[202503][Cherrypick PR] Address fixes to make sure t2 topology deploy works both with and without macsec_enabled (#17530) (#361)

manual cherry-pick of PR -
sonic-net/sonic-mgmt#17530

Author: tjchadaga

ansible/config_sonic_basedon_testbed.yml

@@ -613,6 +613,26 @@
           hwsku: "{{ hwsku }}"
         become: true
 
+      - name: Copy macsec profile json to dut
+        copy: src=../tests/common/macsec/profile.json
+              dest=/tmp/profile.json
+        become: true
+        when: "('t2' in topo) and (enable_macsec is defined)"
+
+      - name: Copy golden_config_db_t2 template to DUT
+        copy: src=templates/golden_config_db_t2.j2
+              dest=/tmp/golden_config_db_t2.j2
+        become: true
+        when: "('t2' in topo) and (enable_macsec is defined)"
+
+      - name: Generate golden_config_db.json for t2
+        generate_golden_config_db:
+          topo_name: "{{ topo }}"
+          macsec_profile: "{{ macsec_profile }}"
+          num_asics: "{{ num_asics }}"
+        become: true
+        when: "('t2' in topo) and (enable_macsec is defined)"
+
       - name: Use minigraph case
         block:
         - name: execute cli "config load_minigraph --override_config -y" to apply new minigraph

ansible/library/generate_golden_config_db.py

@@ -274,6 +274,10 @@ def generate(self):
             module_msg = module_msg + " for smartswitch"
         elif self.topo_name in ["ft2-64"]:
             config = self.generate_ft2_golden_config_db()
+        elif "t2" in self.topo_name and self.macsec_profile:
+            config = self.generate_t2_golden_config_db()
+            self.module.run_command("sudo rm -f {}".format(MACSEC_PROFILE_PATH))
+            self.module.run_command("sudo rm -f {}".format(GOLDEN_CONFIG_TEMPLATE_PATH))
         elif self.hwsku and is_full_lossy_hwsku(self.hwsku):
             module_msg = module_msg + " for full lossy hwsku"
             config = self.generate_full_lossy_golden_config_db()

ansible/library/get_macsec_profile.py

@@ -0,0 +1,53 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+import json
+from ansible.module_utils.basic import AnsibleModule
+
+
+def convert_to_eos(cipher_name):
+    # Set the cipher suite as 256 xpn by default
+    eos_cipher_name = 'aes256-gcm-xpn'
+
+    if cipher_name == 'GCM-AES-XPN-256':
+        eos_cipher_name = 'aes256-gcm-xpn'
+    elif cipher_name == 'GCM-AES-128':
+        eos_cipher_name = 'aes128-gcm'
+    elif cipher_name == 'GCM-AES-256':
+        eos_cipher_name = 'aes256-gcm'
+    elif cipher_name == 'GCM-AES-XPN-128':
+        eos_cipher_name = 'aes128-gcm-xpn'
+
+    return eos_cipher_name
+
+
+# This API support EoS based templates now
+def get_macsec_profile(module, macsec_profile, vm_type):
+    with open('/tmp/profile.json') as f:
+        macsec_profiles = json.load(f)
+
+        profile = macsec_profiles.get(macsec_profile)
+        if profile:
+            profile['macsec_profile'] = macsec_profile
+
+            # Currently handling ceos, add more cases for vsonic etc
+            if vm_type == 'ceos':
+                # Get the cipher suite in eos terminology
+                eos_cipher_suite_name = convert_to_eos(profile['cipher_suite'])
+                profile['cipher_suite'] = eos_cipher_suite_name
+
+    return profile
+
+
+def main():
+    module = AnsibleModule(argument_spec=dict(
+                           macsec_profile=dict(required=True, type='str'),
+                           vm_type=dict(required=True, type='str')))
+
+    macsec_profile = module.params['macsec_profile']
+    vm_type = module.params['vm_type']
+    module.exit_json(profile=get_macsec_profile(module, macsec_profile, vm_type), changed=False)
+
+
+if __name__ == "__main__":
+    main()

ansible/roles/eos/tasks/ceos_config.yml

@@ -32,6 +32,28 @@
     state: directory
   delegate_to: "{{ VM_host[0] }}"
 
+- name: Copy macsec profile json to dut
+  copy: src=../../../../tests/common/macsec/profile.json
+        dest=/tmp/profile.json
+  become: true
+  when: "'t2' == base_topo and enable_macsec is defined"
+  delegate_to: "{{ VM_host[0] }}"
+
+- name: Get the macsec profile data from profile_name
+  get_macsec_profile:
+    macsec_profile: "{{ macsec_profile }}"
+    vm_type: "{{ vm_type }}"
+  register: profile_raw
+  become: true
+  when: "'t2' == base_topo and enable_macsec is defined"
+  delegate_to: "{{ VM_host[0] }}"
+
+- name: Flatten profile data into a flat structure
+  set_fact:
+    profile: "{{ profile_raw.profile }}"
+  when: "'t2' == base_topo and enable_macsec is defined"
+  delegate_to: "{{ VM_host[0] }}"
+
 - name: update startup-config
   become: yes
   template: src="{{ base_topo }}-{{ props.swrole }}.j2"

ansible/templates/minigraph_link_meta.j2

@@ -39,7 +39,7 @@
       </a:LinkMetadata>
 {% endfor %}
 {% endif %}
-{% if macsec_card is defined and macsec_card == True and 't2' in topo %}
+{% if macsec_card is defined and enable_macsec is defined and macsec_card == True and 't2' in topo %}
 {% for index in range(vms_number) %}
 {% set vm_intfs=vm_topo_config['vm'][vms[index]]['intfs'][dut_index|int]|sort %}
 {% set dut_intfs=vm_topo_config['vm'][vms[index]]['interface_indexes'][dut_index|int]|sort %}

ansible/templates/minigraph_meta.j2

@@ -233,7 +233,7 @@
             <a:Value>{{ switch_type }}</a:Value>
          </a:DeviceProperty>
 {% endif %}
-{% if macsec_card is defined and macsec_card == True and 't2' in topo %}
+{% if macsec_card is defined and enable_macsec is defined and macsec_card == True and 't2' in topo %}
     <a:DeviceProperty>
       <a:Name>MacSecProfile</a:Name>
       <a:Value>PrimaryKey="MACSEC_PROFILE" FallbackKey="macsec-profile2" MacsecPolicy=""</a:Value>