Open bmtcril opened 1 year ago
Some more thoughts after kicking this around with Feanil:
Hopes aren't high, but I'm watching this issue, which may just add Let's Encrypt in a future version: https://github.com/ClickHouse/ClickHouse/pull/48661
Until then I think we should look into using the existing Caddy proxy to TLS terminate and port forward like we do with Superset.
I guess this still needs to be optional, and we can use an already existing helm chart for it:
Here is how they set it up on the clickhouse pod once they have it: https://github.com/bitnami/charts/blob/main/bitnami/clickhouse/templates/statefulset.yaml#L173C20-L213
Here is how they generate it when needed: https://github.com/bitnami/charts/blob/d889b12d23b1d401454c1317569e5d316638a22a/bitnami/clickhouse/templates/tls-secret.yaml#L4
Probably we would need to use a similar variable set for this and similar logic for already created certificates stored using secrets or files:
CLICKHOUSE_TLS_ENABLED
CLICKHOUSE_TLS_AUTOGENERATED
CLICKHOUSE_TLS_CERTIFICATE_SECRET
CLICKHOUSE_TLS_CERTIFICATE_FILENAME
CLICKHOUSE_TLS_CERTIFICATE_KEY_FILENAME
CLICKHOUSE_TLS_CERTIFICATE_CA_FILENAME
https://github.com/bitnami/charts/blob/main/bitnami/clickhouse/README.md?plain=1#L190-L195
Or, we can simplify this process by forcing them to provide a certificate.
Still wondering if this is really needed in a k8s deployment where all resources are in the k8s network. Or even whether big installations will be using helm charts, as those are better supported.
Will this block oars v1?
In my perfect world we could always run ClickHouse over SSL and simplify our configuration. If we don't get to this before everything else lands I think we could go without it, but I'd really like to get it in if we can. I'm going to mark it for v1 just to make sure it doesn't get lost.
The current configuration of ClickHouse is insecure over HTTP. This isn't the end of the world when all traffic is over the local network, but is far from best practices. We should work on making our configuration use SSL / TLS by default. There is a guide here: https://clickhouse.com/docs/en/guides/sre/configuring-ssl (since we don't support clustering yet we can skip a lot of those steps).
I'm not sure if there is any applicable prior art in Tutor's Caddy implementation that might ease that process.
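As an added illustration of the two points raised in this thread (the Bitnami-style CLICKHOUSE_TLS_* variable set, and the ClickHouse SSL guide's server-side settings), here is a small renderer for the `config.d` fragment that would switch ClickHouse to native TLS. This is example code written for this discussion, not code from tutor-contrib-aspects or the Bitnami chart. The variable names are the ones quoted above; the mount point `CERT_DIR`, the default file names used when the certificate is autogenerated, and the port numbers (8443 and 9440, ClickHouse's stock secure ports) are assumptions.

```python
"""Render the ClickHouse config.d fragment that enables native TLS from a
Bitnami-style CLICKHOUSE_TLS_* variable set.

Example code for this thread, not code from tutor-contrib-aspects or the
Bitnami chart. CERT_DIR, AUTOGEN_FILES and the port numbers are assumptions.
"""
import xml.etree.ElementTree as ET

CERT_DIR = "/etc/clickhouse-server/certs"  # assumed: where the TLS secret is mounted

# Assumed defaults, used only when the certificate is generated for us.
AUTOGEN_FILES = {"cert": "tls.crt", "key": "tls.key", "ca": "ca.crt"}


def _truthy(value):
    return str(value).strip().lower() in ("1", "true", "yes")


def tls_settings(env):
    """Validate the CLICKHOUSE_TLS_* variables and return what the renderer needs.

    Mirrors the split the Bitnami chart makes: either a self-signed pair is
    generated, or the operator points at an existing secret and names the
    files inside it. Raises ValueError for combinations that would start
    ClickHouse without a usable certificate."""
    if not _truthy(env.get("CLICKHOUSE_TLS_ENABLED", "false")):
        return {"enabled": False}
    autogen = _truthy(env.get("CLICKHOUSE_TLS_AUTOGENERATED", "false"))
    secret = env.get("CLICKHOUSE_TLS_CERTIFICATE_SECRET", "")
    if not autogen and not secret:
        raise ValueError(
            "CLICKHOUSE_TLS_ENABLED=true needs either CLICKHOUSE_TLS_AUTOGENERATED=true "
            "or CLICKHOUSE_TLS_CERTIFICATE_SECRET"
        )
    defaults = AUTOGEN_FILES if autogen else {"cert": "", "key": "", "ca": ""}
    cert = env.get("CLICKHOUSE_TLS_CERTIFICATE_FILENAME", defaults["cert"])
    key = env.get("CLICKHOUSE_TLS_CERTIFICATE_KEY_FILENAME", defaults["key"])
    ca = env.get("CLICKHOUSE_TLS_CERTIFICATE_CA_FILENAME", defaults["ca"])
    if not cert or not key:
        raise ValueError("certificate and private key file names are required")
    return {"enabled": True, "cert": cert, "key": key, "ca": ca}


def render_config(settings, keep_plaintext=False):
    """Return a config.d XML fragment for the given settings.

    With TLS on, the secure HTTP and native-protocol ports are opened and,
    unless keep_plaintext is set, the plaintext ones are removed with
    ClickHouse's remove="remove" merge attribute so nothing can fall back to
    cleartext by accident. keep_plaintext=True is the shape a proxy that
    terminates TLS in front of ClickHouse (such as Caddy) would need."""
    root = ET.Element("clickhouse")
    if not settings["enabled"]:
        return ET.tostring(root, encoding="unicode")
    ET.SubElement(root, "https_port").text = "8443"
    ET.SubElement(root, "tcp_port_secure").text = "9440"
    if not keep_plaintext:
        ET.SubElement(root, "http_port", remove="remove")
        ET.SubElement(root, "tcp_port", remove="remove")
    server = ET.SubElement(ET.SubElement(root, "openSSL"), "server")
    ET.SubElement(server, "certificateFile").text = f"{CERT_DIR}/{settings['cert']}"
    ET.SubElement(server, "privateKeyFile").text = f"{CERT_DIR}/{settings['key']}"
    if settings["ca"]:
        ET.SubElement(server, "caConfig").text = f"{CERT_DIR}/{settings['ca']}"
    # "none" = do not demand client certificates; "strict" would turn this
    # into mutual TLS and reject every client that presents no certificate.
    ET.SubElement(server, "verificationMode").text = "none"
    ET.SubElement(server, "loadDefaultCAFile").text = "true"
    ET.SubElement(server, "cacheSessions").text = "true"
    ET.SubElement(server, "disableProtocols").text = "sslv2,sslv3"
    ET.SubElement(server, "preferServerCiphers").text = "true"
    return ET.tostring(root, encoding="unicode")


def listeners(xml_text):
    """Summarise a rendered fragment as port name -> port number or "removed".
    A quick check that no plaintext listener survived the render."""
    root = ET.fromstring(xml_text)
    out = {}
    for name in ("http_port", "https_port", "tcp_port", "tcp_port_secure"):
        node = root.find(name)
        if node is None:
            continue
        out[name] = "removed" if node.get("remove") == "remove" else node.text
    return out


if __name__ == "__main__":
    # Constructed sample environment: an operator-provided secret, no CA file.
    sample_env = {
        "CLICKHOUSE_TLS_ENABLED": "true",
        "CLICKHOUSE_TLS_CERTIFICATE_SECRET": "clickhouse-tls",
        "CLICKHOUSE_TLS_CERTIFICATE_FILENAME": "tls.crt",
        "CLICKHOUSE_TLS_CERTIFICATE_KEY_FILENAME": "tls.key",
    }
    print(render_config(tls_settings(sample_env)))
```

Dropping `http_port` and `tcp_port` is what makes the setup "TLS by default" rather than "TLS also available"; every client (Superset, the Tutor init jobs, any Caddy route) then has to be pointed at 8443/9440 with the right CA, which is the part of the work the guide's single-node steps do not cover.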