PMM-14118 Use a pre-generated dhparam.pem file

Author: ademidoff

build/ansible/roles/clickhouse/files/dhparam.pem

@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICDAKCAgEAq+0HHfksNBJ9CslMoQ5n0VuQSikNJdT/ryr6IjKsXxZH9t7+WXEQ
+GYmvRHP52f8t0GBTuJxkPX4OuWFhMZCSac0QtYxBiT1BnHScUptZaScR4n4Nia0d
+FK7ejd1a8LlMXg+Xf1iZLVlDB+xgJw6oFEP6zmAfQy6z0iKiFEYW6WoSGHHzwNQX
+FCY4PMlvq0MuBH87d1pGbsKxkEtpAreCaSRiLSI+me7y4S1FkBNrKaoIzBgyZFCe
+zCcA0o35DWMucbVHXbzXE4fdZhKuorQoRMhkWZ6kHn0tmhhUILG5j7R/M5dz/cYt
+sBImy4SmNhmx3G+u+lAxfELhWf1bVJ22c3EOGmzl0eUSRhWXIxiLV6tqbHLTAvFF
+Ny14H7ewVOYrPVTm/1uw1uC4EesNR7nAW81H3vscIKCt4R4zSPxaayN+Du8OKbpn
+tE2iXaeOcRwTRs8NbLTJA/9CwOd7XcYY+YGBzgJvC6gzRvwt8wLf2M5Njiv9MFGK
++4bGlk6WHx2wKr3St0ahv4ga4N2nVwMyZrNVFJ5Ai7g5SOMl7pYB2wEJ3FAtelDe
+JGjiDNn7qres9pnMfnMFfildZ5vwulcYGHuz0+uDcLq1v4PCvoA8huzfwRKcRJkK
+feZsurABRZZCIwLxLgvULfmzVWCj/j271OfEaUCLORR5ut+BMdT/2V8CAQICAgFF
+-----END DH PARAMETERS-----

build/ansible/roles/clickhouse/tasks/main.yml

@@ -19,12 +19,6 @@
     enablerepo: clickhouse
   ignore_errors: "{{ ansible_check_mode }}" # We don't have clickhouse repo when we run ansible with --check
 
-- name: Generate DH params
-  command: openssl dhparam -out /etc/clickhouse-server/dhparam.pem 4096
-  args:
-    creates: /etc/clickhouse-server/dhparam.pem
-  no_log: true
-
 - name: Generate SSL certificates
   command: openssl req -new -newkey rsa:2048 -days 1095 -nodes -x509 -subj "/CN=localhost" -keyout /etc/clickhouse-server/server.key -out /etc/clickhouse-server/server.crt
   args:
@@ -46,7 +40,7 @@
     - /var/log/clickhouse-server
     - /run/clickhouse-server
 
-- name: Copy customized clickhouse config files
+- name: Copy customized clickhouse config files and dhparam.pem
   copy:
     src: "{{ item }}"
     dest: "/etc/clickhouse-server/{{ item }}"
@@ -56,6 +50,7 @@
   loop:
     - config.xml
     - users.xml
+    - dhparam.pem
 
 # We need to remove capabilities because we run PMM in an unprivileged container
 - name: Remove cap_ipc_lock from clickhouse binary