feat: Add mTLS connection to clickhouse (#241)

autocomplete/autocomplete.go

@@ -11,6 +11,9 @@ import (
 	"time"
 
 	"github.com/go-graphite/carbonapi/pkg/parser"
+	"github.com/msaf1980/go-stringutils"
+	"go.uber.org/zap"
+
 	"github.com/lomik/graphite-clickhouse/config"
 	"github.com/lomik/graphite-clickhouse/finder"
 	"github.com/lomik/graphite-clickhouse/helper/clickhouse"
@@ -20,8 +23,6 @@ import (
 	"github.com/lomik/graphite-clickhouse/metrics"
 	"github.com/lomik/graphite-clickhouse/pkg/scope"
 	"github.com/lomik/graphite-clickhouse/pkg/where"
-	"github.com/msaf1980/go-stringutils"
-	"go.uber.org/zap"
 )
 
 // override in unit tests for stable results
@@ -330,6 +331,7 @@ func (h *Handler) ServeTags(w http.ResponseWriter, r *http.Request) {
 			h.config.ClickHouse.URL,
 			sql,
 			clickhouse.Options{
+				TLSConfig:      h.config.ClickHouse.TLSConfig,
 				Timeout:        h.config.ClickHouse.IndexTimeout,
 				ConnectTimeout: h.config.ClickHouse.ConnectTimeout,
 			},
@@ -574,6 +576,7 @@ func (h *Handler) ServeValues(w http.ResponseWriter, r *http.Request) {
 			h.config.ClickHouse.URL,
 			sql,
 			clickhouse.Options{
+				TLSConfig:      h.config.ClickHouse.TLSConfig,
 				Timeout:        h.config.ClickHouse.IndexTimeout,
 				ConnectTimeout: h.config.ClickHouse.ConnectTimeout,
 			},

cmd/e2e-test/clickhouse.go

@@ -4,13 +4,12 @@ import (
 	"bytes"
 	"errors"
 	"fmt"
-	"io"
+	"io/ioutil"
 	"net/http"
 	"os"
 	"os/exec"
 	"strconv"
 	"strings"
-	"time"
 
 	"github.com/msaf1980/go-stringutils"
 )
@@ -20,16 +19,19 @@ var ClickhouseOldImage = "yandex/clickhouse-server"
 var ClickhouseDefaultImage = "clickhouse/clickhouse-server"
 
 type Clickhouse struct {
-	Version string `toml:"version"`
-	Dir     string `toml:"dir"`
+	Version    string `toml:"version"`
+	Dir        string `toml:"dir"`
+	TLSEnabled bool   `toml:"tls"`
 
 	DockerImage string `toml:"image"`
 
 	TZ string `toml:"tz"` // override timezone
 
-	httpAddress string `toml:"-"`
-	url         string `toml:"-"`
-	container   string `toml:"-"`
+	httpAddress  string `toml:"-"`
+	httpsAddress string `toml:"-"`
+	url          string `toml:"-"`
+	tlsurl       string `toml:"-"`
+	container    string `toml:"-"`
 }
 
 func (c *Clickhouse) CheckConfig(rootDir string) error {
@@ -71,6 +73,7 @@ func (c *Clickhouse) Start() (string, error) {
 	if err != nil {
 		return "", err
 	}
+	port := strings.Split(c.httpAddress, ":")[1]
 	c.url = "http://" + c.httpAddress
 
 	c.container = ClickhouseContainerName
@@ -80,14 +83,28 @@ func (c *Clickhouse) Start() (string, error) {
 	chStart := []string{"run", "-d",
 		"--name", c.container,
 		"--ulimit", "nofile=262144:262144",
-		"-p", c.httpAddress + ":8123",
+		"-p", port + ":8123",
 		// "-e", "TZ=" + tz, // workaround for TZ=":/etc/localtime"
 		"-v", c.Dir + "/config.xml:/etc/clickhouse-server/config.xml",
 		"-v", c.Dir + "/users.xml:/etc/clickhouse-server/users.xml",
 		"-v", c.Dir + "/rollup.xml:/etc/clickhouse-server/config.d/rollup.xml",
 		"-v", c.Dir + "/init.sql:/docker-entrypoint-initdb.d/init.sql",
 		"--network", DockerNetwork,
 	}
+	if c.TLSEnabled {
+		c.httpsAddress, err = getFreeTCPPort("")
+		if err != nil {
+			return "", err
+		}
+		port = strings.Split(c.httpsAddress, ":")[1]
+		c.tlsurl = "https://" + c.httpsAddress
+		chStart = append(chStart,
+			"-v", c.Dir+"/server.crt:/etc/clickhouse-server/server.crt",
+			"-v", c.Dir+"/server.key:/etc/clickhouse-server/server.key",
+			"-v", c.Dir+"/rootCA.crt:/etc/clickhouse-server/rootCA.crt",
+			"-p", port+":8443",
+		)
+	}
 	if c.TZ != "" {
 		chStart = append(chStart, "-e", "TZ="+c.TZ)
 	}
@@ -137,6 +154,10 @@ func (c *Clickhouse) URL() string {
 	return c.url
 }
 
+func (c *Clickhouse) TLSURL() string {
+	return c.tlsurl
+}
+
 func (c *Clickhouse) Container() string {
 	return c.container
 }
@@ -152,14 +173,11 @@ func (c *Clickhouse) Query(sql string) (string, error) {
 		return "", err
 	}
 
-	httpClient := http.Client{
-		Timeout: time.Minute,
-	}
-	resp, err := httpClient.Do(request)
+	resp, err := http.DefaultClient.Do(request)
 	if err != nil {
 		return "", err
 	}
-	msg, err := io.ReadAll(resp.Body)
+	msg, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return "", err
 	}
@@ -173,7 +191,7 @@ func (c *Clickhouse) Alive() bool {
 	if len(c.container) == 0 {
 		return false
 	}
-	req, err := http.DefaultClient.Get(c.url)
+	req, err := http.DefaultClient.Get(c.URL())
 	if err != nil {
 		return false
 	}

cmd/e2e-test/e2etesting.go

@@ -12,9 +12,10 @@ import (
 	"strings"
 	"time"
 
+	"go.uber.org/zap"
+
 	"github.com/lomik/graphite-clickhouse/helper/client"
 	"github.com/lomik/graphite-clickhouse/helper/datetime"
-	"go.uber.org/zap"
 
 	"github.com/pelletier/go-toml"
 )
@@ -152,6 +153,10 @@ type TestSchema struct {
 	// input map[string][]Point `toml:"-"`
 }
 
+func (schema *TestSchema) HasTLSSettings() bool {
+	return strings.Contains(schema.dir, "tls")
+}
+
 func getFreeTCPPort(name string) (string, error) {
 	if len(name) == 0 {
 		name = "127.0.0.1:0"
@@ -202,7 +207,7 @@ func sendPlain(network, address string, metrics []InputMetric) error {
 
 func verifyGraphiteClickhouse(test *TestSchema, gch *GraphiteClickhouse, clickhouse *Clickhouse, testDir, clickhouseDir string, verbose, breakOnError bool, logger *zap.Logger) (testSuccess bool, verifyCount, verifyFailed int) {
 	testSuccess = true
-	err := gch.Start(testDir, clickhouse.URL(), test.Proxy.URL())
+	err := gch.Start(testDir, clickhouse.URL(), test.Proxy.URL(), clickhouse.TLSURL())
 	if err != nil {
 		logger.Error("starting graphite-clickhouse",
 			zap.String("config", test.name),

cmd/e2e-test/graphite-clickhouse.go

@@ -12,13 +12,15 @@ import (
 	"syscall"
 	"text/template"
 
-	"github.com/lomik/graphite-clickhouse/helper/client"
 	"github.com/msaf1980/go-stringutils"
+
+	"github.com/lomik/graphite-clickhouse/helper/client"
 )
 
 type GraphiteClickhouse struct {
 	Binary    string `toml:"binary"`
 	ConfigTpl string `toml:"template"`
+	TestDir   string `toml:"-"`
 
 	TZ string `toml:"tz"` // override timezone
 
@@ -28,7 +30,7 @@ type GraphiteClickhouse struct {
 	cmd        *exec.Cmd `toml:"-"`
 }
 
-func (c *GraphiteClickhouse) Start(testDir, clickhouseURL, chProxyURL string) error {
+func (c *GraphiteClickhouse) Start(testDir, chURL, chProxyURL, chTLSURL string) error {
 	if c.cmd != nil {
 		return errors.New("carbon-clickhouse already started")
 	}
@@ -52,22 +54,31 @@ func (c *GraphiteClickhouse) Start(testDir, clickhouseURL, chProxyURL string) er
 		return err
 	}
 
+	c.TestDir, err = filepath.Abs(testDir)
+	if err != nil {
+		return err
+	}
+
 	name := filepath.Base(c.ConfigTpl)
 	tmpl, err := template.New(name).ParseFiles(path.Join(testDir, c.ConfigTpl))
 	if err != nil {
 		c.Cleanup()
 		return err
 	}
 	param := struct {
-		CLICKHOUSE_URL string
-		PROXY_URL      string
-		GCH_ADDR       string
-		GCH_DIR        string
+		CLICKHOUSE_URL     string
+		CLICKHOUSE_TLS_URL string
+		PROXY_URL          string
+		GCH_ADDR           string
+		GCH_DIR            string
+		TEST_DIR           string
 	}{
-		CLICKHOUSE_URL: clickhouseURL,
-		PROXY_URL:      chProxyURL,
-		GCH_ADDR:       c.address,
-		GCH_DIR:        c.storeDir,
+		CLICKHOUSE_URL:     chURL,
+		CLICKHOUSE_TLS_URL: chTLSURL,
+		PROXY_URL:          chProxyURL,
+		GCH_ADDR:           c.address,
+		GCH_DIR:            c.storeDir,
+		TEST_DIR:           c.TestDir,
 	}
 
 	c.configFile = path.Join(c.storeDir, "graphite-clickhouse.conf")