diff --git a/cmd/metrics_exporter/app/metrics_exporter.go b/cmd/metrics_exporter/app/metrics_exporter.go
index 40c8ba338..425022cbe 100644
--- a/cmd/metrics_exporter/app/metrics_exporter.go
+++ b/cmd/metrics_exporter/app/metrics_exporter.go
@@ -101,6 +101,7 @@ func Run() {
 chop.Config().ClickHouse.Access.Scheme,
 chop.Config().ClickHouse.Access.Username,
 chop.Config().ClickHouse.Access.Password,
+ chop.Config().ClickHouse.Access.Cacrt,
 chop.Config().ClickHouse.Access.Port,
 ),
diff --git a/deploy/builder/templates-install-bundle/clickhouse-operator-install-yaml-template-01-section-crd-02-chopconf.yaml b/deploy/builder/templates-install-bundle/clickhouse-operator-install-yaml-template-01-section-crd-02-chopconf.yaml
index dd708010a..ea37dda23 100644
--- a/deploy/builder/templates-install-bundle/clickhouse-operator-install-yaml-template-01-section-crd-02-chopconf.yaml
+++ b/deploy/builder/templates-install-bundle/clickhouse-operator-install-yaml-template-01-section-crd-02-chopconf.yaml
@@ -116,6 +116,9 @@ spec:
 password:
 type: string
 description: "ClickHouse password to be used by operator to connect to ClickHouse instances, deprecated, use chCredentialsSecretName"
+ cacrt:
+ type: string
+ description: "ClickHouse rootCA certificate authentication to be added to verify ClickHouse Https connection"
 secret:
 type: object
 properties:
diff --git a/deploy/operator/clickhouse-operator-install-ansible.yaml b/deploy/operator/clickhouse-operator-install-ansible.yaml
index 8aaea4e21..5aa426c86 100644
--- a/deploy/operator/clickhouse-operator-install-ansible.yaml
+++ b/deploy/operator/clickhouse-operator-install-ansible.yaml
@@ -2791,6 +2791,9 @@ spec:
 password:
 type: string
 description: "ClickHouse password to be used by operator to connect to ClickHouse instances, deprecated, use chCredentialsSecretName"
+ cacrt:
+ type: string
+ description: "ClickHouse rootCA certificate authentication to be added to verify ClickHouse Https connection"
 secret:
 type: object
 properties:
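Review bot: The `cacrt` description added in the template hunk (and repeated in every deploy/operator copy) does not say which encoding the operator expects, and the connect code in this same commit calls x509.ParseCertificate, which takes DER, while a string-typed CRD field will normally carry PEM; the schema should pin the format to whatever the code ends up accepting, e.g. `description: "PEM-encoded root CA certificate used to verify the ClickHouse server certificate when scheme is https"`. The copy in deploy/operator/clickhouse-operator-install-template.yaml inserts `cacrt` between `username` and `password`, unlike every other copy, which suggests that file was edited by hand rather than regenerated from this template; regenerating the bundle files from the template would keep them consistent.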
diff --git a/deploy/operator/clickhouse-operator-install-bundle-v1beta1.yaml b/deploy/operator/clickhouse-operator-install-bundle-v1beta1.yaml
index 8ddae2a9d..c59d2d5f2 100644
--- a/deploy/operator/clickhouse-operator-install-bundle-v1beta1.yaml
+++ b/deploy/operator/clickhouse-operator-install-bundle-v1beta1.yaml
@@ -2756,6 +2756,9 @@ spec:
 password:
 type: string
 description: "ClickHouse password to be used by operator to connect to ClickHouse instances, deprecated, use chCredentialsSecretName"
+ cacrt:
+ type: string
+ description: "ClickHouse rootCA certificate authentication to be added to verify ClickHouse Https connection"
 secret:
 type: object
 properties:
diff --git a/deploy/operator/clickhouse-operator-install-bundle.yaml b/deploy/operator/clickhouse-operator-install-bundle.yaml
index 44d6f097f..429ad744a 100644
--- a/deploy/operator/clickhouse-operator-install-bundle.yaml
+++ b/deploy/operator/clickhouse-operator-install-bundle.yaml
@@ -2784,6 +2784,9 @@ spec:
 password:
 type: string
 description: "ClickHouse password to be used by operator to connect to ClickHouse instances, deprecated, use chCredentialsSecretName"
+ cacrt:
+ type: string
+ description: "ClickHouse rootCA certificate authentication to be added to verify ClickHouse Https connection"
 secret:
 type: object
 properties:
diff --git a/deploy/operator/clickhouse-operator-install-template-dev.yaml b/deploy/operator/clickhouse-operator-install-template-dev.yaml
index 3dcba4f79..049807e42 100644
--- a/deploy/operator/clickhouse-operator-install-template-dev.yaml
+++ b/deploy/operator/clickhouse-operator-install-template-dev.yaml
@@ -2769,6 +2769,9 @@ spec:
 password:
 type: string
 description: "ClickHouse password to be used by operator to connect to ClickHouse instances, deprecated, use chCredentialsSecretName"
+ cacrt:
+ type: string
+ description: "ClickHouse rootCA certificate authentication to be added to verify ClickHouse Https connection"
 secret:
 type: object
 properties:
diff --git a/deploy/operator/clickhouse-operator-install-template-v1beta1.yaml b/deploy/operator/clickhouse-operator-install-template-v1beta1.yaml
index f4a593829..71a5ae120 100644
--- a/deploy/operator/clickhouse-operator-install-template-v1beta1.yaml
+++ b/deploy/operator/clickhouse-operator-install-template-v1beta1.yaml
@@ -2756,6 +2756,9 @@ spec:
 password:
 type: string
 description: "ClickHouse password to be used by operator to connect to ClickHouse instances, deprecated, use chCredentialsSecretName"
+ cacrt:
+ type: string
+ description: "ClickHouse rootCA certificate authentication to be added to verify ClickHouse Https connection"
 secret:
 type: object
 properties:
diff --git a/deploy/operator/clickhouse-operator-install-template.yaml b/deploy/operator/clickhouse-operator-install-template.yaml
index 487319891..80049108c 100644
--- a/deploy/operator/clickhouse-operator-install-template.yaml
+++ b/deploy/operator/clickhouse-operator-install-template.yaml
@@ -2781,6 +2781,9 @@ spec:
 username:
 type: string
 description: "ClickHouse username to be used by operator to connect to ClickHouse instances, deprecated, use chCredentialsSecretName"
+ cacrt:
+ type: string
+ description: "ClickHouse rootCA certificate authentication to be added to verify ClickHouse Https connection"
 password:
 type: string
 description: "ClickHouse password to be used by operator to connect to ClickHouse instances, deprecated, use chCredentialsSecretName"
diff --git a/deploy/operator/clickhouse-operator-install-tf.yaml b/deploy/operator/clickhouse-operator-install-tf.yaml
index b23e01790..11a2b8d26 100644
--- a/deploy/operator/clickhouse-operator-install-tf.yaml
+++ b/deploy/operator/clickhouse-operator-install-tf.yaml
@@ -2791,6 +2791,9 @@ spec:
 password:
 type: string
 description: "ClickHouse password to be used by operator to connect to ClickHouse instances, deprecated, use chCredentialsSecretName"
+ cacrt:
+ type: string
+ description: "ClickHouse rootCA certificate authentication to be added to verify ClickHouse Https connection"
 secret:
 type: object
 properties:
diff --git a/deploy/operator/parts/crd.yaml b/deploy/operator/parts/crd.yaml
index 75a8a1aae..7c04433d4 100644
--- a/deploy/operator/parts/crd.yaml
+++ b/deploy/operator/parts/crd.yaml
@@ -2784,6 +2784,9 @@ spec:
 password:
 type: string
 description: "ClickHouse password to be used by operator to connect to ClickHouse instances, deprecated, use chCredentialsSecretName"
+ cacrt:
+ type: string
+ description: "ClickHouse rootCA certificate authentication to be added to verify ClickHouse Https connection"
 secret:
 type: object
 properties:
diff --git a/pkg/apis/clickhouse.altinity.com/v1/type_config_chop.go b/pkg/apis/clickhouse.altinity.com/v1/type_config_chop.go
index c07bf9c87..9d3d0edea 100644
--- a/pkg/apis/clickhouse.altinity.com/v1/type_config_chop.go
+++ b/pkg/apis/clickhouse.altinity.com/v1/type_config_chop.go
@@ -55,6 +55,7 @@ const (
 defaultChUsername = ""
 defaultChPassword = ""
 defaultChPort = 8123
+ defaultChCacrt = ""
 // defaultReconcileThreadsNumber specifies default number of controller threads running concurrently.
 // Used in case no other specified in config
@@ -150,6 +151,7 @@ type OperatorConfigClickHouse struct {
 Scheme string `json:"scheme" yaml:"scheme"`
 Username string `json:"username" yaml:"username"`
 Password string `json:"password" yaml:"password"`
+ Cacrt string `json:"cacrt" yaml:"cacrt"`
 // Location of k8s Secret with username and password to be used by the operator to connect to ClickHouse instances
 // Can be used instead of explicitly specified (above) username and password
@@ -329,6 +331,7 @@ type OperatorConfig struct {
 CHScheme string `json:"chScheme" yaml:"chScheme"`
 CHUsername string `json:"chUsername" yaml:"chUsername"`
 CHPassword string `json:"chPassword" yaml:"chPassword"`
+ CHCacrt string `json:"chcacrt" yaml:"chcacrt"`
 // Location of k8s Secret with username and password to be used by operator to connect to ClickHouse instances
 // Can be used instead of explicitly specified username and password
 CHCredentialsSecretNamespace string `json:"chCredentialsSecretNamespace" yaml:"chCredentialsSecretNamespace"`
@@ -657,7 +660,9 @@ func (c *OperatorConfig) normalizeAccessSection() {
 if c.ClickHouse.Access.Password == "" {
 c.ClickHouse.Access.Password = defaultChPassword
 }
-
+ if c.ClickHouse.Access.Cacrt == "" {
+ c.ClickHouse.Access.Cacrt = defaultChCacrt
+ }
 // config.CHCredentialsSecretNamespace
 // config.CHCredentialsSecretName
@@ -956,6 +961,9 @@ func (c *OperatorConfig) move() {
 if c.CHPassword != "" {
 c.ClickHouse.Access.Password = c.CHPassword
 }
+ if c.CHCacrt != "" {
+ c.ClickHouse.Access.Cacrt = c.CHCacrt
+ }
 // Location of k8s Secret with username and password to be used by operator to connect to ClickHouse instances
 // Can be used instead of explicitly specified username and password
 if c.CHCredentialsSecretNamespace != "" {
diff --git a/pkg/apis/metrics/clickhouse_fetcher.go b/pkg/apis/metrics/clickhouse_fetcher.go
index 487e23015..2ea04be2c 100644
--- a/pkg/apis/metrics/clickhouse_fetcher.go
+++ b/pkg/apis/metrics/clickhouse_fetcher.go
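Review bot: The tag on the new `CHCacrt` field in the OperatorConfig hunk is `chcacrt`, while every sibling field uses camelCase (`chScheme`, `chUsername`, `chPassword`, `chCredentialsSecretNamespace`); the tag becomes part of the config file format once released, so it should be `CHCacrt string` with tags `json:"chCacrt" yaml:"chCacrt"` before this merges. Neither this field nor `OperatorConfigClickHouse.Cacrt` in the earlier hunk says what it must contain; a comment such as `// CHCacrt holds the root CA certificate (encoding as parsed by the connection code) used to verify the ClickHouse server certificate when the scheme is https` on both would tell config authors what to paste in. In the normalizeAccessSection hunk the new block writes `defaultChCacrt`, which is the empty string, into an already-empty field, so it is a no-op; that mirrors the sibling fields and is fine, but a one-line comment saying the default is intentionally empty would spare the next reader a search for a hidden value.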
@@ -132,9 +132,9 @@ type ClickHouseFetcher struct {
 }
 // NewClickHouseFetcher creates new clickhouse fetcher object
-func NewClickHouseFetcher(scheme, hostname, username, password string, port int) *ClickHouseFetcher {
+func NewClickHouseFetcher(scheme, hostname, username, password, cacrt string, port int) *ClickHouseFetcher {
 return &ClickHouseFetcher{
- connectionParams: clickhouse.NewConnectionParams(scheme, hostname, username, password, port),
+ connectionParams: clickhouse.NewConnectionParams(scheme, hostname, username, password, cacrt, port),
 }
 }
diff --git a/pkg/apis/metrics/exporter.go b/pkg/apis/metrics/exporter.go
index 25b6f800b..a411cea8e 100644
--- a/pkg/apis/metrics/exporter.go
+++ b/pkg/apis/metrics/exporter.go
@@ -167,6 +167,7 @@ func (e *Exporter) newFetcher(hostname string) *ClickHouseFetcher {
 hostname,
 e.chAccessInfo.Username,
 e.chAccessInfo.Password,
+ e.chAccessInfo.Cacrt,
 e.chAccessInfo.Port,
 ).SetQueryTimeout(e.timeout)
 }
diff --git a/pkg/apis/metrics/type_ch_access_info.go b/pkg/apis/metrics/type_ch_access_info.go
index 63ea7efb0..7d73589a4 100644
--- a/pkg/apis/metrics/type_ch_access_info.go
+++ b/pkg/apis/metrics/type_ch_access_info.go
@@ -19,15 +19,17 @@ type CHAccessInfo struct {
 Scheme string
 Username string
 Password string
+ Cacrt string
 Port int
 }
 // NewCHAccessInfo creates new CHAccessInfo from specified access info
-func NewCHAccessInfo(scheme, username, password string, port int) *CHAccessInfo {
+func NewCHAccessInfo(scheme, username, password, cacrt string, port int) *CHAccessInfo {
 return &CHAccessInfo{
 Scheme: scheme,
 Username: username,
 Password: password,
+ Cacrt: cacrt,
 Port: port,
 }
 }
diff --git a/pkg/controller/chi/worker.go b/pkg/controller/chi/worker.go
index bb89623cf..cf49f4502 100644
--- a/pkg/controller/chi/worker.go
+++ b/pkg/controller/chi/worker.go
@@ -73,6 +73,7 @@ func (c *Controller) newWorker(q queue.PriorityQueue, sys bool) *worker {
 chop.Config().ClickHouse.Access.Scheme,
 chop.Config().ClickHouse.Access.Username,
 chop.Config().ClickHouse.Access.Password,
+ chop.Config().ClickHouse.Access.Cacrt,
 chop.Config().ClickHouse.Access.Port,
 ),
 creator: nil,
diff --git a/pkg/model/clickhouse/cluster.go b/pkg/model/clickhouse/cluster.go
index 2dcb49d57..71c987149 100644
--- a/pkg/model/clickhouse/cluster.go
+++ b/pkg/model/clickhouse/cluster.go
@@ -67,7 +67,7 @@ func (c *Cluster) SetHosts(hosts []string) *Cluster {
 // getConnection gets connection
 func (c *Cluster) getConnection(host string) *Connection {
- return GetPooledDBConnection(NewConnectionParams(c.Scheme, host, c.Username, c.Password, c.Port)).SetLog(c.l)
+ return GetPooledDBConnection(NewConnectionParams(c.Scheme, host, c.Username, c.Password, c.Cacrt, c.Port)).SetLog(c.l)
 }
 // QueryAny walks over all endpoints and runs query sequentially on each of them.
diff --git a/pkg/model/clickhouse/connection.go b/pkg/model/clickhouse/connection.go
index 61a374566..09730d4c3 100644
--- a/pkg/model/clickhouse/connection.go
+++ b/pkg/model/clickhouse/connection.go
@@ -17,6 +17,7 @@ package clickhouse
 import (
 "context"
 "crypto/tls"
+ "crypto/x509"
 databasesql "database/sql"
 "fmt"
 "time"
@@ -68,6 +69,18 @@ func (c *Connection) SetLog(l log.Announcer) *Connection {
 // connect performs connect
 func (c *Connection) connect(ctx context.Context) {
+ //Add certificate if exist
+ if c.params.cacrt != "" {
+ c.l.V(1).Info("suzy trying to see if this gets triggered")
+ certPool := x509.NewCertPool()
+ cert, _ := x509.ParseCertificate([]byte(c.params.cacrt))
+ certPool.AddCert(cert)
+ err := goch.RegisterTLSConfig(tlsSettings, &tls.Config{RootCAs: certPool})
+ if err != nil {
+ c.l.V(1).F().Error("suzy debugging !!! %s", err)
+ }
+ }
+
 c.l.V(2).Info("Establishing connection: %s", c.params.GetDSNWithHiddenCredentials())
 dbConnection, err := databasesql.Open("clickhouse", c.params.GetDSN())
 if err != nil {
diff --git a/pkg/model/clickhouse/connection_params.go b/pkg/model/clickhouse/connection_params.go
index 69274720b..c8d8f6b33 100644
--- a/pkg/model/clickhouse/connection_params.go
+++ b/pkg/model/clickhouse/connection_params.go
@@ -21,9 +21,9 @@ type ConnectionParams struct {
 }
 // NewConnectionParams creates new ConnectionParams
-func NewConnectionParams(scheme, hostname, username, password string, port int) *ConnectionParams {
+func NewConnectionParams(scheme, hostname, username, password, cacrt string, port int) *ConnectionParams {
 return &ConnectionParams{
- NewEndpointCredentials(scheme, hostname, username, password, port),
+ NewEndpointCredentials(scheme, hostname, username, password, cacrt, port),
 NewTimeouts(),
 }
 }
diff --git a/pkg/model/clickhouse/endpoint_credentials.go b/pkg/model/clickhouse/endpoint_credentials.go
index 758683607..0d358f8ff 100644
--- a/pkg/model/clickhouse/endpoint_credentials.go
+++ b/pkg/model/clickhouse/endpoint_credentials.go
@@ -40,6 +40,7 @@ type EndpointCredentials struct {
 hostname string
 username string
 password string
+ cacrt string
 port int
 // Internal generated data
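Review bot: In the connect hunk, `x509.ParseCertificate([]byte(c.params.cacrt))` expects DER bytes and its error is discarded with `_`; a PEM-encoded value, which is what a string-typed config field will normally carry, makes it return a nil certificate, and `certPool.AddCert(nil)` then panics, so the first connection attempt crashes the process instead of failing verification. Use `AppendCertsFromPEM`, which accepts one or more PEM blocks and reports failure as a bool, and drop the two `suzy …` messages, which are leftover development output that should not ship at any log level. `goch.RegisterTLSConfig(tlsSettings, …)` runs on every connect; if `tlsSettings` is a fixed key into the driver's global registry this re-registers the same config per connection and, depending on the driver, may race with connections being opened concurrently, so registering once when the params are built would be cleaner, though that cannot be confirmed from this hunk. connect continues past the hunk; whether a CA that fails to parse should abort the attempt depends on what the rest of the function does with the DSN, but it should at least log at error level rather than proceed silently.
```go
func (c *Connection) connect(ctx context.Context) {
	// Register the configured root CA so the driver verifies the server
	// certificate against it on https endpoints.
	if c.params.cacrt != "" {
		certPool := x509.NewCertPool()
		// The value arrives as a string, so it is expected to be PEM;
		// x509.ParseCertificate needs DER and would yield a nil cert here.
		if !certPool.AppendCertsFromPEM([]byte(c.params.cacrt)) {
			c.l.V(1).F().Error("unable to parse CA certificate from cacrt, server certificate verification is not configured")
		} else if err := goch.RegisterTLSConfig(tlsSettings, &tls.Config{RootCAs: certPool}); err != nil {
			c.l.V(1).F().Error("unable to register TLS config: %s", err)
		}
	}
	// … unchanged: databasesql.Open and the rest of connect …
```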
@@ -48,12 +49,13 @@ type EndpointCredentials struct {
 }
 // NewEndpointCredentials creates new EndpointCredentials object
-func NewEndpointCredentials(scheme, hostname, username, password string, port int) *EndpointCredentials {
+func NewEndpointCredentials(scheme, hostname, username, password, cacrt string, port int) *EndpointCredentials {
 params := &EndpointCredentials{
 scheme: scheme,
 hostname: hostname,
 username: username,
 password: password,
+ cacrt: cacrt,
 port: port,
 }
diff --git a/pkg/model/clickhouse/endpoint_credentials_cluster.go b/pkg/model/clickhouse/endpoint_credentials_cluster.go
index 9b99eed13..7bc4974e8 100644
--- a/pkg/model/clickhouse/endpoint_credentials_cluster.go
+++ b/pkg/model/clickhouse/endpoint_credentials_cluster.go
@@ -19,5 +19,6 @@ type ClusterEndpointCredentials struct {
 Scheme string
 Username string
 Password string
+ Cacrt string
 Port int
 }
diff --git a/pkg/model/schemer.go b/pkg/model/schemer.go
index 1a3c6705e..3054a08e2 100644
--- a/pkg/model/schemer.go
+++ b/pkg/model/schemer.go
@@ -35,11 +35,12 @@ type Schemer struct {
 const ignoredDBs = `'system', 'information_schema', 'INFORMATION_SCHEMA'`
 // NewSchemer creates new Schemer object
-func NewSchemer(scheme, username, password string, port int) *Schemer {
+func NewSchemer(scheme, username, password, cacrt string, port int) *Schemer {
 credentials := &clickhouse.ClusterEndpointCredentials{
 Scheme: scheme,
 Username: username,
 Password: password,
+ Cacrt: cacrt,
 Port: port,
 }
 return &Schemer{