ArbitCode
diff --git a/‎doc/cephadm/services/nfs.rst‎
Lines changed: 79 additions & 0 deletions b/‎doc/cephadm/services/nfs.rst‎
Lines changed: 79 additions & 0 deletions
diff --git a/‎doc/mgr/nfs.rst‎
Lines changed: 3 additions & 3 deletions b/‎doc/mgr/nfs.rst‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎src/cephadm/cephadmlib/daemons/nfs.py‎
Lines changed: 15 additions & 2 deletions b/‎src/cephadm/cephadmlib/daemons/nfs.py‎
Lines changed: 15 additions & 2 deletions
diff --git a/‎src/pybind/mgr/cephadm/agent.py‎
Lines changed: 7 additions & 7 deletions b/‎src/pybind/mgr/cephadm/agent.py‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎src/pybind/mgr/cephadm/cert_mgr.py‎
Lines changed: 20 additions & 9 deletions b/‎src/pybind/mgr/cephadm/cert_mgr.py‎
Lines changed: 20 additions & 9 deletions
diff --git a/‎src/pybind/mgr/cephadm/module.py‎
Lines changed: 3 additions & 3 deletions b/‎src/pybind/mgr/cephadm/module.py‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎src/pybind/mgr/cephadm/serve.py‎
Lines changed: 5 additions & 1 deletion b/‎src/pybind/mgr/cephadm/serve.py‎
Lines changed: 5 additions & 1 deletion
@@ -79,6 +79,85 @@ address is not present and ``monitoring_networks`` is specified, an IP address
 that matches one of the specified networks will be used. If neither condition
 is met, the default binding will happen on all available network interfaces.
 
+TLS/SSL Example
+---------------
+
+Here's an example NFS service specification with TLS/SSL configuration:
+
+.. code-block:: yaml
+
+    service_type: nfs
+    service_id: mynfs
+    placement:
+      hosts:
+      - ceph-node-0
+    spec:
+      port: 12345
+      ssl: true
+      certificate_source: inline|reference|cephadm-signed
+      ssl_cert: |
+        -----BEGIN CERTIFICATE-----
+        (PEM cert contents here)
+        -----END CERTIFICATE-----
+      ssl_key: |
+        -----BEGIN PRIVATE KEY-----
+        (PEM key contents here)
+        -----END PRIVATE KEY-----
+      ssl_ca_cert:
+        -----BEGIN PRIVATE KEY-----
+        (PEM key contents here)
+        -----END PRIVATE KEY-----
+      tls_ktls: true
+      tls_debug: true
+      tls_min_version: TLSv1.3
+      tls_ciphers: AES-256
+
+This example configures an NFS service with TLS encryption enabled using
+inline certificates.
+
+TLS/SSL Parameters
+~~~~~~~~~~~~~~~~~~
+
+The following parameters can be used to configure TLS/SSL encryption for the NFS service:
+
+* ``ssl`` (boolean): Enable or disable SSL/TLS encryption. Default is ``false``.
+
+* ``certificate_source`` (string): Specifies the source of the TLS certificates.
+  Options include:
+
+  - ``cephadm-signed``: Use certificates signed by cephadm's internal CA
+  - ``inline``: Provide certificates directly in the specification using ``ssl_cert``, ``ssl_key``, and ``ssl_ca_cert`` fields
+  - ``reference``: Users can register their own certificate and key with certmgr and
+    set the ``certificate_source`` to ``reference`` in the spec.
+
+* ``ssl_cert`` (string): The SSL certificate in PEM format. Required when using
+  ``inline`` certificate source.
+
+* ``ssl_key`` (string): The SSL private key in PEM format. Required when using
+  ``inline`` certificate source.
+
+* ``ssl_ca_cert`` (string): The SSL CA certificate in PEM format. Required when
+  using ``inline`` certificate source.
+
+* ``custom_sans`` (list): List of custom Subject Alternative Names (SANs) to
+  include in the certificate.
+
+* ``tls_ktls`` (boolean): Enable kernel TLS (kTLS) for improved performance when
+  available. Default is ``false``.
+
+* ``tls_debug`` (boolean): Enable TLS debugging output. Useful for troubleshooting
+  TLS issues. Default is ``false``.
+
+* ``tls_min_version`` (string): Specify the minimum TLS version to accept.
+  Examples: TLSv1.3, TLSv1.2
+
+* ``tls_ciphers`` (string): Specify allowed cipher suites for TLS connections.
+  Example: :-CIPHER-ALL:+AES-256-GCM
+
+.. note:: When ``ssl`` is enabled, a ``certificate_source`` must be specified.
+   If using ``inline`` certificates, all three certificate fields (``ssl_cert``,
+   ``ssl_key``, ``ssl_ca_cert``) must be provided.
+
 The specification can then be applied by running the following command:
 
 .. prompt:: bash #
 
@@ -182,7 +182,7 @@ In order to modify cluster parameters (for example, the port or the placement),
 use the orchestrator interface to update the NFS service spec. The safest way
 to do that is to export the current spec, modify it, and then re-apply it. For
 example, to modify the ``nfs.foo`` service, run commands of the following
-forms: 
+forms:
 
 .. prompt:: bash #
 
@@ -318,7 +318,7 @@ value is ``no_root_squash``. See the `NFS-Ganesha Export Sample`_ for
 permissible values.
 
 ``<sectype>`` specifies which authentication methods will be used when
-connecting to the export. Valid values include "krb5p", "krb5i", "krb5", "sys",
+connecting to the export. Valid values include "krb5p", "krb5i", "krb5", "sys", "tls", "mtls"
 and "none". More than one value can be supplied. The flag may be specified
 multiple times (example: ``--sectype=krb5p --sectype=krb5i``) or multiple
 values may be separated by a comma (example: ``--sectype krb5p,krb5i``). The
@@ -350,7 +350,7 @@ There are two kinds of RGW exports:
 
 RGW bucket export
 ^^^^^^^^^^^^^^^^^
-  
+
 To export a *bucket*:
 
 .. prompt:: bash #
 
@@ -177,10 +177,23 @@ def create_daemon_dirs(self, data_dir, uid, gid):
 
         # create the ganesha conf dir
         config_dir = os.path.join(data_dir, 'etc/ganesha')
+        tls_dir = os.path.join(data_dir, 'etc/ganesha/tls')
         makedirs(config_dir, uid, gid, 0o755)
-
+        makedirs(tls_dir, uid, gid, 0o755)
+
+        config_files = {
+            fname: content
+            for fname, content in self.files.items()
+            if fname in ['ganesha.conf', 'idmap.conf']
+        }
+        tls_files = {
+            fname: content
+            for fname, content in self.files.items()
+            if fname.startswith('tls')
+        }
         # populate files from the config-json
-        populate_files(config_dir, self.files, uid, gid)
+        populate_files(config_dir, config_files, uid, gid)
+        populate_files(tls_dir, tls_files, uid, gid)
 
         # write the RGW keyring
         if self.rgw:
 
@@ -24,7 +24,7 @@ class Server:  # type: ignore
 import tempfile
 from cephadm.services.service_registry import service_registry
 from cephadm.services.cephadmservice import CephadmAgent
-from cephadm.tlsobject_types import CertKeyPair
+from cephadm.tlsobject_types import TLSCredentials
 
 from urllib.error import HTTPError, URLError
 from typing import Any, Dict, List, Set, TYPE_CHECKING, Optional, MutableMapping, IO
@@ -77,13 +77,13 @@ def configure_tls(self, server: Server) -> None:
         verify_tls_files(self.cert_file.name, self.key_file.name)
         server.ssl_certificate, server.ssl_private_key = self.cert_file.name, self.key_file.name
 
-    def _get_agent_certificates(self) -> CertKeyPair:
+    def _get_agent_certificates(self) -> TLSCredentials:
         host = self.mgr.get_hostname()
-        tls_pair = self.mgr.cert_mgr.get_self_signed_cert_key_pair(CephadmAgent.TYPE, host)
-        if not tls_pair:
-            tls_pair = self.mgr.cert_mgr.generate_cert(host, self.mgr.get_mgr_ip(), duration_in_days=CEPHADM_AGENT_CERT_DURATION)
-            self.mgr.cert_mgr.save_self_signed_cert_key_pair(CephadmAgent.TYPE, tls_pair, host=host)
-        return tls_pair
+        tls_creds = self.mgr.cert_mgr.get_self_signed_tls_credentials(CephadmAgent.TYPE, host)
+        if not tls_creds:
+            tls_creds = self.mgr.cert_mgr.generate_cert(host, self.mgr.get_mgr_ip(), duration_in_days=CEPHADM_AGENT_CERT_DURATION)
+            self.mgr.cert_mgr.save_self_signed_cert_key_pair(CephadmAgent.TYPE, tls_creds, host=host)
+        return tls_creds
 
     def find_free_port(self) -> None:
         max_port = self.server_port + 150
 
@@ -6,7 +6,7 @@
 from cephadm.ssl_cert_utils import SSLCerts, SSLConfigException
 from mgr_util import verify_tls, certificate_days_to_expire, ServerConfigException
 from cephadm.ssl_cert_utils import get_certificate_info, get_private_key_info
-from cephadm.tlsobject_types import Cert, PrivKey, TLSObjectScope, TLSObjectException, CertKeyPair
+from cephadm.tlsobject_types import Cert, PrivKey, TLSObjectScope, TLSObjectException, TLSCredentials
 from cephadm.tlsobject_store import TLSObjectStore
 
 if TYPE_CHECKING:
@@ -245,7 +245,14 @@ def register_self_signed_cert_key_pair(self, service_name: str, label: Optional[
         self.cert_store.register_object_name(self.self_signed_cert(service_name, label), TLSObjectScope.HOST)
         self.key_store.register_object_name(self.self_signed_key(service_name, label), TLSObjectScope.HOST)
 
-    def register_cert_key_pair(self, consumer: str, cert_name: str, key_name: str, scope: TLSObjectScope) -> None:
+    def register_cert_key_pair(
+        self,
+        consumer: str,
+        cert_name: str,
+        key_name: str,
+        scope: TLSObjectScope,
+        ca_cert_name: Optional[str] = None
+    ) -> None:
         """
         Registers a certificate/key for a given consumer under a specific scope.
 
@@ -256,6 +263,8 @@ def register_cert_key_pair(self, consumer: str, cert_name: str, key_name: str, s
         """
         self.register_cert(consumer, cert_name, scope)
         self.register_key(consumer, key_name, scope)
+        if ca_cert_name:
+            self.register_cert(consumer, ca_cert_name, scope)
 
     def register_cert(self, consumer: str, cert_name: str, scope: TLSObjectScope) -> None:
         self._register_tls_object(consumer, cert_name, scope, "certs")
@@ -305,9 +314,10 @@ def generate_cert(
         node_ip: Union[str, List[str]],
         custom_san_list: Optional[List[str]] = None,
         duration_in_days: Optional[int] = None,
-    ) -> CertKeyPair:
+    ) -> TLSCredentials:
         cert, key = self.ssl_certs.generate_cert(host_fqdn, node_ip, custom_san_list=custom_san_list, duration_in_days=duration_in_days)
-        return CertKeyPair(cert=cert, key=key)
+        ca_cert = self.mgr.cert_mgr.get_root_ca()
+        return TLSCredentials(cert=cert, key=key, ca_cert=ca_cert)
 
     def cert_exists(self, cert_name: str, service_name: Optional[str] = None, host: Optional[str] = None) -> bool:
         cert_obj = self.cert_store.get_tlsobject(cert_name, service_name, host)
@@ -325,24 +335,25 @@ def get_key(self, key_name: str, service_name: Optional[str] = None, host: Optio
         key_obj = cast(PrivKey, self.key_store.get_tlsobject(key_name, service_name, host))
         return key_obj.key if key_obj else None
 
-    def get_self_signed_cert_key_pair(self, service_name: str, hostname: str, label: Optional[str] = None) -> CertKeyPair:
+    def get_self_signed_tls_credentials(self, service_name: str, hostname: str, label: Optional[str] = None) -> TLSCredentials:
         cert_obj = cast(Cert, self.cert_store.get_tlsobject(self.self_signed_cert(service_name, label), host=hostname))
         key_obj = cast(PrivKey, self.key_store.get_tlsobject(self.self_signed_key(service_name, label), host=hostname))
         cert = cert_obj.cert if cert_obj else ''
         key = key_obj.key if key_obj else ''
-        return CertKeyPair(cert=cert, key=key)
+        ca_cert = self.mgr.cert_mgr.get_root_ca()
+        return TLSCredentials(cert=cert, key=key, ca_cert=ca_cert)
 
     def save_cert(self, cert_name: str, cert: str, service_name: Optional[str] = None, host: Optional[str] = None, user_made: bool = False, editable: bool = False) -> None:
         self.cert_store.save_tlsobject(cert_name, cert, service_name, host, user_made, editable)
 
     def save_key(self, key_name: str, key: str, service_name: Optional[str] = None, host: Optional[str] = None, user_made: bool = False, editable: bool = False) -> None:
         self.key_store.save_tlsobject(key_name, key, service_name, host, user_made, editable)
 
-    def save_self_signed_cert_key_pair(self, service_name: str, tls_pair: CertKeyPair, host: str, label: Optional[str] = None) -> None:
+    def save_self_signed_cert_key_pair(self, service_name: str, tls_creds: TLSCredentials, host: str, label: Optional[str] = None) -> None:
         ss_cert_name = self.self_signed_cert(service_name, label)
         ss_key_name = self.self_signed_key(service_name, label)
-        self.cert_store.save_tlsobject(ss_cert_name, tls_pair.cert, host=host, user_made=False)
-        self.key_store.save_tlsobject(ss_key_name, tls_pair.key, host=host, user_made=False)
+        self.cert_store.save_tlsobject(ss_cert_name, tls_creds.cert, host=host, user_made=False)
+        self.key_store.save_tlsobject(ss_key_name, tls_creds.key, host=host, user_made=False)
 
     def rm_cert(self, cert_name: str, service_name: Optional[str] = None, host: Optional[str] = None) -> bool:
         return self.cert_store.rm_tlsobject(cert_name, service_name, host)
 
@@ -735,7 +735,7 @@ def _init_cert_mgr(self) -> None:
             if svc.allows_user_certificates:
                 if svc.SCOPE == TLSObjectScope.UNKNOWN:
                     OrchestratorError(f"Service {svc.TYPE} requieres certificates but it has not defined its svc.SCOPE field.")
-                self.cert_mgr.register_cert_key_pair(svc.TYPE, svc.cert_name, svc.key_name, svc.SCOPE)
+                self.cert_mgr.register_cert_key_pair(svc.TYPE, svc.cert_name, svc.key_name, svc.SCOPE, svc.ca_cert_name)
 
         self.cert_mgr.register_cert_key_pair('nvmeof', 'nvmeof_client_cert', 'nvmeof_client_key', TLSObjectScope.SERVICE)
         self.cert_mgr.register_cert('nvmeof', 'nvmeof_root_ca_cert', TLSObjectScope.SERVICE)
@@ -3282,8 +3282,8 @@ def generate_certificates(self, module_name: str) -> Optional[Dict[str, str]]:
         if module_name == 'dashboard':
             host_fqdns.append('dashboard_servers')
 
-        cert, key = self.cert_mgr.generate_cert(host_fqdns, self.get_mgr_ip())
-        return {'cert': cert, 'key': key}
+        tls_creds = self.cert_mgr.generate_cert(host_fqdns, self.get_mgr_ip())
+        return {'cert': tls_creds.cert, 'key': tls_creds.key}
 
     @handle_orch_error
     def set_prometheus_access_info(self, user: str, password: str) -> str:
 
@@ -1156,7 +1156,11 @@ def _check_daemons(self) -> None:
                     # the daemon is written, which we rewrite on redeploy, but not
                     # on reconfig.
                     action = 'redeploy'
-
+                elif dd.daemon_type == 'nfs':
+                    # check what has changed, based on that decide action
+                    only_kmip_updated = all(s.startswith('kmip') for s in list(sym_diff))
+                    if not only_kmip_updated:
+                        action = 'redeploy'
             elif spec is not None and hasattr(spec, 'extra_container_args') and dd.extra_container_args != spec.extra_container_args:
                 self.log.debug(
                     f'{dd.name()} container cli args {dd.extra_container_args} -> {spec.extra_container_args}')