From: Redouane Kachach Date: Thu, 15 Jan 2026 11:05:42 +0000 (+0100) Subject: qa/cephadm: adding new nvmeof test cases to cover mtls auth X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=88006e76f00d4c6beef04e0dfb96ad26a3484d75;p=ceph-ci.git qa/cephadm: adding new nvmeof test cases to cover mtls auth Signed-off-by: Redouane Kachach
---
diff --git a/qa/suites/orch/cephadm/workunits/task/test_nvmeof_basic_mtls_disabled.yaml b/qa/suites/orch/cephadm/workunits/task/test_nvmeof_basic_mtls_disabled.yaml
new file mode 100644
index 00000000000..797650d283b
--- /dev/null
+++ b/qa/suites/orch/cephadm/workunits/task/test_nvmeof_basic_mtls_disabled.yaml
@@ -0,0 +1,67 @@
+overrides:
+ ceph:
+ log-ignorelist:
+ - CEPHADM_FAILED_DAEMON
+ log-only-match:
+ - CEPHADM_
+roles:
+- - host.a
+ - mon.a
+ - mgr.a
+ - osd.0
+- - host.b
+ - mon.b
+ - mgr.b
+ - osd.1
+- - host.c
+ - mon.c
+ - osd.2
+
+tasks:
+- install:
+- cephadm:
+
+# Deploy a single nvmeof gateway (simple smoke test)
+- cephadm.shell:
+ host.c:
+ - |
+ set -ex
+
+ # 1) Create an RBD pool for nvmeof config/state
+ ceph osd pool create foo 64 64 replicated
+ ceph osd pool application enable foo rbd
+
+ # 2) Create a minimal nvmeof spec (no TLS/auth yet)
+ cat << 'EOT' > /tmp/nvmeof.spec
+ service_type: nvmeof
+ service_id: foo
+ placement:
+ hosts:
+ - host.c
+ spec:
+ pool: foo
+ group: nvmeof-test
+ # keep it minimal: enable_auth=false, ssl=false by default
+ port: 5500
+ transports: tcp
+ EOT
+
+ # 3) Apply spec
+ ceph orch apply -i /tmp/nvmeof.spec
+
+- cephadm.wait_for_service:
+ service: nvmeof.foo
+
+# Basic CLI verification (exercise nvmeof CLI + confirm daemons exist)
+- cephadm.shell:
+ host.a:
+ - |
+ set -ex
+
+ echo "=== nvmeof daemons ==="
+ ceph orch ps --daemon-type nvmeof -f json-pretty
+
+ echo "=== nvmeof gateway info (group) ==="
+ ceph nvmeof gateway info nvmeof-test
+
+ echo "=== done ==="
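Review bot: The check on host.a only prints `ceph orch ps` and `ceph nvmeof gateway info nvmeof-test` and asserts nothing about the gateway's TLS/auth state, so this case would presumably pass the same way whether or not the gateway came up with mTLS off. The spec also depends on defaults, per its own comment `enable_auth=false, ssl=false by default`; writing `ssl: false` and `enable_auth: false` explicitly (the keys the two mtls_enabled specs in this commit use) would keep the test pinned to the disabled path if a default changes. The same gap is in the verification steps of test_nvmeof_mtls_enabled_cephadm_signed_certs.yaml and test_nvmeof_mtls_enabled_inline_certs.yaml: neither shows that a connection without a valid client certificate is refused, which is the assertion an mTLS test needs.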
diff --git a/qa/suites/orch/cephadm/workunits/task/test_nvmeof_mtls_enabled_cephadm_signed_certs.yaml b/qa/suites/orch/cephadm/workunits/task/test_nvmeof_mtls_enabled_cephadm_signed_certs.yaml
new file mode 100644
index 00000000000..c3da96a3c06
--- /dev/null
+++ b/qa/suites/orch/cephadm/workunits/task/test_nvmeof_mtls_enabled_cephadm_signed_certs.yaml
@@ -0,0 +1,70 @@
+overrides:
+ ceph:
+ log-ignorelist:
+ - CEPHADM_FAILED_DAEMON
+ log-only-match:
+ - CEPHADM_
+roles:
+- - host.a
+ - mon.a
+ - mgr.a
+ - osd.0
+- - host.b
+ - mon.b
+ - mgr.b
+ - osd.1
+- - host.c
+ - mon.c
+ - osd.2
+
+tasks:
+- install:
+- cephadm:
+
+# Deploy nvmeof using cephadm-signed certs (ssl=true + enable_auth=true, no inline certs)
+- cephadm.shell:
+ host.c:
+ - |
+ set -ex
+
+ # 1) Create pool used by nvmeof
+ ceph osd pool create nvmeof 64 64 replicated
+ ceph osd pool application enable nvmeof rbd
+
+ # 2) Apply minimal nvmeof spec that relies on cephadm-signed certificates
+ # (supported case: ssl:true + enable_auth:true without inline cert material)
+ cat << 'EOF' > /tmp/nvmeof.yaml
+ service_type: nvmeof
+ service_id: nvmeof.group1
+ placement:
+ hosts:
+ - host.c
+ spec:
+ group: group1
+ pool: nvmeof
+ ssl: true
+ enable_auth: true
+ EOF
+
+ ceph orch apply -i /tmp/nvmeof.yaml
+
+- cephadm.wait_for_service:
+ service: nvmeof.nvmeof.group1
+
+# Basic verification of the CLI path + daemon presence
+- cephadm.shell:
+ host.a:
+ - |
+ set -ex
+
+ echo "=== nvmeof daemons ==="
+ ceph orch ps --daemon-type nvmeof -f json-pretty
+
+ echo "=== nvmeof gateway info (group) ==="
+ ceph nvmeof gateway info group1
+
+ # Show the applied spec back
+ echo "=== orch ls (nvmeof) ==="
+ ceph orch ls --service_type nvmeof -f json-pretty
+
+ echo "=== done ==="
diff --git a/qa/suites/orch/cephadm/workunits/task/test_nvmeof_mtls_enabled_inline_certs.yaml b/qa/suites/orch/cephadm/workunits/task/test_nvmeof_mtls_enabled_inline_certs.yaml
new file mode 100644
index 00000000000..48f8db20303
--- /dev/null
+++ b/qa/suites/orch/cephadm/workunits/task/test_nvmeof_mtls_enabled_inline_certs.yaml 
@@ -0,0 +1,142 @@
+overrides:
+ ceph:
+ log-ignorelist:
+ - CEPHADM_FAILED_DAEMON
+ log-only-match:
+ - CEPHADM_
+roles:
+- - host.a
+ - mon.a
+ - mgr.a
+ - osd.0
+- - host.b
+ - mon.b
+ - mgr.b
+ - osd.1
+- - host.c
+ - mon.c
+ - osd.2
+
+tasks:
+- install:
+- cephadm:
+
+# Deploy nvmeof using INLINE embedded certs (server/client + root CA)
+- cephadm.shell:
+ host.c:
+ - |
+ set -ex
+
+ DEPLOY_HOST=${HOSTNAME}
+
+ # 1) Create pool used by nvmeof
+ ceph osd pool create nvmeof 64 64 replicated
+ ceph osd pool application enable nvmeof rbd
+
+ # 2) Generate a minimal CA + server/client certs (inline cert source)
+ mkdir -p /tmp/nvmeof-inline-certs
+ cd /tmp/nvmeof-inline-certs
+
+ # Get the IP address clients will use: ask Ceph for DEPLOY_HOST addr
+ SERVER_IP="$(ceph orch host ls -f json | jq -r --arg H "$DEPLOY_HOST" '.[] | select(.hostname==$H) | .addr')"
+ if [ -z "$SERVER_IP" ] || [ "$SERVER_IP" = "null" ]; then
+ echo "ERROR: Could not resolve addr for $DEPLOY_HOST from 'ceph orch host ls'."
+ ceph orch host ls -f json-pretty || true
+ exit 1
+ fi
+ echo "Using SERVER_IP=$SERVER_IP for certificate SAN (host=$DEPLOY_HOST)"
+
+ # Root CA
+ openssl req -x509 -newkey rsa:4096 -nodes \
+ -keyout ca.key -out ca.crt -days 30 -sha256 \
+ -subj "/CN=nvmeof-test-root-ca"
+
+ # Server key + CSR
+ # CN is not used for modern verification; SANs are what matters.
+ openssl req -newkey rsa:4096 -nodes \ + -keyout server.key -out server.csr \ + -subj "/CN=${DEPLOY_HOST}" + + # Server cert with SANs (host name + IP used by clients) + cat > server.ext < client.ext < /tmp/nvmeof-inline.yaml +service_type: nvmeof +service_id: nvmeof2.group +placement: + hosts: + - ${HOSTNAME} +spec: + group: group + pool: nvmeof + ssl: true + enable_auth: true + certificate_source: inline +EOT + + echo " server_key: |" >> /tmp/nvmeof-inline.yaml + while read -r LINE; do echo "$LINE" | sed -e "s/^/ /"; done < server.key >> /tmp/nvmeof-inline.yaml + echo " server_cert: |" >> /tmp/nvmeof-inline.yaml + while read -r LINE; do echo "$LINE" | sed -e "s/^/ /"; done < server.crt >> /tmp/nvmeof-inline.yaml + + echo " client_key: |" >> /tmp/nvmeof-inline.yaml + while read -r LINE; do echo "$LINE" | sed -e "s/^/ /"; done < client.key >> /tmp/nvmeof-inline.yaml + echo " client_cert: |" >> /tmp/nvmeof-inline.yaml + while read -r LINE; do echo "$LINE" | sed -e "s/^/ /"; done < client.crt >> /tmp/nvmeof-inline.yaml + + echo " root_ca_cert: |" >> /tmp/nvmeof-inline.yaml + while read -r LINE; do echo "$LINE" | sed -e "s/^/ /"; done < ca.crt >> /tmp/nvmeof-inline.yaml + + # 4) Apply spec + ceph orch apply -i /tmp/nvmeof-inline.yaml + +- cephadm.wait_for_service: + service: nvmeof.nvmeof2.group + +# Basic verification of the CLI path + daemon presence +- cephadm.shell: + host.a: + - | + set -ex + + echo "=== nvmeof daemons ===" + ceph orch ps --daemon-type nvmeof -f json-pretty + + echo "=== test CLI: get nvmeof gateway info (group) ===" + ceph nvmeof gateway info group + + echo "=== orch ls (nvmeof) ===" + ceph orch ls --service_type nvmeof -f json-pretty + + echo "=== done ==="
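Review bot: Under `set -ex`, the `while read -r LINE; do echo "$LINE" | sed ...` loops over `server.key` and `client.key` write every line of both private keys into the xtrace output, and so into the job log. A single sed per file, e.g. `sed -e "s/^/<indent>/" server.key >> /tmp/nvmeof-inline.yaml` with the same indent string, traces only the command and also drops the per-line fork; alternatively wrap the block in `set +x` / `set -x`. The keys and the spec holding them are also written under fixed paths in /tmp (`/tmp/nvmeof-inline-certs`, `/tmp/nvmeof-inline.yaml`) with the default umask; `umask 077` plus `mktemp -d` would be the pattern to copy into other tests. The spec heredoc uses `${HOSTNAME}` where the rest of the script uses `$DEPLOY_HOST`. Parts of this hunk (the server.ext/client.ext bodies and the signing commands) are not legible on this page, so the SAN and key-usage settings are not reviewed here.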