@ademidoff ademidoff commented Sep 27, 2025

PMM-14118

Link to the Feature Build: SUBMODULES-4054

This pull request introduces SSL support for the ClickHouse server and fixes a configuration path for Nginx certificate generation. The main changes include generating SSL certificates for ClickHouse, adding Diffie-Hellman parameters, and ensuring the correct configuration file is used for Nginx certificate creation.

SSL support for ClickHouse:

  • Added a new Ansible task to generate self-signed SSL certificates (server.key and server.crt) for ClickHouse using OpenSSL, improving security for ClickHouse connections.
  • Included the dhparam.pem file containing Diffie-Hellman parameters for enhanced SSL security, and updated the Ansible copy task to deploy this file to the ClickHouse server directory.

Nginx certificate generation fix:

  • Corrected the path to the certificate configuration file in the Nginx SSL certificate generation script, ensuring it references /srv/nginx/certificate.conf instead of /etc/nginx/ssl/certificate.conf.


codecov bot commented Sep 27, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 44.54%. Comparing base (fa6ecd0) to head (5030ef4).
⚠️ Report is 1 commits behind head on v3.

Additional details and impacted files
@@           Coverage Diff           @@
##               v3    #4575   +/-   ##
=======================================
  Coverage   44.54%   44.54%           
=======================================
  Files         363      363           
  Lines       45715    45715           
=======================================
  Hits        20365    20365           
  Misses      23692    23692           
  Partials     1658     1658           
Flag Coverage Δ
admin 17.33% <ø> (ø)
agent 53.35% <ø> (ø)
managed 44.48% <ø> (ø)
vmproxy 74.13% <ø> (ø)


@ademidoff ademidoff force-pushed the PMM-14118-default-clickhouse-ssl-certificates branch from 7588ddd to 5030ef4 Compare September 27, 2025 13:47
-keyout /srv/nginx/certificate.key \
-out /srv/nginx/certificate.crt \
-config /etc/nginx/ssl/certificate.conf
-config /srv/nginx/certificate.conf
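
Review bot: the replacement line `-config /srv/nginx/certificate.conf` makes certificate generation depend on a file under /srv/nginx, and nothing visible in this hunk shows that file being created or copied there before openssl runs. If /srv/nginx/certificate.conf is meant to be a user-supplied override, test for it and fall back to /etc/nginx/ssl/certificate.conf when it is absent, so an empty /srv volume does not break generation of certificate.key and certificate.crt. A short comment in the script stating which path takes precedence would also help the next reader.
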
Member Author

@ademidoff ademidoff Sep 27, 2025

@BupycHuk Are we OK with this fix?

Member

Have you tested it?

Member Author

@ademidoff ademidoff Oct 1, 2025

Yes, no issues )

Member Author

@ademidoff ademidoff Oct 1, 2025

I wonder, wasn't it meant to be that way? I thought it was an oversight, no? If we don't take the certificate.conf from /srv/nginx/, then there is no way for the user to override ours, which comes from /etc/nginx/.

@ademidoff ademidoff marked this pull request as ready for review September 27, 2025 13:51
@ademidoff ademidoff requested a review from a team as a code owner September 27, 2025 13:51
@ademidoff ademidoff requested review from BupycHuk and idoqo and removed request for a team September 27, 2025 13:51
@JiriCtvrtka JiriCtvrtka self-requested a review October 1, 2025 09:03