From 097c90c4764df6aa5a3f0cbe091ffcbc4315e49d Mon Sep 17 00:00:00 2001
From: Manohar Reddy
Date: Thu, 28 May 2026 11:44:51 +0200
Subject: [PATCH] KMS: enforce TLS requirement

---
 simplyblock_core/cluster_ops.py                 | 13 +++++++++++++
 simplyblock_core/controllers/pool_controller.py | 10 +++++-----
 simplyblock_web/api/v2/pool.py                  | 15 +++++++--------
 3 files changed, 25 insertions(+), 13 deletions(-)

diff --git a/simplyblock_core/cluster_ops.py b/simplyblock_core/cluster_ops.py
index dc97c744c..aef450952 100755
--- a/simplyblock_core/cluster_ops.py
+++ b/simplyblock_core/cluster_ops.py
@@ -14,6 +14,7 @@
 from docker.errors import DockerException
 
 from simplyblock_core import utils, scripts, constants, mgmt_node_ops, storage_node_ops
+from simplyblock_core.settings import Settings
 from simplyblock_core.controllers import backup_controller, cluster_events, device_controller, qos_controller, tasks_controller, tcp_ports_events
 from simplyblock_core.fw_api_client import FirewallClient
 from simplyblock_core.db_controller import DBController
@@ -563,6 +564,18 @@ def add_cluster(blk_size, page_size_in_blocks, cap_warn, cap_crit, prov_cap_warn
     cluster.nvmf_base_port = nvmf_base_port
     cluster.rpc_base_port = rpc_base_port
     cluster.snode_api_port = snode_api_port
+    if hashicorp_vault_settings:
+        settings = Settings()
+        missing = [
+            path
+            for path in [settings.tls_certificate_authority, settings.tls_certificate, settings.tls_key]
+            if not path.is_file()
+        ]
+        if missing:
+            raise ValueError(
+                "HashiCorp Vault requires TLS certificates that are not present: "
+                + ", ".join(map(str, missing))
+            )
     cluster.hashicorp_vault_settings = hashicorp_vault_settings
     if backup_config:
         cluster.backup_config = backup_config
diff --git a/simplyblock_core/controllers/pool_controller.py b/simplyblock_core/controllers/pool_controller.py
index d4c44f89e..cc081319c 100644
--- a/simplyblock_core/controllers/pool_controller.py
+++ b/simplyblock_core/controllers/pool_controller.py
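Review bot: The new block in add_cluster only proves that the CA, certificate and key files exist at the moment the cluster is created; nothing in the hunk checks that they are readable by this process or still present when the Vault connection is later opened, so the "TLS requirement" from the subject is enforced at admission time only. If `settings.tls_certificate_authority`, `settings.tls_certificate` or `settings.tls_key` can be unset (`None`), `path.is_file()` raises `AttributeError` instead of the intended `ValueError`; the filter should read `if path is None or not path.is_file()`, and the message would be more useful if it named the setting rather than printing `None`. A one-line comment above the block would record the intent for the next reader, e.g. `# Refuse to persist Vault settings unless the TLS material the KMS connection needs is on disk.` add_cluster starts before and ends after this hunk, so whether anything has already been persisted when the ValueError fires cannot be judged here.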
@@ -102,13 +102,13 @@ def add_pool(name, pool_max, lvol_max, max_rw_iops, max_rw_mbytes, max_r_mbytes,
 
         pool.dhchap_ctrlr_key = utils.generate_dhchap_key(length=32)
 
-    with create_kms_connection(cluster) as kms:
-        try:
+    try:
+        with create_kms_connection(cluster) as kms:
             kms.create_key_encryption_key(pool.get_id())
             logger.info("Created pool key")
-        except KMSException:
-            logger.exception("Failed to create pool key")
-            return False
+    except KMSException:
+        logger.exception("Failed to create pool key")
+        return False
 
     pool.status = "active"
     pool.write_to_db(db_controller.kv_store)
diff --git a/simplyblock_web/api/v2/pool.py b/simplyblock_web/api/v2/pool.py
index 97044b997..814495a49 100644
--- a/simplyblock_web/api/v2/pool.py
+++ b/simplyblock_web/api/v2/pool.py
@@ -1,7 +1,7 @@
 from typing import Annotated, List, Optional
 from uuid import UUID
 
-from fastapi import APIRouter, Depends, HTTPException, Request, Response
+from fastapi import APIRouter, Depends, HTTPException, Response
 from pydantic import BaseModel
 
 from simplyblock_core.db_controller import DBController
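Review bot: Now that `create_kms_connection(cluster)` sits inside the `try`, a failure to reach or authenticate to the KMS is logged as `"Failed to create pool key"`, which sends an operator to the wrong step; `logger.exception("Failed to create KMS key for pool %s", pool.get_id())` would cover both the connection and the key creation and ties the log line to the pool. The `return False` path exits before `pool.status = "active"` and `pool.write_to_db(...)`; add_pool starts above this hunk, so if the pool record was already written earlier, a `False` return leaves an inactive pool entry behind that the caller (the API hunk in this commit turns `False` into a 500) cannot clean up.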
@@ -42,24 +42,23 @@ class StoragePoolParams(BaseModel):
     cr_plural: str = ""
 
 
-@api.post('/', name='clusters:storage-pools:create', status_code=201, responses={201: {"content": None}})
-def add(request: Request, cluster: Cluster, parameters: StoragePoolParams) -> Response:
+@api.post('/', name='clusters:storage-pools:create', status_code=201)
+def add(cluster: Cluster, parameters: StoragePoolParams):
     for pool in db.get_pools(cluster.get_id()):
         if pool.pool_name == parameters.name:
             raise HTTPException(409, f'Pool {parameters.name} already exists')
 
-    id_or_false = pool_controller.add_pool(
+    pool_id = pool_controller.add_pool(
         parameters.name, parameters.pool_max, parameters.volume_max_size,
         parameters.max_rw_iops, parameters.max_rw_mbytes, parameters.max_r_mbytes,
         parameters.max_w_mbytes, cluster.get_id(), parameters.cr_name,
         parameters.cr_namespace, parameters.cr_plural, dhchap=parameters.dhchap,
     )
 
-    if not id_or_false:
-        raise ValueError('Failed to create pool')
+    if not pool_id:
+        raise HTTPException(500, 'Failed to create pool')
 
-    pool = db.get_pool_by_id(id_or_false)
-    return pool.to_dict()
+    return db.get_pool_by_id(pool_id).to_dict()
 
 
 instance_api = APIRouter(prefix='/{pool_id}')
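Review bot: `add` now returns the pool dict but has neither a return annotation nor a docstring (the `-> Response` and `responses={201: {"content": None}}` were dropped together), so the generated OpenAPI schema no longer says what the 201 body is; `def add(cluster: Cluster, parameters: StoragePoolParams) -> dict:` plus a one-line docstring such as `"""Create a storage pool in *cluster* and return its record; 409 if the name is taken, 500 if creation (including its KMS key) fails."""` would fix both. Raising `HTTPException(500, 'Failed to create pool')` instead of `ValueError` is the right layer, but the pool_controller hunk in this commit shows `add_pool` returning `False` specifically when the KMS call fails, so a dependency outage surfaces as a generic 500 with no hint to the client that a retry may succeed; a 503 for that case is more accurate if the controller can distinguish it. The last line assumes `db.get_pool_by_id(pool_id)` returns the pool; if it can return `None`, the `.to_dict()` raises and also becomes a 500 after the pool was actually created.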