Implement mTLS support for the monitor gRPC server
Signed-off-by: Alexander Indenbaum <[email protected]>
Showing
10 changed files
with
144 additions
and
25 deletions.
@@ -0,0 +1,78 @@ | ||
# | ||
# Copyright (c) 2021 International Business Machines | ||
# All rights reserved. | ||
# | ||
# SPDX-License-Identifier: LGPL-3.0-or-later | ||
# | ||
# Authors: [email protected], [email protected] | ||
# | ||
|
||
[gateway] | ||
name = | ||
group = | ||
addr = 192.168.13.3 | ||
port = 5500 | ||
enable_auth = True | ||
state_update_notify = True | ||
state_update_interval_sec = 5 | ||
enable_spdk_discovery_controller = False | ||
#omap_file_lock_duration = 20 | ||
#omap_file_lock_retries = 30 | ||
#omap_file_lock_retry_sleep_interval = 1.0 | ||
#omap_file_update_reloads = 10 | ||
#enable_prometheus_exporter = True | ||
#prometheus_exporter_ssl = True | ||
#prometheus_port = 10008 | ||
#prometheus_bdev_pools = rbd | ||
#prometheus_stats_interval = 10 | ||
#verify_nqns = True | ||
#allowed_consecutive_spdk_ping_failures = 1 | ||
#spdk_ping_interval_in_seconds = 2.0 | ||
#ping_spdk_under_lock = False | ||
|
||
[gateway-logs] | ||
log_level=debug | ||
#log_files_enabled = True | ||
#log_files_rotation_enabled = True | ||
#verbose_log_messages = True | ||
#max_log_file_size_in_mb=10 | ||
#max_log_files_count=20 | ||
#max_log_directory_backups=10 | ||
# | ||
# Notice that if you change the log directory the log files will only be visible inside the container | ||
# | ||
#log_directory = /var/log/ceph/ | ||
|
||
[discovery] | ||
addr = 0.0.0.0 | ||
port = 8009 | ||
|
||
[ceph] | ||
pool = rbd | ||
config_file = /etc/ceph/ceph.conf | ||
|
||
[mtls] | ||
server_key = /etc/ceph/server.key | ||
client_key = /etc/ceph/client.key | ||
server_cert = /etc/ceph/server.crt | ||
client_cert = /etc/ceph/client.crt | ||
|
||
[spdk] | ||
bdevs_per_cluster = 32 | ||
tgt_path = /usr/local/bin/nvmf_tgt | ||
#rpc_socket_dir = /var/tmp/ | ||
#rpc_socket_name = spdk.sock | ||
#tgt_cmd_extra_args = --env-context="--no-huge -m1024" --iova-mode=va | ||
timeout = 60.0 | ||
log_level = WARNING | ||
|
||
# Example value: -m 0x3 -L all | ||
# tgt_cmd_extra_args = | ||
|
||
# transports = tcp | ||
|
||
# Example value: {"max_queue_depth" : 16, "max_io_size" : 4194304, "io_unit_size" : 1048576, "zcopy" : false} | ||
transport_tcp_options = {"in_capsule_data_size" : 8192, "max_io_qpairs_per_ctrlr" : 7} | ||
|
||
[monitor] | ||
#timeout = 1.0 |
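Review bot: The `[mtls]` section points `server_key` and `client_key` at the same `/etc/ceph` directory, and nothing in the file says this layout is meant for the test setup only. If that directory is a single volume shared by the gateway and the CLI containers (not visible here), each side can read the other's private key, which weakens the separation mutual TLS is meant to provide. I would add a comment above the section such as `# Test layout only: in a deployment keep server.key on the gateway and client.key on the client, each readable by its owner only`. Separately, `log_level=debug` in `[gateway-logs]` is the only active key written without spaces around `=`; `log_level = debug` would match the rest of the file.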
@@ -0,0 +1 @@ | ||
sanity.sh |
@@ -0,0 +1,13 @@ | ||
set -xe | ||
|
||
GW1_NAME=$(docker ps --format '{{.ID}}\t{{.Names}}' | awk '$2 ~ /nvmeof/ && $2 ~ /1/ {print $1}') | ||
GW1_IP="$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$GW1_NAME")" | ||
NQN="nqn.2016-06.io.spdk:cnode1" | ||
|
||
docker-compose run --rm nvmeof-cli --server-address $GW1_IP --server-port 5500 --server-cert /etc/ceph/server.crt --client-key /etc/ceph/client.key --client-cert /etc/ceph/client.crt subsystem add --subsystem $NQN | ||
docker-compose run --rm nvmeof-cli --server-address $GW1_IP --server-port 5500 --server-cert /etc/ceph/server.crt --client-key /etc/ceph/client.key --client-cert /etc/ceph/client.crt namespace add --subsystem $NQN --rbd-pool rbd --rbd-image demo_image1 --size 10M --rbd-create-image -l 1 | ||
#docker-compose run --rm nvmeof-cli --server-address $GW1_IP --server-port 5500 --server-cert /etc/ceph/server.crt --client-key /etc/ceph/client.key --client-cert /etc/ceph/client.crt namespace add --subsystem $NQN --rbd-pool rbd --rbd-image demo_image2 --size 10M --rbd-create-image -l 2 | ||
docker-compose run --rm nvmeof-cli --server-address $GW1_IP --server-port 5500 --server-cert /etc/ceph/server.crt --client-key /etc/ceph/client.key --client-cert /etc/ceph/client.crt listener add --subsystem $NQN --host-name $GW1_NAME --traddr $GW1_IP --trsvcid 4420 | ||
docker-compose run --rm nvmeof-cli --server-address $GW1_IP --server-port 5500 --server-cert /etc/ceph/server.crt --client-key /etc/ceph/client.key --client-cert /etc/ceph/client.crt host add --subsystem $NQN --host "*" | ||
docker-compose run --rm nvmeof-cli --server-address $GW1_IP --server-port 5500 --server-cert /etc/ceph/server.crt --client-key /etc/ceph/client.key --client-cert /etc/ceph/client.crt get_subsystems | ||
|
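Review bot: The three TLS flags are spelled out in full on all six `docker-compose run` lines (including the commented-out one), so a later change to a certificate path has to be repeated on each line and a missed one would run with stale credentials. Defining them once near the top, e.g. `TLS_ARGS="--server-cert /etc/ceph/server.crt --client-key /etc/ceph/client.key --client-cert /etc/ceph/client.crt"`, and passing `$TLS_ARGS` on each line keeps them in step; another script in this commit already exports the same string as `CLI_TLS_ARGS`. `$GW1_IP`, `$GW1_NAME` and `$NQN` are also expanded unquoted on those lines, and the awk filter `$2 ~ /1/` accepts any container name containing a 1, so it can select more than one container; quoting the expansions and tightening the pattern would be safer.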
@@ -0,0 +1,9 @@ | ||
# Check if GITHUB_WORKSPACE is defined | ||
if [ -n "$GITHUB_WORKSPACE" ]; then | ||
test_dir="$GITHUB_WORKSPACE/tests/ha" | ||
else | ||
test_dir=$(dirname $0) | ||
fi | ||
|
||
export NVMEOF_CONFIG=./tests/ceph-nvmeof.tls.conf | ||
$test_dir/start_up.sh 1 |
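Review bot: `NVMEOF_CONFIG=./tests/ceph-nvmeof.tls.conf` is relative to the current directory, while `test_dir` is built from `$GITHUB_WORKSPACE` when that is set, so the script only finds the TLS config when it is run from the repository root. If whatever consumes `NVMEOF_CONFIG` falls back to a default config when the path is wrong (not visible here), the run would not exercise mTLS at all; a check such as `[ -f "$NVMEOF_CONFIG" ] || exit 1` before calling `start_up.sh` would catch that. `$(dirname $0)` and `$test_dir/start_up.sh` are unquoted and break on a path containing spaces; `test_dir=$(dirname "$0")` and `"$test_dir/start_up.sh" 1` fix that, and the same two lines appear in the script that exports `CLI_TLS_ARGS`.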
@@ -0,0 +1,9 @@ | ||
# Check if GITHUB_WORKSPACE is defined | ||
if [ -n "$GITHUB_WORKSPACE" ]; then | ||
test_dir="$GITHUB_WORKSPACE/tests/ha" | ||
else | ||
test_dir=$(dirname $0) | ||
fi | ||
|
||
export CLI_TLS_ARGS="--server-cert /etc/ceph/server.crt --client-key /etc/ceph/client.key --client-cert /etc/ceph/client.crt" | ||
$test_dir/wait_gateways.sh 1 |