mgr/dashboard: fix nvmeof mtls

Tomer Haskalovitch · Tomer Haskalovitch · commit 4ce8b5210d69 · 2025-08-06T12:22:31.000+03:00
Signed-off-by: Tomer Haskalovitch &lt;tomer.haska@ibm.com&gt;
diff --git a/src/pybind/mgr/dashboard/services/nvmeof_client.py b/src/pybind/mgr/dashboard/services/nvmeof_client.py
@@ -6,7 +6,7 @@
     NamedTuple, Optional, Type, get_args, get_origin
 
 from ..exceptions import DashboardException
-from .nvmeof_conf import NvmeofGatewaysConfig
+from .nvmeof_conf import NvmeofGatewaysConfig, is_mtls_enabled
 
 logger = logging.getLogger("nvmeof_client")
 
@@ -63,16 +63,14 @@ def __init__(self, gw_group: Optional[str] = None, traddr: Optional[str] = None)
                 if matched_gateway:
                     self.gateway_addr = matched_gateway.get('service_url')
                     logger.debug("Gateway address set to: %s", self.gateway_addr)
-
-            root_ca_cert = NvmeofGatewaysConfig.get_root_ca_cert(service_name)
-            if root_ca_cert:
+            enable_auth = is_mtls_enabled(service_name)
+            if enable_auth:
                 client_key = NvmeofGatewaysConfig.get_client_key(service_name)
                 client_cert = NvmeofGatewaysConfig.get_client_cert(service_name)
-
-            if root_ca_cert and client_key and client_cert:
+                server_cert = NvmeofGatewaysConfig.get_server_cert(service_name)
                 logger.info('Securely connecting to: %s', self.gateway_addr)
                 credentials = grpc.ssl_channel_credentials(
-                    root_certificates=root_ca_cert,
+                    root_certificates=server_cert,
                     private_key=client_key,
                     certificate_chain=client_cert,
                 )
diff --git a/src/pybind/mgr/dashboard/services/nvmeof_conf.py b/src/pybind/mgr/dashboard/services/nvmeof_conf.py
@@ -132,8 +132,7 @@ def get_client_key(cls, service_name: str):
     @classmethod
     def get_root_ca_cert(cls, service_name: str):
         root_ca_cert = cls.from_cert_store('nvmeof_root_ca_cert', service_name)
-        # If root_ca_cert is not set, use server_cert as root_ca_cert
-        return root_ca_cert.encode() if root_ca_cert else cls.get_server_cert(service_name)
+        return root_ca_cert.encode() if root_ca_cert else None
 
     @classmethod
     def get_server_cert(cls, service_name: str):
@@ -209,3 +208,11 @@ def _get_default_service(gateways):
         service_name = gateway_keys[0]
         return service_name, gateways[service_name][0]['service_url']
     return None
+
+
+def is_mtls_enabled(service_name: str):
+    try:
+        orch = OrchClient.instance()
+        return orch.services.get(service_name)[0].spec.enable_auth
+    except OrchestratorError:
+        return False
