From 64c606a4a7ea4d5ead88462909414bd760c30247 Mon Sep 17 00:00:00 2001
From: Zirui Liu <ziliu@ddn.com>
Date: Wed, 17 Sep 2025 16:38:31 +0000
Subject: [PATCH 1/4] obj: Add ca_bundle option for S3 compatible storage

Signed-off-by: Zirui Liu <ziliu@ddn.com>
---
 benchmark/nixlbench/src/utils/utils.cpp             | 4 ++++
 benchmark/nixlbench/src/utils/utils.h               | 1 +
 benchmark/nixlbench/src/worker/nixl/nixl_worker.cpp | 4 ++++
 src/plugins/obj/obj_s3_client.cpp                   | 3 +++
 4 files changed, 12 insertions(+)

diff --git a/benchmark/nixlbench/src/utils/utils.cpp b/benchmark/nixlbench/src/utils/utils.cpp
index caa6b6105..8ff451491 100644
--- a/benchmark/nixlbench/src/utils/utils.cpp
+++ b/benchmark/nixlbench/src/utils/utils.cpp
@@ -120,6 +120,7 @@ DEFINE_string(obj_endpoint_override, "", "Endpoint override for S3 backend");
 DEFINE_string(obj_req_checksum,
               XFERBENCH_OBJ_REQ_CHECKSUM_SUPPORTED,
               "Required checksum for S3 backend [supported, required]");
+DEFINE_string(obj_ca_bundle, "", "CA bundle for S3 backend");
 
 // HF3FS options - only used when backend is HF3FS
 DEFINE_int32(hf3fs_iopool_size, 64, "Size of io memory pool");
@@ -169,6 +170,7 @@ std::string xferBenchConfig::obj_region = "";
 bool xferBenchConfig::obj_use_virtual_addressing = false;
 std::string xferBenchConfig::obj_endpoint_override = "";
 std::string xferBenchConfig::obj_req_checksum = "";
+std::string xferBenchConfig::obj_ca_bundle = "";
 int xferBenchConfig::hf3fs_iopool_size = 0;
 
 int
@@ -235,6 +237,7 @@ xferBenchConfig::loadFromFlags() {
             obj_use_virtual_addressing = FLAGS_obj_use_virtual_addressing;
             obj_endpoint_override = FLAGS_obj_endpoint_override;
             obj_req_checksum = FLAGS_obj_req_checksum;
+            obj_ca_bundle = FLAGS_obj_ca_bundle;
 
             // Validate OBJ S3 scheme
             if (obj_scheme != XFERBENCH_OBJ_SCHEME_HTTP &&
@@ -412,6 +415,7 @@ xferBenchConfig::printConfig() {
                         obj_endpoint_override);
             printOption("OBJ S3 required checksum (--obj_req_checksum=[supported, required])",
                         obj_req_checksum);
+            printOption("OBJ S3 CA bundle (--obj_ca_bundle=cert-path)", obj_ca_bundle);
         }
 
         if (xferBenchConfig::isStorageBackend()) {
diff --git a/benchmark/nixlbench/src/utils/utils.h b/benchmark/nixlbench/src/utils/utils.h
index 1f27f578d..586d3e799 100644
--- a/benchmark/nixlbench/src/utils/utils.h
+++ b/benchmark/nixlbench/src/utils/utils.h
@@ -165,6 +165,7 @@ class xferBenchConfig {
         static bool obj_use_virtual_addressing;
         static std::string obj_endpoint_override;
         static std::string obj_req_checksum;
+        static std::string obj_ca_bundle;
         static int hf3fs_iopool_size;
 
         static int
diff --git a/benchmark/nixlbench/src/worker/nixl/nixl_worker.cpp b/benchmark/nixlbench/src/worker/nixl/nixl_worker.cpp
index f3ed39900..31129398e 100644
--- a/benchmark/nixlbench/src/worker/nixl/nixl_worker.cpp
+++ b/benchmark/nixlbench/src/worker/nixl/nixl_worker.cpp
@@ -182,6 +182,10 @@ xferBenchNixlWorker::xferBenchNixlWorker(int *argc, char ***argv, std::vector<st
             xferBenchConfig::obj_use_virtual_addressing ? "true" : "false";
         backend_params["req_checksum"] = xferBenchConfig::obj_req_checksum;
 
+        if (xferBenchConfig::obj_ca_bundle != "") {
+            backend_params["ca_bundle"] = xferBenchConfig::obj_ca_bundle;
+        }
+
         if (xferBenchConfig::obj_endpoint_override != "") {
             backend_params["endpoint_override"] = xferBenchConfig::obj_endpoint_override;
         }
diff --git a/src/plugins/obj/obj_s3_client.cpp b/src/plugins/obj/obj_s3_client.cpp
index 1d62e49f2..72815daec 100644
--- a/src/plugins/obj/obj_s3_client.cpp
+++ b/src/plugins/obj/obj_s3_client.cpp
@@ -74,6 +74,9 @@ createClientConfiguration(nixl_b_params_t *custom_params) {
                                      "'. Must be 'required' or 'supported'");
     }
 
+    auto ca_bundle_it = custom_params->find("ca_bundle");
+    if (ca_bundle_it != custom_params->end()) config.caFile = ca_bundle_it->second;
+
     return config;
 }
 

From 6651d4a976681d1d3fe62bf70708729e74cfe936 Mon Sep 17 00:00:00 2001
From: Zirui Liu <ziliu@ddn.com>
Date: Thu, 18 Sep 2025 07:50:27 +0000
Subject: [PATCH 2/4] obj: Add ca_bundle option in README.md

Signed-off-by: Zirui Liu <ziliu@ddn.com>
---
 src/plugins/obj/README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/plugins/obj/README.md b/src/plugins/obj/README.md
index 719f8acac..2daf44ff9 100644
--- a/src/plugins/obj/README.md
+++ b/src/plugins/obj/README.md
@@ -48,6 +48,7 @@ Backend parameters are passed as a key-value map (`nixl_b_params_t`) when creati
 | `region` | AWS region for the S3 service | `us-east-1` | No |
 | `use_virtual_addressing` | Use virtual-hosted-style addressing (`true`/`false`) | `false` | No |
 | `req_checksum` | Request checksum validation (`required`/`supported`) | - | No |
+| `ca_bundle` | path to a custom certificate bundle | - | No |
 
 \* If `access_key` and `secret_key` are not provided, the AWS SDK will attempt to use default credential providers (IAM roles, environment variables, credential files, etc.)
 
@@ -115,7 +116,8 @@ nixl_b_params_t params = {
     {"scheme", "http"},
     {"region", "us-east-1"},
     {"use_virtual_addressing", "false"},
-    {"req_checksum", "supported"}
+    {"req_checksum", "supported"},
+    {"ca_bundle", "/root/ca-certs/cacert.pem"}
 };
 agent.createBackend("obj", params);
 ```

From d4514e7b404ac569b57c58e04f12a0eba05a6e0e Mon Sep 17 00:00:00 2001
From: ziruiliu <ziliu@ddn.com>
Date: Thu, 18 Sep 2025 20:30:11 +0800
Subject: [PATCH 3/4] Update benchmark/nixlbench/src/utils/utils.cpp

update with clearer description

Co-authored-by: ovidiusm <ovidium@nvidia.com>
Signed-off-by: ziruiliu <ziliu@ddn.com>
---
 benchmark/nixlbench/src/utils/utils.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/benchmark/nixlbench/src/utils/utils.cpp b/benchmark/nixlbench/src/utils/utils.cpp
index 8ff451491..8ace6025e 100644
--- a/benchmark/nixlbench/src/utils/utils.cpp
+++ b/benchmark/nixlbench/src/utils/utils.cpp
@@ -120,7 +120,7 @@ DEFINE_string(obj_endpoint_override, "", "Endpoint override for S3 backend");
 DEFINE_string(obj_req_checksum,
               XFERBENCH_OBJ_REQ_CHECKSUM_SUPPORTED,
               "Required checksum for S3 backend [supported, required]");
-DEFINE_string(obj_ca_bundle, "", "CA bundle for S3 backend");
+DEFINE_string(obj_ca_bundle, "", "Path to CA bundle for S3 backend");
 
 // HF3FS options - only used when backend is HF3FS
 DEFINE_int32(hf3fs_iopool_size, 64, "Size of io memory pool");

From b85ef3ee0cce0d2be6620c70c2a99eaca7800552 Mon Sep 17 00:00:00 2001
From: Zirui Liu <ziliu@ddn.com>
Date: Fri, 19 Sep 2025 01:06:43 +0000
Subject: [PATCH 4/4] obj: add ca_bundle option

Signed-off-by: Zirui Liu <ziliu@ddn.com>
---
 benchmark/kvbench/commands/args.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/benchmark/kvbench/commands/args.py b/benchmark/kvbench/commands/args.py
index 6898f6481..38480bc6a 100644
--- a/benchmark/kvbench/commands/args.py
+++ b/benchmark/kvbench/commands/args.py
@@ -264,6 +264,11 @@ def nixl_bench_args(func):
         type=str,
         help="Required checksum type for S3 backend [supported, required] (only used with OBJ backend)",
     )(func)
+    func = click.option(
+        "--obj_ca_bundle",
+        type=str,
+        help="Path to CA bundle for S3 backend (only used with OBJ backend)",
+    )(func)
     return func