From 23a561fe8e697ccff9feeaaddcb538f687db441f Mon Sep 17 00:00:00 2001
From: Tomer Haskalovitch <tomer.haska@ibm.com>
Date: Sat, 26 Jul 2025 23:13:24 +0300
Subject: [PATCH] mgr/dashboard: fix nvmeof mtls

Signed-off-by: Tomer Haskalovitch <tomer.haska@ibm.com>
(cherry picked from commit 4ce8b5210d698088d63da450492cdb5a45bbb78d)
---
 src/pybind/mgr/dashboard/services/nvmeof_client.py | 12 +++++-------
 src/pybind/mgr/dashboard/services/nvmeof_conf.py   | 11 +++++++++--
 2 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/src/pybind/mgr/dashboard/services/nvmeof_client.py b/src/pybind/mgr/dashboard/services/nvmeof_client.py
index fb079cfca646..eb898795598b 100644
--- a/src/pybind/mgr/dashboard/services/nvmeof_client.py
+++ b/src/pybind/mgr/dashboard/services/nvmeof_client.py
@@ -6,7 +6,7 @@ from typing import Annotated, Any, Callable, Dict, Generator, List, \
     NamedTuple, Optional, Type, get_args, get_origin
 
 from ..exceptions import DashboardException
-from .nvmeof_conf import NvmeofGatewaysConfig
+from .nvmeof_conf import NvmeofGatewaysConfig, is_mtls_enabled
 
 logger = logging.getLogger("nvmeof_client")
 
@@ -63,16 +63,14 @@ else:
                 if matched_gateway:
                     self.gateway_addr = matched_gateway.get('service_url')
                     logger.debug("Gateway address set to: %s", self.gateway_addr)
-
-            root_ca_cert = NvmeofGatewaysConfig.get_root_ca_cert(service_name)
-            if root_ca_cert:
+            enable_auth = is_mtls_enabled(service_name)
+            if enable_auth:
                 client_key = NvmeofGatewaysConfig.get_client_key(service_name)
                 client_cert = NvmeofGatewaysConfig.get_client_cert(service_name)
-
-            if root_ca_cert and client_key and client_cert:
+                server_cert = NvmeofGatewaysConfig.get_server_cert(service_name)
                 logger.info('Securely connecting to: %s', self.gateway_addr)
                 credentials = grpc.ssl_channel_credentials(
-                    root_certificates=root_ca_cert,
+                    root_certificates=server_cert,
                     private_key=client_key,
                     certificate_chain=client_cert,
                 )
diff --git a/src/pybind/mgr/dashboard/services/nvmeof_conf.py b/src/pybind/mgr/dashboard/services/nvmeof_conf.py
index 6b89c586e99f..cf82222e019d 100644
--- a/src/pybind/mgr/dashboard/services/nvmeof_conf.py
+++ b/src/pybind/mgr/dashboard/services/nvmeof_conf.py
@@ -132,8 +132,7 @@ class NvmeofGatewaysConfig(object):
     @classmethod
     def get_root_ca_cert(cls, service_name: str):
         root_ca_cert = cls.from_cert_store('nvmeof_root_ca_cert', service_name)
-        # If root_ca_cert is not set, use server_cert as root_ca_cert
-        return root_ca_cert.encode() if root_ca_cert else cls.get_server_cert(service_name)
+        return root_ca_cert.encode() if root_ca_cert else None
 
     @classmethod
     def get_server_cert(cls, service_name: str):
@@ -209,3 +208,11 @@ def _get_default_service(gateways):
         service_name = gateway_keys[0]
         return service_name, gateways[service_name][0]['service_url']
     return None
+
+
+def is_mtls_enabled(service_name: str):
+    try:
+        orch = OrchClient.instance()
+        return orch.services.get(service_name)[0].spec.enable_auth
+    except OrchestratorError:
+        return False
-- 
2.47.3