Add GNMI client cert cname check support. (#18709) (#20792)

Add GNMI client cert cname list to yang model.

#### Why I did it
Allow gnmi service authentication client cert by cname.

### How I did it
Add GNMI client cert cname list to yang model.

#### How to verify it
Pass all UT.

### Description for the changelog
Add GNMI client cert cname list to yang model.

Author: liuh-80

dockers/docker-sonic-gnmi/gnmi-native.sh

@@ -33,6 +33,8 @@ if [ -n "$CERTS" ]; then
     if [ ! -z $CA_CRT ]; then
         TELEMETRY_ARGS+=" --ca_crt $CA_CRT"
     fi
+
+    TELEMETRY_ARGS+=" --config_table_name GNMI_CLIENT_CERT"
 elif [ -n "$X509" ]; then
     SERVER_CRT=$(echo $X509 | jq -r '.server_crt')
     SERVER_KEY=$(echo $X509 | jq -r '.server_key')

dockers/docker-sonic-telemetry/telemetry.sh

@@ -34,6 +34,9 @@ if [ -n "$CERTS" ]; then
     if [ ! -z $CA_CRT ]; then
         TELEMETRY_ARGS+=" --ca_crt $CA_CRT"
     fi
+
+    # Reuse GNMI_CLIENT_CERT for telemetry service
+    TELEMETRY_ARGS+=" --config_table_name GNMI_CLIENT_CERT"
 elif [ -n "$X509" ]; then
     SERVER_CRT=$(echo $X509 | jq -r '.server_crt')
     SERVER_KEY=$(echo $X509 | jq -r '.server_key')

src/sonic-yang-models/tests/files/sample_config_db.json

@@ -1263,6 +1263,14 @@
                 "port": "50052"
             }
         },
+        "GNMI_CLIENT_CERT": {
+            "testcert1": {
+                "role": "RW"
+            },
+            "testcert2": {
+                "role": "RO"
+            }
+        },
         "TUNNEL": {
             "MuxTunnel0": {
                 "dscp_mode": "uniform",

src/sonic-yang-models/tests/yang_model_tests/tests/gnmi.json

@@ -13,5 +13,12 @@
     },
     "GNMI_TABLE_WITH_VALID_CONFIG": {
         "desc": "TABLE WITH VALID CONFIG."
+    },
+    "GNMI_CLIENT_CERT_LIST_TABLE_WITH_MISSING_ROLE": {
+        "desc": "CLIENT_CERT_LIST_TABLE_WITH_MISSING_ROLE failure.",
+        "eStrKey": "Mandatory"
+    },
+    "GNMI_CLIENT_CERT_LIST_TABLE_WITH_VALID_CONFIG": {
+        "desc": "TABLE WITH VALID CONFIG."
     }
 }

src/sonic-yang-models/tests/yang_model_tests/tests_config/gnmi.json

@@ -62,5 +62,32 @@
                 }
             }
         }
+    },
+    "GNMI_CLIENT_CERT_LIST_TABLE_WITH_MISSING_ROLE": {
+        "sonic-gnmi:sonic-gnmi": {
+            "sonic-gnmi:GNMI_CLIENT_CERT": {
+                "GNMI_CLIENT_CERT_LIST": [
+                {
+                    "cert_cname": "testcert1"
+                }
+                ]
+            }
+        }
+    },
+    "GNMI_CLIENT_CERT_LIST_TABLE_WITH_VALID_CONFIG": {
+        "sonic-gnmi:sonic-gnmi": {
+            "sonic-gnmi:GNMI_CLIENT_CERT": {
+                "GNMI_CLIENT_CERT_LIST": [
+                {
+                    "cert_cname": "testcert1",
+                    "role": "RW"
+                },
+                {
+                    "cert_cname": "testcert2",
+                    "role": "RO"
+                }
+                ]
+            }
+        }
     }
 }

src/sonic-yang-models/yang-models/sonic-gnmi.yang

@@ -72,7 +72,28 @@ module sonic-gnmi {
                 }
 
             }
+        }
+
+        container GNMI_CLIENT_CERT {
+            description "GNMI client cert list";
 
+            list GNMI_CLIENT_CERT_LIST {
+                max-elements 8;
+                key "cert_cname";
+
+                leaf cert_cname {
+                    type string;
+                    description
+                        "client cert common name";
+                }
+
+                leaf role {
+                    type string;
+                    mandatory true;
+                    description
+                        "role of client cert common name";
+                }
+            }
         }
     }
 }