
feat(e2e): enable mTLS for Podman compute driver#1430

Merged
TaylorMutch merged 3 commits into
NVIDIA:mainfrom
russellb:feat/1428-podman-mtls-e2e/russellb
May 18, 2026

Conversation

@russellb
Contributor

Summary

Enable mTLS in the Podman e2e test harness. The Podman driver already had full mTLS support in its Rust code (cert bind-mounts, env vars, config validation, unit tests) — the gap was entirely in the e2e harness, which explicitly blocked HTTPS and ran plaintext-only gateways. This PR wires up ephemeral PKI generation, TLS gateway flags, and mTLS registration, then extracts the shared PKI logic into gateway-common.sh to eliminate duplication with the Docker script.

Related Issue

Closes #1428

Changes

  • e2e/with-podman-gateway.sh: Add openssl preflight, generate ephemeral PKI with host.containers.internal SAN, add guest_tls_* to TOML config, replace --disable-tls with --tls-cert/--tls-key/--tls-client-ca, switch to https:// and e2e_register_mtls_gateway, update error messages to match Docker wording
  • e2e/support/gateway-common.sh: Extract e2e_generate_pki(pki_dir, host_alias) shared helper — parameterizes the host-gateway SAN and uses absolute paths (eliminates the cd/cd pattern)
  • e2e/with-docker-gateway.sh: Replace inline PKI generation with e2e_generate_pki call
  • e2e/rust/e2e-podman.sh: Remove "plaintext" from comment

Testing

  • mise run pre-commit passes (pre-existing markdown lint failure in unrelated gitignored file)
  • mise run test:rust — all unit tests pass
  • mise run e2e:podman — all 57 e2e tests pass over mTLS (run twice: once after initial implementation, once after PKI extraction refactor)
  • mise run e2e:docker — not run locally (Docker script change is a pure refactor extracting existing code into a shared function; no behavioral change)

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)

russellb added 2 commits May 18, 2026 14:00
The Podman driver already supported mTLS certificate injection into
sandbox containers, but the e2e test harness explicitly blocked HTTPS
and ran plaintext-only gateways. Generate ephemeral PKI (CA, server,
client certs) with host.containers.internal in the server SANs, wire
guest_tls_* paths into the TOML config, replace --disable-tls with
--tls-cert/--tls-key/--tls-client-ca, and switch to mTLS gateway
registration. The health check remains on the plaintext health port.

Closes NVIDIA#1428
The Docker and Podman e2e scripts had near-identical 35-line PKI
generation blocks differing only in the host-gateway SAN. Extract
into e2e_generate_pki(pki_dir, host_alias) in gateway-common.sh,
which also eliminates the cd/cd pattern by using absolute paths
throughout.
@copy-pr-bot

copy-pr-bot Bot commented May 18, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

Replace the hand-rolled openssl PKI generation in e2e_generate_pki()
with the gateway's built-in generate-certs --output-dir command. This
uses the same PKI generation as production deployments (Helm and RPM).

The helper now takes the gateway binary path and passes extra SANs
via --server-san (host.openshell.internal always, plus the driver's
host alias for Podman). The default SAN list already includes
host.docker.internal and localhost.

Update all cert path references to match the generate-certs output
layout (server/tls.{crt,key}, client/tls.{crt,key}) and remove the
openssl preflight checks from both gateway scripts.
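The PKI the harness generates (an ephemeral CA, a server certificate whose SANs include the driver's host-gateway alias, and a client certificate that the gateway validates against `--tls-client-ca`) can be exercised without openssl or the gateway binary. The program below is an added example written for this page, not code from the openshell repository or from this PR: it builds the same three-certificate layout with Go's standard library and then runs the two checks the mTLS setup depends on, including the SAN case that motivated parameterising `host_alias` (a server certificate issued for `host.containers.internal` is rejected when verified as `host.docker.internal`). The names `PKI`, `GeneratePKI`, `VerifyServer` and `VerifyClient` are this example's own; the certificate lifetimes and common names are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI mirrors the three artefacts the e2e harness writes out: an ephemeral
// CA, the gateway's server certificate, and the client certificate that
// sandboxes present for mTLS registration. (Example type, not the project's.)
type PKI struct {
	CA     *x509.Certificate
	Server *x509.Certificate
	Client *x509.Certificate
}

// issue generates a fresh P-256 key for tmpl and signs it with signer.
// A nil signer means self-signed (used for the CA). Leaf private keys are
// discarded here because the example only exercises verification.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// leafTemplate builds a short-lived end-entity template with exactly one EKU,
// so a client cert can never double as a server cert or vice versa.
func leafTemplate(serial int64, cn string, eku x509.ExtKeyUsage, dns []string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(time.Hour), // constructed lifetime: one test run
		DNSNames:     dns,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
}

// GeneratePKI builds the ephemeral CA plus server and client leaf certs.
// hostAlias is the driver-specific name containers use to reach the host
// (host.containers.internal for Podman, host.docker.internal for Docker);
// it goes into the server SANs next to localhost.
func GeneratePKI(hostAlias string) (*PKI, error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "e2e ephemeral CA"},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca, caKey, err := issue(caTmpl, caTmpl, nil)
	if err != nil {
		return nil, err
	}
	server, _, err := issue(leafTemplate(2, "gateway", x509.ExtKeyUsageServerAuth,
		[]string{"localhost", hostAlias}), ca, caKey)
	if err != nil {
		return nil, err
	}
	client, _, err := issue(leafTemplate(3, "sandbox-client", x509.ExtKeyUsageClientAuth, nil), ca, caKey)
	if err != nil {
		return nil, err
	}
	return &PKI{CA: ca, Server: server, Client: client}, nil
}

func (p *PKI) roots() *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(p.CA)
	return pool
}

// VerifyServer is the client-side check: chain to the CA and match name
// against the server SANs. A wrong host alias fails with a hostname error.
func (p *PKI) VerifyServer(name string) error {
	_, err := p.Server.Verify(x509.VerifyOptions{
		Roots:     p.roots(),
		DNSName:   name,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// VerifyClient is the gateway-side check behind --tls-client-ca: the
// presented cert must chain to the CA and carry the clientAuth EKU.
func (p *PKI) VerifyClient(cert *x509.Certificate) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     p.roots(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	p, err := GeneratePKI("host.containers.internal")
	if err != nil {
		panic(err)
	}
	fmt.Println("podman alias:         ", p.VerifyServer("host.containers.internal"))
	fmt.Println("docker alias:         ", p.VerifyServer("host.docker.internal"))
	fmt.Println("client cert as client:", p.VerifyClient(p.Client))
	fmt.Println("server cert as client:", p.VerifyClient(p.Server))
}
```

Run with `go run .`: the Podman alias and the client certificate verify with `<nil>`, the Docker alias fails with a hostname mismatch, and the server certificate is refused as a client because its only EKU is serverAuth. The single-EKU split is the property a reviewer should look for in any generated PKI, whether it comes from openssl or the gateway's `generate-certs`: a leaked server certificate must not be usable to register as a sandbox.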
@TaylorMutch TaylorMutch self-assigned this May 18, 2026
@TaylorMutch TaylorMutch added the test:e2e Requires end-to-end coverage label May 18, 2026
@github-actions

Label test:e2e applied, but pull-request/1430 is at {"messa while the PR head is 99170b5. A maintainer needs to comment /ok to test 99170b56402e39df0369e38f844c85866338a710 to refresh the mirror. Once the mirror catches up, re-run Branch E2E Checks from the Actions tab.

@TaylorMutch
Collaborator

/ok to test 99170b5


@TaylorMutch TaylorMutch left a comment


LGTM!

@TaylorMutch TaylorMutch merged commit 3cd238a into NVIDIA:main May 18, 2026
39 of 41 checks passed

Development

Successfully merging this pull request may close these issues.

feat: enable mTLS for Podman compute driver in e2e test harness