Adding AAA TACACS Support

.gitignore

@@ -32,3 +32,4 @@ charts/**/*.tgz
 *.swp
 *.swo
 *~
+config/samples/test-aaa-qa.yaml

PROJECT

@@ -289,4 +289,20 @@ resources:
   kind: DHCPRelay
   path: github.com/ironcore-dev/network-operator/api/core/v1alpha1
   version: v1alpha1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: networking.metal.ironcore.dev
+  kind: AAA
+  path: github.com/ironcore-dev/network-operator/api/core/v1alpha1
+  version: v1alpha1
+- api:
+    crdVersion: v1
+    namespaced: true
+  domain: cisco.networking.metal.ironcore.dev
+  group: nx
+  kind: AAAConfig
+  path: github.com/ironcore-dev/network-operator/api/cisco/nx/v1alpha1
+  version: v1alpha1
 version: "3"

Tiltfile

@@ -139,6 +139,12 @@ k8s_resource(new_name='lldp', objects=['leaf1-lldp:lldp'], trigger_mode=TRIGGER_
 k8s_yaml('./config/samples/v1alpha1_dhcprelay.yaml')
 k8s_resource(new_name='dhcprelay', objects=['dhcprelay:dhcprelay'], resource_deps=['eth1-1'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
 
+k8s_yaml('./config/samples/v1alpha1_aaa.yaml')
+k8s_resource(new_name='aaa', objects=['aaa-tacacs:aaa'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+# Uncomment the following lines for NX-OS specific AAA config
+# k8s_yaml('./config/samples/cisco/nx/v1alpha1_aaaconfig.yaml')
+# k8s_resource(new_name='aaaconfig', objects=['aaa-tacacs-nxos:aaaconfig'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+
 print('🚀 network-operator development environment')
 print('👉 Edit the code inside the api/, cmd/, or internal/ directories')
 print('👉 Tilt will automatically rebuild and redeploy when changes are detected')

api/cisco/nx/v1alpha1/aaaconfig_types.go

@@ -0,0 +1,101 @@
+// SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and IronCore contributors
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/ironcore-dev/network-operator/api/core/v1alpha1"
+)
+
+// +kubebuilder:rbac:groups=nx.cisco.networking.metal.ironcore.dev,resources=aaaconfigs,verbs=get;list;watch
+
+// AAAConfigSpec defines the desired state of AAAConfig
+type AAAConfigSpec struct {
+	// LoginErrorEnable enables login error messages.
+	// +optional
+	LoginErrorEnable bool `json:"loginErrorEnable,omitempty"`
+
+	// KeyEncryption specifies the default encryption type for TACACS+ keys.
+	// +kubebuilder:default=Type7
+	KeyEncryption TACACSKeyEncryption `json:"keyEncryption,omitempty"`
+
+	// RADIUSKeyEncryption specifies the default encryption type for RADIUS server keys.
+	// +kubebuilder:default=Type7
+	RADIUSKeyEncryption RADIUSKeyEncryption `json:"radiusKeyEncryption,omitempty"`
+
+	// ConsoleAuthentication defines console-specific authentication methods.
+	// +optional
+	ConsoleAuthentication *AAAMethodList `json:"consoleAuthentication,omitempty"`
+
+	// ConfigCommandsAuthorization defines config-commands authorization methods.
+	// +optional
+	ConfigCommandsAuthorization *AAAMethodList `json:"configCommandsAuthorization,omitempty"`
+}
+
+// TACACSKeyEncryption defines the encryption type for TACACS+ server keys.
+// +kubebuilder:validation:Enum=Type6;Type7;Clear
+type TACACSKeyEncryption string
+
+const (
+	// TACACSKeyEncryptionType6 uses AES encryption (more secure).
+	TACACSKeyEncryptionType6 TACACSKeyEncryption = "Type6"
+	// TACACSKeyEncryptionType7 uses Cisco Type 7 encryption (reversible).
+	TACACSKeyEncryptionType7 TACACSKeyEncryption = "Type7"
+	// TACACSKeyEncryptionClear sends the key in cleartext.
+	TACACSKeyEncryptionClear TACACSKeyEncryption = "Clear"
+)
+
+// RADIUSKeyEncryption defines the encryption type for RADIUS server keys.
+// +kubebuilder:validation:Enum=Type6;Type7;Clear
+type RADIUSKeyEncryption string
+
+const (
+	// RADIUSKeyEncryptionType6 uses AES encryption (more secure).
+	RADIUSKeyEncryptionType6 RADIUSKeyEncryption = "Type6"
+	// RADIUSKeyEncryptionType7 uses Cisco Type 7 encryption (reversible).
+	RADIUSKeyEncryptionType7 RADIUSKeyEncryption = "Type7"
+	// RADIUSKeyEncryptionClear sends the key in cleartext.
+	RADIUSKeyEncryptionClear RADIUSKeyEncryption = "Clear"
+)
+
+// AAAMethodList defines an ordered list of AAA methods.
+type AAAMethodList struct {
+	// Methods is the ordered list of methods.
+	// +required
+	// +listType=atomic
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=4
+	Methods []v1alpha1.AAAMethod `json:"methods"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=aaaconfigs
+// +kubebuilder:resource:singular=aaaconfig
+// +kubebuilder:resource:shortName=nxaaa
+
+// AAAConfig is the Schema for the aaaconfigs API
+type AAAConfig struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Specification of the desired state of the resource.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +required
+	Spec AAAConfigSpec `json:"spec"`
+}
+
+// +kubebuilder:object:root=true
+
+// AAAConfigList contains a list of AAAConfig
+type AAAConfigList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []AAAConfig `json:"items"`
+}
+
+func init() {
+	v1alpha1.RegisterAAADependency(GroupVersion.WithKind("AAAConfig"))
+	SchemeBuilder.Register(&AAAConfig{}, &AAAConfigList{})
+}