Altinity · sunsingerus · Jul 1, 2022 · May 11, 2022
diff --git a/cmd/metrics_exporter/app/metrics_exporter.go b/cmd/metrics_exporter/app/metrics_exporter.go
@@ -101,6 +101,7 @@ func Run() {
 			chop.Config().ClickHouse.Access.Scheme,
 			chop.Config().ClickHouse.Access.Username,
 			chop.Config().ClickHouse.Access.Password,
+			chop.Config().ClickHouse.Access.Cacrt,
 			chop.Config().ClickHouse.Access.Port,
 		),
 

diff --git a/...-install-bundle/clickhouse-operator-install-yaml-template-01-section-crd-02-chopconf.yaml b/...-install-bundle/clickhouse-operator-install-yaml-template-01-section-crd-02-chopconf.yaml
@@ -116,6 +116,9 @@ spec:
                         password:
                           type: string
                           description: "ClickHouse password to be used by operator to connect to ClickHouse instances, deprecated, use chCredentialsSecretName"
+                        cacrt:
+                          type: string
+                          description: "ClickHouse rootCA certificate authentication to be added to verify ClickHouse Https connection"
                         secret:
                           type: object
                           properties:

diff --git a/deploy/operator/clickhouse-operator-install-ansible.yaml b/deploy/operator/clickhouse-operator-install-ansible.yaml
@@ -2791,6 +2791,9 @@ spec:
                         password:
                           type: string
                           description: "ClickHouse password to be used by operator to connect to ClickHouse instances, deprecated, use chCredentialsSecretName"
+                        cacrt:
+                          type: string
+                          description: "ClickHouse rootCA certificate authentication to be added to verify ClickHouse Https connection"
                         secret:
                           type: object
                           properties:

diff --git a/deploy/operator/clickhouse-operator-install-bundle-v1beta1.yaml b/deploy/operator/clickhouse-operator-install-bundle-v1beta1.yaml
@@ -2756,6 +2756,9 @@ spec:
                     password:
                       type: string
                       description: "ClickHouse password to be used by operator to connect to ClickHouse instances, deprecated, use chCredentialsSecretName"
+                    cacrt:
+                      type: string
+                      description: "ClickHouse rootCA certificate authentication to be added to verify ClickHouse Https connection"
                     secret:
                       type: object
                       properties:

diff --git a/deploy/operator/clickhouse-operator-install-bundle.yaml b/deploy/operator/clickhouse-operator-install-bundle.yaml
@@ -2784,6 +2784,9 @@ spec:
                         password:
                           type: string
                           description: "ClickHouse password to be used by operator to connect to ClickHouse instances, deprecated, use chCredentialsSecretName"
+                        cacrt:
+                          type: string
+                          description: "ClickHouse rootCA certificate authentication to be added to verify ClickHouse Https connection"
                         secret:
                           type: object
                           properties:

diff --git a/deploy/operator/clickhouse-operator-install-template-dev.yaml b/deploy/operator/clickhouse-operator-install-template-dev.yaml
@@ -2769,6 +2769,9 @@ spec:
                         password:
                           type: string
                           description: "ClickHouse password to be used by operator to connect to ClickHouse instances, deprecated, use chCredentialsSecretName"
+                        cacrt:
+                          type: string
+                          description: "ClickHouse rootCA certificate authentication to be added to verify ClickHouse Https connection"
                         secret:
                           type: object
                           properties:

diff --git a/deploy/operator/clickhouse-operator-install-template-v1beta1.yaml b/deploy/operator/clickhouse-operator-install-template-v1beta1.yaml
@@ -2756,6 +2756,9 @@ spec:
                     password:
                       type: string
                       description: "ClickHouse password to be used by operator to connect to ClickHouse instances, deprecated, use chCredentialsSecretName"
+                    cacrt:
+                      type: string
+                      description: "ClickHouse rootCA certificate authentication to be added to verify ClickHouse Https connection"
                     secret:
                       type: object
                       properties:

diff --git a/deploy/operator/clickhouse-operator-install-template.yaml b/deploy/operator/clickhouse-operator-install-template.yaml
@@ -2781,6 +2781,9 @@ spec:
                         username:
                           type: string
                           description: "ClickHouse username to be used by operator to connect to ClickHouse instances, deprecated, use chCredentialsSecretName"
+                        cacrt:
+                          type: string
+                          description: "ClickHouse rootCA certificate authentication to be added to verify ClickHouse Https connection"
                         password:
                           type: string
                           description: "ClickHouse password to be used by operator to connect to ClickHouse instances, deprecated, use chCredentialsSecretName"

diff --git a/deploy/operator/clickhouse-operator-install-tf.yaml b/deploy/operator/clickhouse-operator-install-tf.yaml
@@ -2791,6 +2791,9 @@ spec:
                         password:
                           type: string
                           description: "ClickHouse password to be used by operator to connect to ClickHouse instances, deprecated, use chCredentialsSecretName"
+                        cacrt:
+                          type: string
+                          description: "ClickHouse rootCA certificate authentication to be added to verify ClickHouse Https connection"
                         secret:
                           type: object
                           properties:

diff --git a/deploy/operator/parts/crd.yaml b/deploy/operator/parts/crd.yaml
@@ -2784,6 +2784,9 @@ spec:
                         password:
                           type: string
                           description: "ClickHouse password to be used by operator to connect to ClickHouse instances, deprecated, use chCredentialsSecretName"
+                        cacrt:
+                          type: string
+                          description: "ClickHouse rootCA certificate authentication to be added to verify ClickHouse Https connection"
                         secret:
                           type: object
                           properties:

diff --git a/pkg/apis/clickhouse.altinity.com/v1/type_config_chop.go b/pkg/apis/clickhouse.altinity.com/v1/type_config_chop.go
@@ -55,6 +55,7 @@ const (
 	defaultChUsername = ""
 	defaultChPassword = ""
 	defaultChPort     = 8123
+	defaultChCacrt    = ""
 
 	// defaultReconcileThreadsNumber specifies default number of controller threads running concurrently.
 	// Used in case no other specified in config
@@ -150,6 +151,7 @@ type OperatorConfigClickHouse struct {
 		Scheme   string `json:"scheme" yaml:"scheme"`
 		Username string `json:"username" yaml:"username"`
 		Password string `json:"password" yaml:"password"`
+		Cacrt    string `json:"cacrt" yaml:"cacrt"`
 
 		// Location of k8s Secret with username and password to be used by the operator to connect to ClickHouse instances
 		// Can be used instead of explicitly specified (above) username and password
@@ -329,6 +331,7 @@ type OperatorConfig struct {
 	CHScheme   string `json:"chScheme" yaml:"chScheme"`
 	CHUsername string `json:"chUsername" yaml:"chUsername"`
 	CHPassword string `json:"chPassword" yaml:"chPassword"`
+	CHCacrt    string `json:"chcacrt" yaml:"chcacrt"`
 	// Location of k8s Secret with username and password to be used by operator to connect to ClickHouse instances
 	// Can be used instead of explicitly specified username and password
 	CHCredentialsSecretNamespace string `json:"chCredentialsSecretNamespace" yaml:"chCredentialsSecretNamespace"`
@@ -657,7 +660,9 @@ func (c *OperatorConfig) normalizeAccessSection() {
 	if c.ClickHouse.Access.Password == "" {
 		c.ClickHouse.Access.Password = defaultChPassword
 	}
-
+	if c.ClickHouse.Access.Cacrt == "" {
+		c.ClickHouse.Access.Cacrt = defaultChCacrt
+	}
 	// config.CHCredentialsSecretNamespace
 	// config.CHCredentialsSecretName
 
@@ -956,6 +961,9 @@ func (c *OperatorConfig) move() {
 	if c.CHPassword != "" {
 		c.ClickHouse.Access.Password = c.CHPassword
 	}
+	if c.CHCacrt != "" {
+		c.ClickHouse.Access.Cacrt = c.CHCacrt
+	}
 	// Location of k8s Secret with username and password to be used by operator to connect to ClickHouse instances
 	// Can be used instead of explicitly specified username and password
 	if c.CHCredentialsSecretNamespace != "" {

diff --git a/pkg/apis/metrics/clickhouse_fetcher.go b/pkg/apis/metrics/clickhouse_fetcher.go
@@ -132,9 +132,9 @@ type ClickHouseFetcher struct {
 }
 
 // NewClickHouseFetcher creates new clickhouse fetcher object
-func NewClickHouseFetcher(scheme, hostname, username, password string, port int) *ClickHouseFetcher {
+func NewClickHouseFetcher(scheme, hostname, username, password, cacrt string, port int) *ClickHouseFetcher {
 	return &ClickHouseFetcher{
-		connectionParams: clickhouse.NewConnectionParams(scheme, hostname, username, password, port),
+		connectionParams: clickhouse.NewConnectionParams(scheme, hostname, username, password, cacrt, port),
 	}
 }
 

diff --git a/pkg/apis/metrics/exporter.go b/pkg/apis/metrics/exporter.go
@@ -167,6 +167,7 @@ func (e *Exporter) newFetcher(hostname string) *ClickHouseFetcher {
 		hostname,
 		e.chAccessInfo.Username,
 		e.chAccessInfo.Password,
+		e.chAccessInfo.Cacrt,
 		e.chAccessInfo.Port,
 	).SetQueryTimeout(e.timeout)
 }

diff --git a/pkg/apis/metrics/type_ch_access_info.go b/pkg/apis/metrics/type_ch_access_info.go
@@ -19,15 +19,17 @@ type CHAccessInfo struct {
 	Scheme   string
 	Username string
 	Password string
+	Cacrt    string
 	Port     int
 }
 
 // NewCHAccessInfo creates new CHAccessInfo from specified access info
-func NewCHAccessInfo(scheme, username, password string, port int) *CHAccessInfo {
+func NewCHAccessInfo(scheme, username, password, cacrt string, port int) *CHAccessInfo {
 	return &CHAccessInfo{
 		Scheme:   scheme,
 		Username: username,
 		Password: password,
+		Cacrt:    cacrt,
 		Port:     port,
 	}
 }
diff --git a/pkg/controller/chi/worker.go b/pkg/controller/chi/worker.go
@@ -73,6 +73,7 @@ func (c *Controller) newWorker(q queue.PriorityQueue, sys bool) *worker {
 			chop.Config().ClickHouse.Access.Scheme,
 			chop.Config().ClickHouse.Access.Username,
 			chop.Config().ClickHouse.Access.Password,
+			chop.Config().ClickHouse.Access.Cacrt,
 			chop.Config().ClickHouse.Access.Port,
 		),
 		creator: nil,

diff --git a/pkg/model/clickhouse/cluster.go b/pkg/model/clickhouse/cluster.go
@@ -67,7 +67,7 @@ func (c *Cluster) SetHosts(hosts []string) *Cluster {
 
 // getConnection gets connection
 func (c *Cluster) getConnection(host string) *Connection {
-	return GetPooledDBConnection(NewConnectionParams(c.Scheme, host, c.Username, c.Password, c.Port)).SetLog(c.l)
+	return GetPooledDBConnection(NewConnectionParams(c.Scheme, host, c.Username, c.Password, c.Cacrt, c.Port)).SetLog(c.l)
 }
 
 // QueryAny walks over all endpoints and runs query sequentially on each of them.

diff --git a/pkg/model/clickhouse/connection.go b/pkg/model/clickhouse/connection.go
@@ -17,6 +17,7 @@ package clickhouse
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	databasesql "database/sql"
 	"fmt"
 	"time"
@@ -68,6 +69,18 @@ func (c *Connection) SetLog(l log.Announcer) *Connection {
 
 // connect performs connect
 func (c *Connection) connect(ctx context.Context) {
+	//Add certificate if exist
+	if c.params.cacrt != "" {
+		c.l.V(1).Info("suzy trying to see if this gets triggered")
+		certPool := x509.NewCertPool()
+		cert, _ := x509.ParseCertificate([]byte(c.params.cacrt))
+		certPool.AddCert(cert)
+		err := goch.RegisterTLSConfig(tlsSettings, &tls.Config{RootCAs: certPool})
+		if err != nil {
+			c.l.V(1).F().Error("suzy debugging !!! %s", err)
+		}
+	}
+
 	c.l.V(2).Info("Establishing connection: %s", c.params.GetDSNWithHiddenCredentials())
 	dbConnection, err := databasesql.Open("clickhouse", c.params.GetDSN())
 	if err != nil {

diff --git a/pkg/model/clickhouse/connection_params.go b/pkg/model/clickhouse/connection_params.go
@@ -21,9 +21,9 @@ type ConnectionParams struct {
 }
 
 // NewConnectionParams creates new ConnectionParams
-func NewConnectionParams(scheme, hostname, username, password string, port int) *ConnectionParams {
+func NewConnectionParams(scheme, hostname, username, password, cacrt string, port int) *ConnectionParams {
 	return &ConnectionParams{
-		NewEndpointCredentials(scheme, hostname, username, password, port),
+		NewEndpointCredentials(scheme, hostname, username, password, cacrt, port),
 		NewTimeouts(),
 	}
 }
diff --git a/pkg/model/clickhouse/endpoint_credentials.go b/pkg/model/clickhouse/endpoint_credentials.go
@@ -40,6 +40,7 @@ type EndpointCredentials struct {
 	hostname string
 	username string
 	password string
+	cacrt    string
 	port     int
 
 	// Internal generated data
@@ -48,12 +49,13 @@ type EndpointCredentials struct {
 }
 
 // NewEndpointCredentials creates new EndpointCredentials object
-func NewEndpointCredentials(scheme, hostname, username, password string, port int) *EndpointCredentials {
+func NewEndpointCredentials(scheme, hostname, username, password, cacrt string, port int) *EndpointCredentials {
 	params := &EndpointCredentials{
 		scheme:   scheme,
 		hostname: hostname,
 		username: username,
 		password: password,
+		cacrt:    cacrt,
 		port:     port,
 	}
 

diff --git a/pkg/model/clickhouse/endpoint_credentials_cluster.go b/pkg/model/clickhouse/endpoint_credentials_cluster.go
@@ -19,5 +19,6 @@ type ClusterEndpointCredentials struct {
 	Scheme   string
 	Username string
 	Password string
+	Cacrt    string
 	Port     int
 }
diff --git a/pkg/model/schemer.go b/pkg/model/schemer.go
@@ -35,11 +35,12 @@ type Schemer struct {
 const ignoredDBs = `'system', 'information_schema', 'INFORMATION_SCHEMA'`
 
 // NewSchemer creates new Schemer object
-func NewSchemer(scheme, username, password string, port int) *Schemer {
+func NewSchemer(scheme, username, password, cacrt string, port int) *Schemer {
 	credentials := &clickhouse.ClusterEndpointCredentials{
 		Scheme:   scheme,
 		Username: username,
 		Password: password,
+		Cacrt: 	  cacrt,
 		Port:     port,
 	}
 	return &Schemer{