
gnmi_collector

Open mankhakb opened this issue 2 years ago • 2 comments

Hi gnmi_collector Dev and Support Team, ++ @jxx-gg @gcsl

Query: Does gnmi_collector support mTLS? If yes, how do we pass CA certs along with the server cert and key? If no, is there any future plan to support mTLS?

Requesting you to please share some references and details.

Thanks, Manish Khandelwal

mankhakb avatar Jul 11 '22 10:07 mankhakb

Can you clarify on which side of the connection you are referring? The gNMI collector acts as both a client to gNMI devices, and a server to gNMI clients. It is conceivable that a single collector could even authenticate against different devices with different mTLS credentials, including distinct CA cert pools.

The code published today does not include mTLS but the difference is a matter of replacing the defaultDialOpts with the corresponding credentials.NewClientTLS... variant on the client side or NewServerTLS... variant on the server side.

gcsl avatar Jul 11 '22 18:07 gcsl

Hi @gcsl ,

For my use case the gNMI collector acts as a client. But before the actual gNMI request is sent from the gNMI collector to the gNMI device, the device and the collector establish a secure gRPC dial-out tunnel, where the gNMI collector acts as a gRPC server for the gRPC client on the device. For that I need to pass the CA cert, server cert and server key. When running the gNMI collector, options are available to pass the cert and key, but no option is seen for passing a CA cert.

Example: gnmi/cmd/gnmi_collector$ ./gnmi_collector -port 50058 -v 1 -tunnel_request "interfaces" -config_file test.cfg -cert_file ECDSA_256_SHA_256_server.crt -key_file ECDSA_256_SHA_256_server.key

Here there is no option to pass a CA cert.

mankhakb avatar Jul 13 '22 09:07 mankhakb
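The server-side change gcsl describes, applied to the dial-out listener mankhakb needs: an added example, not code from the gnmi repository. It builds the tls.Config that a NewServerTLS-style credential would wrap (grpc.Creds(credentials.NewTLS(cfg)) is the assumed call site); the CA-file flag name and the SelfSignedPEM helper are assumptions, the latter only to produce constructed test material.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// ServerMTLSConfig builds the tls.Config for the collector's dial-out listener: it presents
// cert/key like -cert_file/-key_file, and additionally requires each device to present a cert chaining to caPEM.
func ServerMTLSConfig(caPEM, certPEM, keyPEM []byte) (*tls.Config, error) {
	cert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("ca_file (assumed flag) contains no parsable certificate")
	}
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // this setting is what makes it mTLS
		ClientCAs:    pool,                           // only devices signed by this CA may open the tunnel
		MinVersion:   tls.VersionTLS12,
	}, nil
}

// SelfSignedPEM makes a throwaway Ed25519 CA cert and key (constructed test material;
// a real deployment loads these from the operator's PKI files instead).
func SelfSignedPEM() (certPEM, keyPEM []byte, err error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{"collector.example"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), nil
}
```

A device whose certificate is not signed by the configured CA fails the TLS handshake before any gRPC tunnel or gNMI RPC is processed.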