Altinity · sunsingerus · Apr 7, 2022 · Apr 1, 2022 · Apr 4, 2022 · sunsingerus
diff --git a/cmd/metrics_exporter/app/metrics_exporter.go b/cmd/metrics_exporter/app/metrics_exporter.go
@@ -98,6 +98,7 @@ func Run() {
 
 	exporter := metrics.StartMetricsREST(
 		metrics.NewCHAccessInfo(
+			chop.Config().ClickHouse.Access.Scheme,
 			chop.Config().ClickHouse.Access.Username,
 			chop.Config().ClickHouse.Access.Password,
 			chop.Config().ClickHouse.Access.Port,

diff --git a/...-install-bundle/clickhouse-operator-install-yaml-template-01-section-crd-02-chopconf.yaml b/...-install-bundle/clickhouse-operator-install-yaml-template-01-section-crd-02-chopconf.yaml
@@ -107,6 +107,9 @@ spec:
                     access:
                       type: object
                       properties:
+                        scheme:
+                          type: string
+                          description: "The scheme to user for connecting to ClickHouse. One of http or https"                      
                         username:
                           type: string
                           description: "ClickHouse username to be used by operator to connect to ClickHouse instances, deprecated, use chCredentialsSecretName"

diff --git a/deploy/operator/clickhouse-operator-install-bundle-v1beta1.yaml b/deploy/operator/clickhouse-operator-install-bundle-v1beta1.yaml
@@ -2747,6 +2747,9 @@ spec:
                 access:
                   type: object
                   properties:
+                    scheme:
+                      type: string
+                      description: "The scheme to user for connecting to ClickHouse. One of http or https"
                     username:
                       type: string
                       description: "ClickHouse username to be used by operator to connect to ClickHouse instances, deprecated, use chCredentialsSecretName"

diff --git a/deploy/operator/clickhouse-operator-install-bundle.yaml b/deploy/operator/clickhouse-operator-install-bundle.yaml
@@ -2775,6 +2775,9 @@ spec:
                     access:
                       type: object
                       properties:
+                        scheme:
+                          type: string
+                          description: "The scheme to user for connecting to ClickHouse. One of http or https"
                         username:
                           type: string
                           description: "ClickHouse username to be used by operator to connect to ClickHouse instances, deprecated, use chCredentialsSecretName"

diff --git a/deploy/operator/clickhouse-operator-install-template-dev.yaml b/deploy/operator/clickhouse-operator-install-template-dev.yaml
@@ -2760,6 +2760,9 @@ spec:
                     access:
                       type: object
                       properties:
+                        scheme:
+                          type: string
+                          description: "The scheme to user for connecting to ClickHouse. One of http or https"
                         username:
                           type: string
                           description: "ClickHouse username to be used by operator to connect to ClickHouse instances, deprecated, use chCredentialsSecretName"

diff --git a/deploy/operator/clickhouse-operator-install-template-v1beta1.yaml b/deploy/operator/clickhouse-operator-install-template-v1beta1.yaml
@@ -2747,6 +2747,9 @@ spec:
                 access:
                   type: object
                   properties:
+                    scheme:
+                      type: string
+                      description: "The scheme to user for connecting to ClickHouse. One of http or https"
                     username:
                       type: string
                       description: "ClickHouse username to be used by operator to connect to ClickHouse instances, deprecated, use chCredentialsSecretName"

diff --git a/deploy/operator/clickhouse-operator-install-template.yaml b/deploy/operator/clickhouse-operator-install-template.yaml
@@ -2775,6 +2775,9 @@ spec:
                     access:
                       type: object
                       properties:
+                        scheme:
+                          type: string
+                          description: "The scheme to user for connecting to ClickHouse. One of http or https"
                         username:
                           type: string
                           description: "ClickHouse username to be used by operator to connect to ClickHouse instances, deprecated, use chCredentialsSecretName"

diff --git a/deploy/operator/clickhouse-operator-install-tf.yaml b/deploy/operator/clickhouse-operator-install-tf.yaml
@@ -2782,6 +2782,9 @@ spec:
                     access:
                       type: object
                       properties:
+                        scheme:
+                          type: string
+                          description: "The scheme to user for connecting to ClickHouse. One of http or https"
                         username:
                           type: string
                           description: "ClickHouse username to be used by operator to connect to ClickHouse instances, deprecated, use chCredentialsSecretName"

diff --git a/deploy/operator/parts/crd.yaml b/deploy/operator/parts/crd.yaml
@@ -2775,6 +2775,9 @@ spec:
                     access:
                       type: object
                       properties:
+                        scheme:
+                          type: string
+                          description: "The scheme to user for connecting to ClickHouse. One of http or https"
                         username:
                           type: string
                           description: "ClickHouse username to be used by operator to connect to ClickHouse instances, deprecated, use chCredentialsSecretName"

diff --git a/dev/go_build_universal.sh b/dev/go_build_universal.sh
@@ -18,7 +18,7 @@ GOOS=${GOOS:-linux}
 GOARCH=${GOARCH:-amd64}
 
 if [[ "" != "${GCFLAGS:-}" ]]; then
-    GCFLAGS="-gcflags ${GCFLAGS:-}"
+    GCFLAG='-gcflags'
 fi
 
 if CGO_ENABLED=0 GO111MODULE=on GOOS="${GOOS}" GOARCH="${GOARCH}" go build \
@@ -29,7 +29,7 @@ if CGO_ENABLED=0 GO111MODULE=on GOOS="${GOOS}" GOARCH="${GOARCH}" go build \
         -X ${REPO}/pkg/version.GitSHA=${GIT_SHA}  \
         -X ${REPO}/pkg/version.BuiltAt=${NOW}     \
     " \
-    ${GCFLAGS:-} \
+    $GCFLAG "${GCFLAGS:-}" \
     -o "${OUTPUT_BINARY}" \
     "${MAIN_SRC_FILE}"
 then

diff --git a/pkg/apis/clickhouse.altinity.com/v1/type_config_chop.go b/pkg/apis/clickhouse.altinity.com/v1/type_config_chop.go
@@ -51,6 +51,7 @@ const (
 	// 1. Metrics requests
 	// 2. Schema maintenance
 	// User credentials can be specified in additional ClickHouse config files located in `chUsersConfigsPath` folder
+	defaultChScheme   = "http"
 	defaultChUsername = ""
 	defaultChPassword = ""
 	defaultChPort     = 8123
@@ -146,6 +147,7 @@ type OperatorConfigClickHouse struct {
 		// 1. Metrics requests
 		// 2. Schema maintenance
 		// User credentials can be specified in additional ClickHouse config files located in `chUsersConfigsPath` folder
+		Scheme   string `json:"scheme" yaml:"scheme"`
 		Username string `json:"username" yaml:"username"`
 		Password string `json:"password" yaml:"password"`
 
@@ -324,6 +326,7 @@ type OperatorConfig struct {
 	// 1. Metrics requests
 	// 2. Schema maintenance
 	// User credentials can be specified in additional ClickHouse config files located in `chUsersConfigsPath` folder
+	CHScheme   string `json:"chScheme" yaml:"chScheme"`
 	CHUsername string `json:"chUsername" yaml:"chUsername"`
 	CHPassword string `json:"chPassword" yaml:"chPassword"`
 	// Location of k8s Secret with username and password to be used by operator to connect to ClickHouse instances
@@ -645,6 +648,9 @@ func (c *OperatorConfig) normalizeAccessSection() {
 	// 1. Metrics requests
 	// 2. Schema maintenance
 	// User credentials can be specified in additional ClickHouse config files located in `chUsersConfigsPath` folder
+	if c.ClickHouse.Access.Scheme == "" {
+		c.ClickHouse.Access.Scheme = defaultChScheme
+	}
 	if c.ClickHouse.Access.Username == "" {
 		c.ClickHouse.Access.Username = defaultChUsername
 	}
@@ -941,6 +947,9 @@ func (c *OperatorConfig) move() {
 	// 1. Metrics requests
 	// 2. Schema maintenance
 	// User credentials can be specified in additional ClickHouse config files located in `chUsersConfigsPath` folder
+	if c.CHScheme != "" {
+		c.ClickHouse.Access.Password = c.CHScheme
+	}
 	if c.CHUsername != "" {
 		c.ClickHouse.Access.Username = c.CHUsername
 	}

diff --git a/pkg/apis/metrics/clickhouse_fetcher.go b/pkg/apis/metrics/clickhouse_fetcher.go
@@ -132,9 +132,9 @@ type ClickHouseFetcher struct {
 }
 
 // NewClickHouseFetcher creates new clickhouse fetcher object
-func NewClickHouseFetcher(hostname, username, password string, port int) *ClickHouseFetcher {
+func NewClickHouseFetcher(scheme, hostname, username, password string, port int) *ClickHouseFetcher {
 	return &ClickHouseFetcher{
-		connectionParams: clickhouse.NewConnectionParams(hostname, username, password, port),
+		connectionParams: clickhouse.NewConnectionParams(scheme, hostname, username, password, port),
 	}
 }
 

diff --git a/pkg/apis/metrics/exporter.go b/pkg/apis/metrics/exporter.go
@@ -163,6 +163,7 @@ func (e *Exporter) updateWatched(chi *WatchedCHI) {
 // newFetcher returns new Metrics Fetcher for specified host
 func (e *Exporter) newFetcher(hostname string) *ClickHouseFetcher {
 	return NewClickHouseFetcher(
+		e.chAccessInfo.Scheme,
 		hostname,
 		e.chAccessInfo.Username,
 		e.chAccessInfo.Password,

diff --git a/pkg/apis/metrics/type_ch_access_info.go b/pkg/apis/metrics/type_ch_access_info.go
@@ -16,14 +16,16 @@ package metrics
 
 // CHAccessInfo specifies ClickHouse access info
 type CHAccessInfo struct {
+	Scheme   string
 	Username string
 	Password string
 	Port     int
 }
 
 // NewCHAccessInfo creates new CHAccessInfo from specified access info
-func NewCHAccessInfo(username, password string, port int) *CHAccessInfo {
+func NewCHAccessInfo(scheme, username, password string, port int) *CHAccessInfo {
 	return &CHAccessInfo{
+		Scheme:   scheme,
 		Username: username,
 		Password: password,
 		Port:     port,

diff --git a/pkg/controller/chi/worker.go b/pkg/controller/chi/worker.go
@@ -70,6 +70,7 @@ func (c *Controller) newWorker(q queue.PriorityQueue, sys bool) *worker {
 		queue:      q,
 		normalizer: chopmodel.NewNormalizer(c.kubeClient),
 		schemer: chopmodel.NewSchemer(
+			chop.Config().ClickHouse.Access.Scheme,
 			chop.Config().ClickHouse.Access.Username,
 			chop.Config().ClickHouse.Access.Password,
 			chop.Config().ClickHouse.Access.Port,

diff --git a/pkg/model/clickhouse/cluster.go b/pkg/model/clickhouse/cluster.go
@@ -67,7 +67,7 @@ func (c *Cluster) SetHosts(hosts []string) *Cluster {
 
 // getConnection gets connection
 func (c *Cluster) getConnection(host string) *Connection {
-	return GetPooledDBConnection(NewConnectionParams(host, c.Username, c.Password, c.Port)).SetLog(c.l)
+	return GetPooledDBConnection(NewConnectionParams(c.Scheme, host, c.Username, c.Password, c.Port)).SetLog(c.l)
 }
 
 // QueryAny walks over all endpoints and runs query sequentially on each of them.

diff --git a/pkg/model/clickhouse/connection.go b/pkg/model/clickhouse/connection.go
@@ -16,6 +16,7 @@ package clickhouse
 
 import (
 	"context"
+	"crypto/tls"
 	databasesql "database/sql"
 	"fmt"
 	"time"
@@ -24,9 +25,13 @@ import (
 	"github.com/altinity/clickhouse-operator/pkg/util"
 
 	// go-clickhouse is explicitly required in order to setup connection to clickhouse db
-	_ "github.com/mailru/go-clickhouse"
+	goch "github.com/mailru/go-clickhouse"
 )
 
+func init(){
+	goch.RegisterTLSConfig(tlsSettings, &tls.Config{InsecureSkipVerify: true})
+}
+
 // Connection specifies clickhouse database connection object
 type Connection struct {
 	params *ConnectionParams
@@ -41,6 +46,7 @@ func NewConnection(params *ConnectionParams) *Connection {
 		params: params,
 		l:      log.New(),
 	}
+
 }
 
 // Params gets connection params

diff --git a/pkg/model/clickhouse/connection_params.go b/pkg/model/clickhouse/connection_params.go
@@ -21,9 +21,9 @@ type ConnectionParams struct {
 }
 
 // NewConnectionParams creates new ConnectionParams
-func NewConnectionParams(hostname, username, password string, port int) *ConnectionParams {
+func NewConnectionParams(scheme, hostname, username, password string, port int) *ConnectionParams {
 	return &ConnectionParams{
-		NewEndpointCredentials(hostname, username, password, port),
+		NewEndpointCredentials(scheme, hostname, username, password, port),
 		NewTimeouts(),
 	}
 }
diff --git a/pkg/model/clickhouse/endpoint_credentials.go b/pkg/model/clickhouse/endpoint_credentials.go
@@ -21,18 +21,22 @@ import (
 
 const (
 	// http://user:password@host:8123/
-	chDsnUrlPattern = "http://%s%s:%s/"
+	chDsnUrlPattern = "%s://%s%s:%s/"
 
 	usernameReplacer = "***"
 	passwordReplacer = "***"
 
 	dsnUsernamePasswordPairPattern             = "%s:%s@"
 	dsnUsernamePasswordPairUsernameOnlyPattern = "%s@"
+
+	httpsScheme = "https"
+	tlsSettings = "tls-settings"
 )
 
 // EndpointCredentials specifies credentials to access specified endpoint
 type EndpointCredentials struct {
 	// External data
+	scheme   string
 	hostname string
 	username string
 	password string
@@ -44,8 +48,9 @@ type EndpointCredentials struct {
 }
 
 // NewEndpointCredentials creates new EndpointCredentials object
-func NewEndpointCredentials(hostname, username, password string, port int) *EndpointCredentials {
+func NewEndpointCredentials(scheme, hostname, username, password string, port int) *EndpointCredentials {
 	params := &EndpointCredentials{
+		scheme:   scheme,
 		hostname: hostname,
 		username: username,
 		password: password,
@@ -82,12 +87,17 @@ func (c *EndpointCredentials) makeUsernamePassword(hidden bool) string {
 
 // makeDSN makes ClickHouse DSN
 func (c *EndpointCredentials) makeDSN(hideCredentials bool) string {
-	return fmt.Sprintf(
+	baseUrl := fmt.Sprintf(
 		chDsnUrlPattern,
+		c.scheme,
 		c.makeUsernamePassword(hideCredentials),
 		c.hostname,
 		strconv.Itoa(c.port),
 	)
+	if c.scheme == httpsScheme {
+		baseUrl += "?tls_config=" + tlsSettings
+	}
+	return baseUrl
 }
 
 // GetDSN gets DSN

diff --git a/pkg/model/clickhouse/endpoint_credentials_cluster.go b/pkg/model/clickhouse/endpoint_credentials_cluster.go
@@ -16,6 +16,7 @@ package clickhouse
 
 // ClusterEndpointCredentials specifies cluster endpoint credentials
 type ClusterEndpointCredentials struct {
+	Scheme   string
 	Username string
 	Password string
 	Port     int

diff --git a/pkg/model/schemer.go b/pkg/model/schemer.go
@@ -35,8 +35,9 @@ type Schemer struct {
 const ignoredDBs = `'system', 'information_schema', 'INFORMATION_SCHEMA'`
 
 // NewSchemer creates new Schemer object
-func NewSchemer(username, password string, port int) *Schemer {
+func NewSchemer(scheme, username, password string, port int) *Schemer {
 	credentials := &clickhouse.ClusterEndpointCredentials{
+		Scheme:   scheme,
 		Username: username,
 		Password: password,
 		Port:     port,