diff --git a/build/charts/theia/README.md b/build/charts/theia/README.md
index f198cefc..f0238357 100644
--- a/build/charts/theia/README.md
+++ b/build/charts/theia/README.md
@@ -38,6 +38,14 @@ Kubernetes: `>= 1.16.0-0`
 | clickhouse.monitor.skipRoundsNum | int | `3` | The number of rounds for the monitor to stop after a deletion to wait for the ClickHouse MergeTree Engine to release memory. |
 | clickhouse.monitor.threshold | float | `0.5` | The storage percentage at which the monitor starts to delete old records. Vary from 0 to 1. |
 | clickhouse.service.httpPort | int | `8123` | HTTP port number for the ClickHouse service. |
+| clickhouse.service.secureConnection.commonName | string | `"clickhouse-clickhouse.flow-visibility.svc"` | Common name to use in the certificate. This is ignored if selfSignedCert is false. |
+| clickhouse.service.secureConnection.daysValid | int | `365` | Number of days for which the certificate will be valid. There is no automatic rotation with this method. This is ignored if selfSignedCert is false. |
+| clickhouse.service.secureConnection.dnsNames | list | `[]` | DNS names to use in the certificate. This is ignored if selfSignedCert is false. |
+| clickhouse.service.secureConnection.enable | bool | `false` | Determine whether to enable secure connection to ClickHouse |
+| clickhouse.service.secureConnection.httpsPort | int | `8443` | HTTP port number for the ClickHouse service. |
+| clickhouse.service.secureConnection.ipAddresses | list | `[]` | IP addresses to use in the certificate. This is ignored if selfSignedCert is false. |
+| clickhouse.service.secureConnection.secureTcpPort | int | `9440` | TCP port number for the ClickHouse service. |
+| clickhouse.service.secureConnection.selfSignedCert | bool | `true` | Indicates whether to use auto-generated self-signed TLS certificates. If false, a Secret named "clickhouse-tls" must be provided with the following keys: ca.crt, tls.crt, tls.key. |
 | clickhouse.service.tcpPort | int | `9000` | TCP port number for the ClickHouse service. |
 | clickhouse.service.type | string | `"ClusterIP"` | The type of Service exposing ClickHouse. 
It can be one of ClusterIP, NodePort or LoadBalancer. |
 | clickhouse.storage.createPersistentVolume.local.affinity | object | `{}` | Affinity for the Local PersistentVolume. By default it requires to label the Node used to store the ClickHouse data with "antrea.io/clickhouse-data-node=". |
diff --git a/build/charts/theia/provisioning/tls/dhparam.pem b/build/charts/theia/provisioning/tls/dhparam.pem
new file mode 100644
index 00000000..ed12cc84
--- /dev/null
+++ b/build/charts/theia/provisioning/tls/dhparam.pem
@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEA2kXNnoHdFVUbwHJb17JTNNrNdUqQdbq/gZvEtPsNNoqVc8zLfrKC
+yV0qwOd24+FCn4h+5RE+pDgikH4AIzQmfDI3Nmc5DpARUdmTJau5dhCT+J0zc+FF
+smKuiN0ApHabnB+WN/EHJy0e20oiVgYefYCXjZWogK9FG6YNFDhhm+n3RAq/hclI
+TKcLAW/8tvvJjwVi3dSWPXFtIgwY/DUhct+VbFer0YYCb2k8MBs2Pjl51Pz0u8a9
+T/Y7JKYA5GNlQSFYpmnxb/cR4BOES5ZMH7nBAsjiSn9UUo9DbM5gf8zIesuYnnw9
+wY+OvrjK0o1nEXGycWBIfpAg89i77asWCqq139XN6JcG4nCJWGusrp+6Pw3Bwwah
+UiCrYZVldSIeEsy3ueqVouO7fhLrjbf6nDDBcanSwYniKvRsrxIfBZ9ho3d0PzS/
+kEAe9CPW9SD2P/4LGNDy46YRg9hMFWdJ+1N5Rr9PosAWKvJ0Y2zkk6ihOH4mr9e3
+f2rJISke3z61GAUEB9PokNSbmHIrO9NLnifBhMXoFmdRWZIWJFz9MI5lEHEnt2sz
+ig9vSlva+K4o2GxgIKekLE+DjBL6SjBKPuQxSyw4O6SIOyMEv7mPJLAj/lJ+4KQM
+jQDvgtdWzrZSAVMO+tmT61Jjjs7XvL1U7cmnc9Llxusxlt2bdAxmafsCAQI=
+-----END DH PARAMETERS-----
diff --git a/build/charts/theia/provisioning/tls/settings.xml b/build/charts/theia/provisioning/tls/settings.xml
new file mode 100644
index 00000000..25b92188
--- /dev/null
+++ b/build/charts/theia/provisioning/tls/settings.xml
@@ -0,0 +1,16 @@
+
+ {{ .Values.clickhouse.service.secureConnection.httpsPort }}
+ {{ .Values.clickhouse.service.secureConnection.secureTcpPort }}
+
+
+ /opt/certs/tls.crt
+ /opt/certs/tls.key
+ /etc/clickhouse-server/config.d/dhparam.pem
+ none
+ true
+ true
+ sslv2,sslv3
+ true
+
+
+
diff --git a/build/charts/theia/templates/_helpers.tpl b/build/charts/theia/templates/_helpers.tpl
index def9bc77..166aa764 100644
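Review bot: The protocol-disable entry in the new openSSL server block carries only `sslv2,sslv3`, so TLS 1.0 and 1.1 remain negotiable on the secure ports this file opens; element names are stripped in this rendering, but if that line is `disableProtocols` it should read `sslv2,sslv3,tlsv1,tlsv1_1` so that only TLS 1.2 and later are offered. The certificate and key paths `/opt/certs/tls.crt` and `/opt/certs/tls.key` match the subPath mounts added in _helpers.tpl, but `/etc/clickhouse-server/config.d/dhparam.pem` relies on the operator placing `files:` entries under config.d, which deserves a comment naming that assumption. The `none` value (presumably the verification mode) is the expected setting for a server that does not request client certificates; a one-line comment saying so would stop a reader from reading it as a misconfiguration.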
--- a/build/charts/theia/templates/_helpers.tpl
+++ b/build/charts/theia/templates/_helpers.tpl
@@ -37,12 +37,21 @@
 {{- $clickhouse := .clickhouse }}
 {{- $enablePV := .enablePV }}
 {{- $Chart := .Chart }}
+{{- $tls := .clickhouse.service.secureConnection }}
 - name: clickhouse
 image: {{ include "clickHouseServerImage" . | quote }}
 imagePullPolicy: {{ $clickhouse.image.pullPolicy }}
 volumeMounts:
 - name: clickhouse-configmap-volume
 mountPath: /docker-entrypoint-initdb.d
+ {{- if $tls.enable }}
+ - name: clickhouse-tls
+ mountPath: /opt/certs/tls.crt
+ subPath: tls.crt
+ - name: clickhouse-tls
+ mountPath: /opt/certs/tls.key
+ subPath: tls.key
+ {{- end }}
 {{- if not $enablePV }}
 - name: clickhouse-storage-volume
 mountPath: /var/lib/clickhouse
@@ -68,6 +77,7 @@ {{- define "clickhouse.volume" }} {{- $clickhouse := .clickhouse }} +{{- $tls := .clickhouse.service.secureConnection }} {{- $enablePV := .enablePV }} {{- $Files := .Files }} - name: clickhouse-configmap-volume
@@ -82,6 +92,12 @@
 - key: {{ regexReplaceAll "(.*)/" $path "" }}
 path: migrators/{{ regexReplaceAll "(.*)/" $path "" }}
 {{- end }}
+{{- if $tls.enable }}
+- name: clickhouse-tls
+ secret:
+ secretName: clickhouse-tls
+ optional: true
+{{- end }}
 {{- if not $enablePV }}
 - name: clickhouse-storage-volume
 emptyDir:
@@ -90,6 +106,14 @@ {{- end }} {{- end }} +{{- define "clickhouse.tlsConfig" -}} +{{- $Files := .Files }} +{{- $Global := .Global }} +{{- range $path, $_ := .Files.Glob "provisioning/tls/*" }} +{{ regexReplaceAll "(.*)/" $path "" }}: | +{{ tpl ($.Files.Get $path) $Global | indent 2 }} +{{- end }} +{{- end -}} {{- define "theiaImageTag" -}} {{- $tag := .tag -}}
diff --git a/build/charts/theia/templates/clickhouse/clickhouseinstallation.yaml b/build/charts/theia/templates/clickhouse/clickhouseinstallation.yaml
index 38781ea8..9df37330 100644
--- a/build/charts/theia/templates/clickhouse/clickhouseinstallation.yaml
+++ b/build/charts/theia/templates/clickhouse/clickhouseinstallation.yaml
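Review bot: The two new `clickhouse-tls` mounts in the first hunk use `subPath`, and Kubernetes does not propagate Secret updates into subPath mounts, so a rotated or regenerated certificate only takes effect once the pod is recreated. Because secret.yaml generates the key pair at render time, every upgrade would leave running pods serving the previous certificate until they restart; either mount the Secret as a directory under `/opt/certs` without `subPath`, or add next to the mounts `# subPath mounts are not refreshed when the Secret changes; pods must be restarted after rotation`. The define this hunk belongs to begins before the hunk.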
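Review bot: `optional: true` on the `clickhouse-tls` Secret volume in the third hunk turns a missing user-supplied Secret (the `selfSignedCert: false` path) into an empty mount instead of a clear "secret not found" pod event, so ClickHouse is started with TLS enabled but without its certificate files and the failure surfaces later and less obviously. The volume is only rendered when `$tls.enable` is set, so a hard failure is the desired behaviour and the `optional: true` line should be dropped. The values.yaml text also says the user-provided Secret must contain `ca.crt`, yet nothing in this file mounts that key, so either the documented requirement or the mounts should be brought in line.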
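Review bot: `{{- $Files := .Files }}` in the new `clickhouse.tlsConfig` define is assigned but never used, since the range reads `.Files.Glob` and `$.Files.Get`; remove it, or use `$Files` in both places to match the `$Files := .Files` pattern of `clickhouse.volume`. The glob `provisioning/tls/*` also pipes every file in that directory through `tpl`, including the static `dhparam.pem`, so a `{{` in any future file there would be rendered rather than copied; a comment such as `{{- /* every file under provisioning/tls is rendered with tpl; keep non-template files free of {{ }} */ -}}` would record that contract. Two context lines of this hunk are not visible in this rendering.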
@@ -16,8 +16,20 @@ spec:
 {{ .Values.clickhouse.connectionSecret.readOnlyUsername }}/networks/ip: "::/0"
 profiles:
 readonly/readonly: 1
+ {{- if .Values.clickhouse.service.secureConnection.enable }}
+ files:
+ {{- include "clickhouse.tlsConfig" (dict "Files" .Files "Global" .) | indent 6 }}
+ {{- end }}
 clusters:
 - name: "clickhouse"
+ {{- if .Values.clickhouse.service.secureConnection.enable }}
+ secure: "yes"
+ settings:
+ tcp_port: {{ .Values.clickhouse.service.tcpPort }} # keep for localhost
+ tcp_port_secure: {{ .Values.clickhouse.service.secureConnection.secureTcpPort }}
+ https_port: {{ .Values.clickhouse.service.secureConnection.httpsPort }}
+ http_port: {{ .Values.clickhouse.service.httpPort }}
+ {{- end }}
 layout:
 {{- if gt (int .Values.clickhouse.cluster.replicas) 1 }}
 shards:
@@ -68,6 +80,12 @@ spec:
 port: {{ .Values.clickhouse.service.httpPort }}
 - name: tcp
 port: {{ .Values.clickhouse.service.tcpPort }}
+ {{- if .Values.clickhouse.service.secureConnection.enable }}
+ - name: https
+ port: {{ .Values.clickhouse.service.secureConnection.httpsPort }}
+ - name: secureclient
+ port: {{ .Values.clickhouse.service.secureConnection.secureTcpPort }}
+ {{- end }}
 podTemplates:
 {{- if gt (int .Values.clickhouse.cluster.replicas) 1 }}
 - name: pod-template-without-monitor
diff --git a/build/charts/theia/templates/clickhouse/secret.yaml b/build/charts/theia/templates/clickhouse/secret.yaml
index ba1ec108..13671e01 100644
--- a/build/charts/theia/templates/clickhouse/secret.yaml
+++ b/build/charts/theia/templates/clickhouse/secret.yaml
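Review bot: With `secureConnection.enable` set, the plaintext `tcp_port` and `http_port` stay configured in the first hunk and the second hunk keeps the plaintext `http` and `tcp` Service ports next to the new `https` and `secureclient` ones, so enabling the option adds TLS endpoints without removing the unencrypted ones; the inline comment `# keep for localhost` suggests a local-only listener, but the Service still exposes both ports cluster-wide. Either the description of `enable` in values.yaml should state that plaintext ports remain reachable, or the plaintext Service ports should be rendered only when the option is off. At minimum the comment should read `# plaintext port kept for local/operator access; still exposed via the Service` so the trade-off is visible.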
@@ -1,3 +1,28 @@
+{{- $tls := .Values.clickhouse.service.secureConnection }}
+{{- if and $tls.enable $tls.selfSignedCert }}
+{{- $cert := genSelfSignedCert $tls.commonName $tls.ipAddresses (uniq (append $tls.dnsNames $tls.commonName)) ($tls.daysValid | int) }}
+{{- $certPEM := $cert.Cert | b64enc }}
+{{- $keyPEM := $cert.Key | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/tls
+metadata:
+ name: clickhouse-tls
+ namespace: {{ .Release.Namespace }}
+data:
+ tls.crt: {{ $certPEM | quote }}
+ tls.key: {{ $keyPEM | quote }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: clickhouse-ca
+ namespace: {{ .Release.Namespace }}
+data:
+ ca.crt: {{ $certPEM | quote }}
+{{- end }}
+---
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/build/charts/theia/values.yaml b/build/charts/theia/values.yaml
index 279f1f83..dbdc8547 100644
--- a/build/charts/theia/values.yaml
+++ b/build/charts/theia/values.yaml
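Review bot: `genSelfSignedCert` on the `$cert` line runs on every render, so each `helm upgrade` produces a fresh key pair and rewrites both `clickhouse-tls` and `clickhouse-ca`; this is an implicit rotation the `daysValid` description ("no automatic rotation") does not mention, and any client that pinned the previous `ca.crt` loses trust until it reloads. If reuse across upgrades is intended, `lookup "v1" "Secret" .Release.Namespace "clickhouse-tls"` can return the existing data before falling back to generation (noting that `lookup` is empty under `helm template`); otherwise a comment on the `$cert` line should say the certificate is regenerated on every release. The names `$certPEM` and `$keyPEM` hold base64-encoded values rather than PEM, so `$certB64` and `$keyB64` would describe them more accurately.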
@@ -47,6 +47,37 @@ clickhouse:
 tcpPort: 9000
 # -- HTTP port number for the ClickHouse service.
 httpPort: 8123
+ # As ClickHouse Operator currently does not support the cert management,
+ # we recommend to use Ingress or Load Balancer to expose ClickHouse securely.
+ # But we also provide this option to provide the secure connection from
+ # ClickHouse server end. To use this option, please generate and rotate
+ # the certs manually. Please save these 3 files under under provisioning/tls.
+ # dhparam.pem saves the DH parameter used for connection.
+ # server.crt saves the server Certificated for connection.
+ # server.key saves the server private key for connection.
+ secureConnection:
+ # -- Determine whether to enable secure connection to ClickHouse
+ enable: false
+ # -- TCP port number for the ClickHouse service.
+ secureTcpPort: 9440
+ # -- HTTP port number for the ClickHouse service.
+ httpsPort: 8443
+ # -- Indicates whether to use auto-generated self-signed TLS certificates.
+ # If false, a Secret named "clickhouse-tls" must be provided with the
+ # following keys: ca.crt, tls.crt, tls.key.
+ selfSignedCert: true
+ # -- Common name to use in the certificate. This is ignored if selfSignedCert
+ # is false.
+ commonName: "clickhouse-clickhouse.flow-visibility.svc"
+ # -- IP addresses to use in the certificate. This is ignored if selfSignedCert
+ # is false.
+ ipAddresses: []
+ # -- DNS names to use in the certificate. This is ignored if selfSignedCert
+ # is false.
+ dnsNames: []
+ # -- Number of days for which the certificate will be valid. There is no automatic
+ # rotation with this method. This is ignored if selfSignedCert is false.
+ daysValid: 365
 # -- Time to live for data in the ClickHouse. Can be a plain integer using
 # one of these unit suffixes SECOND, MINUTE, HOUR, DAY, WEEK, MONTH, QUARTER,
 # YEAR.
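Review bot: The comment block above `secureConnection:` describes a different mechanism than the one the chart implements: it tells the user to place `server.crt` and `server.key` under `provisioning/tls`, while the templates read `tls.crt`/`tls.key` from the `clickhouse-tls` Secret and the directory ships only `dhparam.pem` and `settings.xml`, so the three-file instructions should be rewritten to describe the Secret (and `under under` and `Certificated` fixed). The `secureTcpPort` and `httpsPort` descriptions are copies of the plaintext ones and surface verbatim in the generated README; `# -- TCP port number for the TLS-protected native protocol.` and `# -- HTTPS port number for the ClickHouse service.` would tell them apart. The `commonName` default hardcodes the `flow-visibility` namespace, so an install into any other namespace gets a certificate whose CN does not match the Service name; the description should say so, or the template should derive it from `.Release.Namespace`.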