From caf61e802e1dafc2174972d1d969279673e86a14 Mon Sep 17 00:00:00 2001
From: Gil Bregman
Date: Thu, 26 Mar 2026 17:48:03 +0200
Subject: [PATCH] mgr/cephadm: Add KMIP server support for NVMeoF gateway
Fixes: https://tracker.ceph.com/issues/75739
Signed-off-by: Gil Bregman
(cherry picked from commit 744e93938357cfcb48d755a35b66e95a2f97f59b)
Signed-off-by: Gil Bregman
---
 src/cephadm/cephadmlib/daemons/nvmeof.py | 3 +++
 .../cephadm/templates/services/nvmeof/ceph-nvmeof.conf.j2 | 5 +++++
 src/pybind/mgr/cephadm/tests/test_services.py | 3 +++
 src/python-common/ceph/deployment/service_spec.py | 3 +++
 4 files changed, 14 insertions(+)
diff --git a/src/cephadm/cephadmlib/daemons/nvmeof.py b/src/cephadm/cephadmlib/daemons/nvmeof.py
index 761211087c82..e0236329b900 100644
--- a/src/cephadm/cephadmlib/daemons/nvmeof.py
+++ b/src/cephadm/cephadmlib/daemons/nvmeof.py
@@ -2,6 +2,7 @@ import logging
 import os
 from typing import Dict, List, Optional, Tuple, Union
+from pathlib import Path
 from ..container_daemon_form import ContainerDaemonForm, daemon_to_container
 from ..container_types import CephContainer
@@ -81,6 +82,8 @@ class CephNvmeof(ContainerDaemonForm):
 mounts[log_dir] = '/var/log/ceph:z'
 if mtls_dir:
 mounts[mtls_dir] = '/src/mtls:z'
+ if Path('/etc/kmip').is_dir():
+ mounts['/etc/kmip'] = '/src/certs/kmip:z'
 return mounts
 def _get_huge_pages_mounts(self, files: Dict[str, str]) -> Dict[str, str]:
diff --git a/src/pybind/mgr/cephadm/templates/services/nvmeof/ceph-nvmeof.conf.j2 b/src/pybind/mgr/cephadm/templates/services/nvmeof/ceph-nvmeof.conf.j2
index 9b7100052718..70efddddcd7f 100644
--- a/src/pybind/mgr/cephadm/templates/services/nvmeof/ceph-nvmeof.conf.j2
+++ b/src/pybind/mgr/cephadm/templates/services/nvmeof/ceph-nvmeof.conf.j2
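Review bot: The added `if Path('/etc/kmip').is_dir():` branch bind-mounts the host's `/etc/kmip` into the gateway container on any host where that directory happens to exist, independent of whether KMIP is configured for the service, and it does so read-write with `:z`. A directory holding KMIP client keys and certificates is better exposed read-only, e.g. `mounts['/etc/kmip'] = '/src/certs/kmip:ro,z'`, assuming the suffix is passed through to the container engine the way the neighbouring `:z` values appear to be. The `:z` option also relabels the host directory with a shared container label, which changes the SELinux context of a path under `/etc`; it is worth confirming that this is intended. A short comment above the branch such as `# KMIP key material: mounted only when the operator has provisioned /etc/kmip on this host` would record the contract. The enclosing method starts above this hunk.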
@@ -80,6 +80,11 @@ server_cert = /server.cert
 client_cert = /client.cert
 root_ca_cert = /root.ca.cert
+{% if spec.kmip_cert_dir %}
+[kmip]
+cert_dir = {{ spec.kmip_cert_dir }}
+{% endif %}
+
 [spdk]
 tgt_path = {{ spec.tgt_path }}
 rpc_socket_dir = {{ spec.rpc_socket_dir }}
diff --git a/src/pybind/mgr/cephadm/tests/test_services.py b/src/pybind/mgr/cephadm/tests/test_services.py
index 7e3b1f2a3837..befbd404f099 100644
--- a/src/pybind/mgr/cephadm/tests/test_services.py
+++ b/src/pybind/mgr/cephadm/tests/test_services.py
@@ -429,6 +429,9 @@ server_cert = /server.cert
 client_cert = /client.cert
 root_ca_cert = /root.ca.cert
+[kmip]
+cert_dir = ./certs/kmip/{{server_name}}
+
 [spdk]
 tgt_path = /usr/local/bin/nvmf_tgt
 rpc_socket_dir = /var/tmp/
diff --git a/src/python-common/ceph/deployment/service_spec.py b/src/python-common/ceph/deployment/service_spec.py
index 98dc90054337..c4b6c9289f08 100644
--- a/src/python-common/ceph/deployment/service_spec.py
+++ b/src/python-common/ceph/deployment/service_spec.py
@@ -1465,6 +1465,7 @@ class NvmeofServiceSpec(ServiceSpec):
 monitor_timeout: Optional[float] = 1.0,
 enable_monitor_client: bool = True,
 monitor_client_log_file_dir: Optional[str] = '',
+ kmip_cert_dir: Optional[str] = './certs/kmip/{server_name}',
 placement: Optional[PlacementSpec] = None,
 unmanaged: bool = False,
 preview_only: bool = False,
@@ -1668,6 +1669,8 @@ class NvmeofServiceSpec(ServiceSpec):
 self.enable_monitor_client = enable_monitor_client
 #: ``monitor_client_log_file_dir`` the monitor client log output file file directory
 self.monitor_client_log_file_dir = monitor_client_log_file_dir
+ #: ``kmip_cert_dir`` directory for KMIP servers keys and certificates
+ self.kmip_cert_dir = kmip_cert_dir
 def get_port_start(self) -> List[int]:
 return [self.port, 4420, self.discovery_port, self.prometheus_port]
--
2.47.3
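Review bot: `cert_dir = {{ spec.kmip_cert_dir }}` writes the spec value into the INI file verbatim, so a value containing a line break would add extra keys or sections to the rendered gateway config. The spec is operator-supplied, so exposure is limited, but rejecting control characters when the spec is validated would keep the `[kmip]` section well-formed. Separately, the relative default `./certs/kmip/{server_name}` only lines up with the `/src/certs/kmip` mount target if the gateway's working directory is `/src`, which these hunks do not show; a template comment such as `{# resolved relative to the gateway working directory inside the container #}` would record that assumption.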
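Review bot: Only the default value is exercised by this expectation; nothing covers the false branch of `{% if spec.kmip_cert_dir %}`. A case that builds the spec with `kmip_cert_dir=''` and asserts that `[kmip]` is absent from the rendered config would pin the opt-out behaviour. The expected-config string begins and ends outside this hunk.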
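Review bot: Because the new parameter defaults to the non-empty `'./certs/kmip/{server_name}'`, every rendered gateway config gets a `[kmip]` section, including deployments with no KMIP server, while the host mount in nvmeof.py is added only where `/etc/kmip` exists. If KMIP is meant to be opt-in, a default of `None` would make the template guard meaningful; otherwise the attribute comment should say so, for example `#: ``kmip_cert_dir`` directory for KMIP server keys and certificates; ``{server_name}`` is left for the gateway to expand`. That placeholder behaviour is inferred from the test expectation and is not shown in this file. The constructor signature and `__init__` body extend beyond both hunks here.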