Add ClickHouse server TLS option

Signed-off-by: Yanjun Zhou <[email protected]>

build/charts/theia/README.md

@@ -38,6 +38,14 @@ Kubernetes: `>= 1.16.0-0`
 | clickhouse.monitor.skipRoundsNum | int | `3` | The number of rounds for the monitor to stop after a deletion to wait for the ClickHouse MergeTree Engine to release memory. |
 | clickhouse.monitor.threshold | float | `0.5` | The storage percentage at which the monitor starts to delete old records. Vary from 0 to 1. |
 | clickhouse.service.httpPort | int | `8123` | HTTP port number for the ClickHouse service. |
+| clickhouse.service.secureConnection.commonName | string | `"clickhouse-clickhouse.flow-visibility.svc"` | Common name to use in the certificate. This is ignored if selfSignedCert is false. |
+| clickhouse.service.secureConnection.daysValid | int | `365` | Number of days for which the certificate will be valid. There is no automatic rotation with this method. This is ignored if selfSignedCert is false. |
+| clickhouse.service.secureConnection.dnsNames | list | `[]` | DNS names to use in the certificate. This is ignored if selfSignedCert is false. |
+| clickhouse.service.secureConnection.enable | bool | `false` | Determine whether to enable secure connection to ClickHouse |
+| clickhouse.service.secureConnection.httpsPort | int | `8443` | HTTP port number for the ClickHouse service. |
+| clickhouse.service.secureConnection.ipAddresses | list | `[]` | IP addresses to use in the certificate. This is ignored if selfSignedCert is false. |
+| clickhouse.service.secureConnection.secureTcpPort | int | `9440` | TCP port number for the ClickHouse service. |
+| clickhouse.service.secureConnection.selfSignedCert | bool | `true` | Indicates whether to use auto-generated self-signed TLS certificates. If false, a Secret named "clickhouse-tls" must be provided with the following keys: ca.crt, tls.crt, tls.key. |
 | clickhouse.service.tcpPort | int | `9000` | TCP port number for the ClickHouse service. |
 | clickhouse.service.type | string | `"ClusterIP"` | The type of Service exposing ClickHouse. It can be one of ClusterIP, NodePort or LoadBalancer. |
 | clickhouse.storage.createPersistentVolume.local.affinity | object | `{}` | Affinity for the Local PersistentVolume. By default it requires to label the Node used to store the ClickHouse data with "antrea.io/clickhouse-data-node=". |

build/charts/theia/provisioning/tls/dhparam.pem

@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEA2kXNnoHdFVUbwHJb17JTNNrNdUqQdbq/gZvEtPsNNoqVc8zLfrKC
+yV0qwOd24+FCn4h+5RE+pDgikH4AIzQmfDI3Nmc5DpARUdmTJau5dhCT+J0zc+FF
+smKuiN0ApHabnB+WN/EHJy0e20oiVgYefYCXjZWogK9FG6YNFDhhm+n3RAq/hclI
+TKcLAW/8tvvJjwVi3dSWPXFtIgwY/DUhct+VbFer0YYCb2k8MBs2Pjl51Pz0u8a9
+T/Y7JKYA5GNlQSFYpmnxb/cR4BOES5ZMH7nBAsjiSn9UUo9DbM5gf8zIesuYnnw9
+wY+OvrjK0o1nEXGycWBIfpAg89i77asWCqq139XN6JcG4nCJWGusrp+6Pw3Bwwah
+UiCrYZVldSIeEsy3ueqVouO7fhLrjbf6nDDBcanSwYniKvRsrxIfBZ9ho3d0PzS/
+kEAe9CPW9SD2P/4LGNDy46YRg9hMFWdJ+1N5Rr9PosAWKvJ0Y2zkk6ihOH4mr9e3
+f2rJISke3z61GAUEB9PokNSbmHIrO9NLnifBhMXoFmdRWZIWJFz9MI5lEHEnt2sz
+ig9vSlva+K4o2GxgIKekLE+DjBL6SjBKPuQxSyw4O6SIOyMEv7mPJLAj/lJ+4KQM
+jQDvgtdWzrZSAVMO+tmT61Jjjs7XvL1U7cmnc9Llxusxlt2bdAxmafsCAQI=
+-----END DH PARAMETERS-----

build/charts/theia/provisioning/tls/settings.xml

@@ -0,0 +1,16 @@
+<yandex>
+  <https_port>{{ .Values.clickhouse.service.secureConnection.httpsPort }}</https_port>
+  <tcp_port_secure>{{ .Values.clickhouse.service.secureConnection.secureTcpPort }}</tcp_port_secure>
+  <openSSL>
+    <server>
+      <certificateFile>/opt/certs/tls.crt</certificateFile>
+      <privateKeyFile>/opt/certs/tls.key</privateKeyFile>
+      <dhParamsFile>/etc/clickhouse-server/config.d/dhparam.pem</dhParamsFile>
+      <verificationMode>none</verificationMode>
+      <loadDefaultCAFile>true</loadDefaultCAFile>
+      <cacheSessions>true</cacheSessions>
+      <disableProtocols>sslv2,sslv3</disableProtocols>
+      <preferServerCiphers>true</preferServerCiphers>
+    </server>
+  </openSSL>
+</yandex>

build/charts/theia/templates/_helpers.tpl

@@ -37,12 +37,21 @@
 {{- $clickhouse := .clickhouse }}
 {{- $enablePV := .enablePV }}
 {{- $Chart := .Chart }}
+{{- $tls := .clickhouse.service.secureConnection }}
 - name: clickhouse
   image: {{ include "clickHouseServerImage" . | quote }}
   imagePullPolicy: {{ $clickhouse.image.pullPolicy }}
   volumeMounts:
     - name: clickhouse-configmap-volume
       mountPath: /docker-entrypoint-initdb.d
+    {{- if $tls.enable }}
+    - name: clickhouse-tls
+      mountPath: /opt/certs/tls.crt
+      subPath: tls.crt
+    - name: clickhouse-tls
+      mountPath: /opt/certs/tls.key
+      subPath: tls.key
+    {{- end }}
     {{- if not $enablePV }}
     - name: clickhouse-storage-volume
       mountPath: /var/lib/clickhouse
@@ -68,6 +77,7 @@
 
 {{- define "clickhouse.volume" }}
 {{- $clickhouse := .clickhouse }}
+{{- $tls := .clickhouse.service.secureConnection }}
 {{- $enablePV := .enablePV }}
 {{- $Files := .Files }}
 - name: clickhouse-configmap-volume
@@ -82,6 +92,12 @@
       - key: {{ regexReplaceAll "(.*)/" $path "" }}
         path: migrators/{{ regexReplaceAll "(.*)/" $path "" }}
       {{- end }}
+{{- if $tls.enable }}
+- name: clickhouse-tls
+  secret:
+    secretName: clickhouse-tls
+    optional: true
+{{- end }}
 {{- if not $enablePV }}
 - name: clickhouse-storage-volume
   emptyDir:
@@ -90,6 +106,14 @@
 {{- end }}
 {{- end }}
 
+{{- define "clickhouse.tlsConfig" -}}
+{{- $Files := .Files }}
+{{- $Global := .Global }}
+{{- range $path, $_ :=  .Files.Glob  "provisioning/tls/*" }}
+{{ regexReplaceAll "(.*)/" $path "" }}: |
+{{ tpl ($.Files.Get $path) $Global | indent 2 }}
+{{- end }}
+{{- end -}}
 
 {{- define "theiaImageTag" -}}
 {{- $tag := .tag -}}

build/charts/theia/templates/clickhouse/clickhouseinstallation.yaml

@@ -16,8 +16,20 @@ spec:
       {{ .Values.clickhouse.connectionSecret.readOnlyUsername }}/networks/ip: "::/0"
     profiles:
       readonly/readonly: 1
+    {{- if .Values.clickhouse.service.secureConnection.enable }}
+    files:
+      {{- include "clickhouse.tlsConfig" (dict "Files" .Files "Global" .) | indent 6 }}
+    {{- end }}
     clusters:
       - name: "clickhouse"
+        {{- if .Values.clickhouse.service.secureConnection.enable }}
+        secure: "yes"
+        settings:
+          tcp_port: {{ .Values.clickhouse.service.tcpPort }} # keep for localhost
+          tcp_port_secure: {{ .Values.clickhouse.service.secureConnection.secureTcpPort }}
+          https_port: {{ .Values.clickhouse.service.secureConnection.httpsPort }}
+          http_port: {{ .Values.clickhouse.service.httpPort }}
+        {{- end }}
         layout:
           {{- if gt (int .Values.clickhouse.cluster.replicas) 1 }}
           shards:
@@ -68,6 +80,12 @@ spec:
               port: {{ .Values.clickhouse.service.httpPort }}
             - name: tcp
               port: {{ .Values.clickhouse.service.tcpPort }}
+            {{- if .Values.clickhouse.service.secureConnection.enable }}
+            - name: https
+              port: {{ .Values.clickhouse.service.secureConnection.httpsPort }}
+            - name: secureclient
+              port: {{ .Values.clickhouse.service.secureConnection.secureTcpPort }}
+            {{- end }}
     podTemplates:
       {{- if gt (int .Values.clickhouse.cluster.replicas) 1 }}
       - name: pod-template-without-monitor

build/charts/theia/templates/clickhouse/secret.yaml

@@ -1,3 +1,28 @@
+{{- $tls := .Values.clickhouse.service.secureConnection }}
+{{- if and $tls.enable $tls.selfSignedCert }}
+{{- $cert := genSelfSignedCert $tls.commonName $tls.ipAddresses (uniq (append $tls.dnsNames $tls.commonName)) ($tls.daysValid | int) }}
+{{- $certPEM := $cert.Cert | b64enc }}
+{{- $keyPEM := $cert.Key | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/tls
+metadata:
+  name: clickhouse-tls
+  namespace: {{ .Release.Namespace }}
+data:
+  tls.crt: {{ $certPEM | quote }}
+  tls.key: {{ $keyPEM | quote }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: clickhouse-ca
+  namespace: {{ .Release.Namespace }}
+data:
+  ca.crt: {{ $certPEM | quote }}
+{{- end }}
+---
 apiVersion: v1
 kind: Secret
 metadata:

build/charts/theia/values.yaml

@@ -47,6 +47,37 @@ clickhouse:
     tcpPort: 9000
     # -- HTTP port number for the ClickHouse service.
     httpPort: 8123
+    # As ClickHouse Operator currently does not support the cert management,
+    # we recommend to use Ingress or Load Balancer to expose ClickHouse securely.
+    # But we also provide this option to provide the secure connection from
+    # ClickHouse server end. To use this option, please generate and rotate
+    # the certs manually. Please save these 3 files under under provisioning/tls.
+    # dhparam.pem saves the DH parameter used for connection.
+    # server.crt saves the server Certificated for connection.
+    # server.key saves the server private key for connection.
+    secureConnection:
+      # -- Determine whether to enable secure connection to ClickHouse
+      enable: false
+      # -- TCP port number for the ClickHouse service.
+      secureTcpPort: 9440
+      # -- HTTP port number for the ClickHouse service.
+      httpsPort: 8443
+      # -- Indicates whether to use auto-generated self-signed TLS certificates.
+      # If false, a Secret named "clickhouse-tls" must be provided with the
+      # following keys: ca.crt, tls.crt, tls.key.
+      selfSignedCert: true
+      # -- Common name to use in the certificate. This is ignored if selfSignedCert
+      # is false.
+      commonName: "clickhouse-clickhouse.flow-visibility.svc"
+      # -- IP addresses to use in the certificate. This is ignored if selfSignedCert
+      # is false.
+      ipAddresses: []
+      # -- DNS names to use in the certificate. This is ignored if selfSignedCert
+      # is false.
+      dnsNames: []
+      # -- Number of days for which the certificate will be valid. There is no automatic
+      # rotation with this method. This is ignored if selfSignedCert is false.
+      daysValid: 365
   # -- Time to live for data in the ClickHouse. Can be a plain integer using
   # one of these unit suffixes SECOND, MINUTE, HOUR, DAY, WEEK, MONTH, QUARTER,
   # YEAR.