From: Gil Bregman <gbregman@il.ibm.com>
Date: Thu, 2 Jan 2025 21:08:00 +0000 (+0200)
Subject: mgr/cephadm/nvmeof: Add key verification field to NVMeOF configuration
X-Git-Tag: v20.0.0~462^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=refs%2Fpull%2F61217%2Fhead;p=ceph.git

mgr/cephadm/nvmeof: Add key verification field to NVMeOF configuration
Fixes https://tracker.ceph.com/issues/69413

Signed-off-by: Gil Bregman <gbregman@il.ibm.com>
---

diff --git a/src/pybind/mgr/cephadm/templates/services/nvmeof/ceph-nvmeof.conf.j2 b/src/pybind/mgr/cephadm/templates/services/nvmeof/ceph-nvmeof.conf.j2
index 0b84ee1bfab8..37f2db527329 100644
--- a/src/pybind/mgr/cephadm/templates/services/nvmeof/ceph-nvmeof.conf.j2
+++ b/src/pybind/mgr/cephadm/templates/services/nvmeof/ceph-nvmeof.conf.j2
@@ -18,6 +18,7 @@ prometheus_exporter_ssl = False
 prometheus_port = {{ spec.prometheus_port }}
 prometheus_stats_interval = {{ spec.prometheus_stats_interval }}
 verify_nqns = {{ spec.verify_nqns }}
+verify_keys = {{ spec.verify_keys }}
 omap_file_lock_duration = {{ spec.omap_file_lock_duration }}
 omap_file_lock_retries = {{ spec.omap_file_lock_retries }}
 omap_file_lock_retry_sleep_interval = {{ spec.omap_file_lock_retry_sleep_interval }}
diff --git a/src/pybind/mgr/cephadm/tests/test_services.py b/src/pybind/mgr/cephadm/tests/test_services.py
index 6e117921ab3b..0d89657ac8c6 100644
--- a/src/pybind/mgr/cephadm/tests/test_services.py
+++ b/src/pybind/mgr/cephadm/tests/test_services.py
@@ -408,6 +408,7 @@ prometheus_exporter_ssl = False
 prometheus_port = 10008
 prometheus_stats_interval = 10
 verify_nqns = True
+verify_keys = True
 omap_file_lock_duration = 20
 omap_file_lock_retries = 30
 omap_file_lock_retry_sleep_interval = 1.0
diff --git a/src/python-common/ceph/deployment/service_spec.py b/src/python-common/ceph/deployment/service_spec.py
index 9fdecb303464..8a2a38b86ee1 100644
--- a/src/python-common/ceph/deployment/service_spec.py
+++ b/src/python-common/ceph/deployment/service_spec.py
@@ -1351,6 +1351,7 @@ class NvmeofServiceSpec(ServiceSpec):
                  prometheus_stats_interval: Optional[int] = 10,
                  bdevs_per_cluster: Optional[int] = 32,
                  verify_nqns: Optional[bool] = True,
+                 verify_keys: Optional[bool] = True,
                  allowed_consecutive_spdk_ping_failures: Optional[int] = 1,
                  spdk_ping_interval_in_seconds: Optional[float] = 2.0,
                  ping_spdk_under_lock: Optional[bool] = False,
@@ -1450,6 +1451,8 @@ class NvmeofServiceSpec(ServiceSpec):
         self.prometheus_stats_interval = prometheus_stats_interval
         #: ``verify_nqns`` enables verification of subsystem and host NQNs for validity
         self.verify_nqns = verify_nqns
+        #: ``verify_keys`` enables verification of PSJ and DHCHAP keys in the gateway
+        self.verify_keys = verify_keys
         #: ``omap_file_lock_duration`` number of seconds before automatically unlock OMAP file lock
         self.omap_file_lock_duration = omap_file_lock_duration
         #: ``omap_file_lock_retries`` number of retries to lock OMAP file before giving up
@@ -1622,6 +1625,7 @@ class NvmeofServiceSpec(ServiceSpec):
         verify_boolean(self.enable_key_encryption, "Enable key encryption")
         verify_boolean(self.enable_prometheus_exporter, "Enable Prometheus exporter")
         verify_boolean(self.verify_nqns, "Verify NQNs")
+        verify_boolean(self.verify_keys, "Verify Keys")
         verify_boolean(self.log_files_enabled, "Log files enabled")
         verify_boolean(self.log_files_rotation_enabled, "Log files rotation enabled")
         verify_boolean(self.verbose_log_messages, "Verbose log messages")