValue>7200</defaultValue>
+</leafNode>
+<leafNode name="polling-period">
+  <properties>
+    <help>Cache polling interval</help>
+    <valueHelp>
+      <format>u32:1-86400</format>
+      <description>Interval in seconds</description>
+    </valueHelp>
+    <constraint>
+      <validator name="numeric" argument="--range 1-86400"/>
+    </constraint>
+  </properties>
+  <defaultValue>300</defaultValue>
+</leafNode>
+<leafNode name="retry-interval">
+  <properties>
+    <help>Retry interval to connect to the cache server</help>
+    <valueHelp>
+      <format>u32:1-7200</format>
+      <description>Interval in seconds</description>
+    </valueHelp>
+    <constraint>
+      <validator name="numeric" argument="--range 1-7200"/>
+    </constraint>
+  </properties>
+  <defaultValue>600</defaultValue>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/protocols_rpki.xml.in b/interface-definitions/protocols_rpki.xml.in
@@ -8,91 +8,7 @@
           <priority>819</priority>
         </properties>
         <children>
-          <tagNode name="cache">
-            <properties>
-              <help>RPKI cache server address</help>
-              <valueHelp>
-                <format>ipv4</format>
-                <description>IP address of RPKI server</description>
-              </valueHelp>
-              <valueHelp>
-                <format>ipv6</format>
-                <description>IPv6 address of RPKI server</description>
-              </valueHelp>
-              <valueHelp>
-                <format>hostname</format>
-                <description>Fully qualified domain name of RPKI server</description>
-              </valueHelp>
-              <constraint>
-                <validator name="ip-address"/>
-                <validator name="fqdn"/>
-              </constraint>
-            </properties>
-            <children>
-              #include <include/port-number.xml.i>
-              <leafNode name="preference">
-                <properties>
-                  <help>Preference of the cache server</help>
-                  <valueHelp>
-                    <format>u32:1-255</format>
-                    <description>Preference of the cache server</description>
-                  </valueHelp>
-                  <constraint>
-                    <validator name="numeric" argument="--range 1-255"/>
-                  </constraint>
-                </properties>
-              </leafNode>
-              #include <include/source-address-ipv4.xml.i>
-              <node name="ssh">
-                <properties>
-                  <help>RPKI SSH connection settings</help>
-                </properties>
-                <children>
-                  #include <include/pki/openssh-key.xml.i>
-                  #include <include/generic-username.xml.i>
-                </children>
-              </node>
-            </children>
-          </tagNode>
-          <leafNode name="expire-interval">
-            <properties>
-              <help>Interval to wait before expiring the cache</help>
-              <valueHelp>
-                <format>u32:600-172800</format>
-                <description>Interval in seconds</description>
-              </valueHelp>
-              <constraint>
-                <validator name="numeric" argument="--range 600-172800"/>
-              </constraint>
-            </properties>
-            <defaultValue>7200</defaultValue>
-          </leafNode>
-          <leafNode name="polling-period">
-            <properties>
-              <help>Cache polling interval</help>
-              <valueHelp>
-                <format>u32:1-86400</format>
-                <description>Interval in seconds</description>
-              </valueHelp>
-              <constraint>
-                <validator name="numeric" argument="--range 1-86400"/>
-              </constraint>
-            </properties>
-            <defaultValue>300</defaultValue>
-          </leafNode>
-          <leafNode name="retry-interval">
-            <properties>
-              <help>Retry interval to connect to the cache server</help>
-              <valueHelp>
-                <format>u32:1-7200</format>
-                <description>Interval in seconds</description>
-              </valueHelp>
-              <constraint>
-                <validator name="numeric" argument="--range 1-7200"/>
-              </constraint>
-            </properties>
-            <defaultValue>600</defaultValue>
-          </leafNode>
+          #include <include/rpki/protocol-common-config.xml.i>
         </children>
       </node>
     </children>
diff --git a/interface-definitions/vrf.xml.in b/interface-definitions/vrf.xml.in
@@ -95,6 +95,15 @@
                   #include <include/ospfv3/protocol-common-config.xml.i>
                 </children>
               </node>
+              <node name="rpki" owner="${vyos_conf_scripts_dir}/protocols_rpki.py $VAR(../../@)">
+                <properties>
+                  <help>Resource Public Key Infrastructure (RPKI)</help>
+                  <priority>820</priority>
+                </properties>
+                <children>
+                  #include <include/rpki/protocol-common-config.xml.i>
+                </children>
+              </node>
               <node name="static" owner="${vyos_conf_scripts_dir}/protocols_static.py $VAR(../../@)">
                 <properties>
                   <help>Static Routing</help>
diff --git a/op-mode-definitions/include/rpki/vrf.xml.i b/op-mode-definitions/include/rpki/vrf.xml.i
@@ -0,0 +1,11 @@
+<!-- include start from rpki/vrf.xml.i -->
+<tagNode name="vrf">
+  <properties>
+    <help>Virtual Routing and Forwarding (VRF)</help>
+    <completionHelp>
+      <path>vrf name</path>
+    </completionHelp>
+  </properties>
+  <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+</tagNode>
+<!-- include end -->
diff --git a/op-mode-definitions/rpki.xml.in b/op-mode-definitions/rpki.xml.in
@@ -15,19 +15,28 @@
                </completionHelp>
              </properties>
              <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+             <children>
+             #include <include/rpki/vrf.xml.i>
+             </children>
           </tagNode>
-          <leafNode name="cache-connection">
+          <node name="cache-connection">
             <properties>
               <help>Show RPKI cache connections</help>
             </properties>
-            <command>vtysh -c "show rpki cache-connection"</command>
-          </leafNode>
-          <leafNode name="cache-server">
+            <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+             <children>
+             #include <include/rpki/vrf.xml.i>
+             </children>
+          </node>
+          <node name="cache-server">
              <properties>
                <help>Show RPKI cache servers information</help>
              </properties>
-             <command>vtysh -c "show rpki cache-server"</command>
-          </leafNode>
+             <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+             <children>
+             #include <include/rpki/vrf.xml.i>
+             </children>
+          </node>
           <tagNode name="prefix">
              <properties>
                <help>Lookup IP prefix and optionally ASN in prefix table</help>
@@ -45,27 +54,53 @@
                   </completionHelp>
                 </properties>
                 <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $(echo $@ | sed -e "s/as-number //g")</command>
+                <children>
+                  <tagNode name="vrf">
+                    <properties>
+                      <help>Virtual Routing and Forwarding (VRF)</help>
+                      <completionHelp>
+                        <path>vrf name</path>
+                      </completionHelp>
+                    </properties>
+                    <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $(echo $@ | sed -e "s/as-number //g")</command>
+                  </tagNode>
+                </children>
               </tagNode>
+              #include <include/rpki/vrf.xml.i>
              </children>
           </tagNode>
-          <leafNode name="prefix-table">
+          <node name="prefix-table">
              <properties>
                <help>Show RPKI-validated prefixes</help>
              </properties>
-             <command>vtysh -c "show rpki prefix-table"</command>
-          </leafNode>
+             <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+             <children>
+             #include <include/rpki/vrf.xml.i>
+             </children>
+          </node>
         </children>
       </node>
     </children>
   </node>
   <node name="reset">
     <children>
-      <leafNode name="rpki">
+      <node name="rpki">
         <properties>
           <help>Reset RPKI</help>
         </properties>
         <command>vtysh -c "rpki reset"</command>
-      </leafNode>
+        <children>
+          <tagNode name="vrf">
+            <properties>
+              <help>Reset RPKI in VRF</help>
+              <completionHelp>
+                <path>vrf name</path>
+              </completionHelp>
+            </properties>
+            <command>vtysh -c "rpki reset vrf $4"</command>
+          </tagNode>
+        </children>
+      </node>
     </children>
   </node>
 </interfaceDefinition>
diff --git a/python/vyos/frrender.py b/python/vyos/frrender.py
diff --git a/src/conf_mode/protocols_rpki.py b/src/conf_mode/protocols_rpki.py
