# Server TLS certificate (PEM). Referenced by the ClickHouseInstallation below
# through `files.server.crt` -> secretKeyRef{name: ssl-files-server.crt, key: file};
# openssl.xml reads it at
# /etc/clickhouse-server/secrets.d/server.crt/ssl-files-server.crt/file.
# The certificate body is redacted in this copy of the fixture.
apiVersion: v1
kind: Secret
metadata:
  name: ssl-files-server.crt
type: Opaque
stringData:
  file: |
    -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
# Server private key (PEM). Referenced through `files.server.key` ->
# secretKeyRef{name: ssl-files-server.key, key: file}; openssl.xml reads it at
# /etc/clickhouse-server/secrets.d/server.key/ssl-files-server.key/file.
# Keeping the key in a Secret (rather than inline in the CHI) is what this
# fixture exercises; the key body is redacted here and a real key should never
# be committed to version control.
apiVersion: v1
kind: Secret
metadata:
  name: ssl-files-server.key
type: Opaque
stringData:
  file: |
    -----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
---
# Diffie-Hellman parameters (PEM). Referenced through `files.dhparam.pem` ->
# secretKeyRef{name: ssl-files-dhparam.pem, key: file}; openssl.xml reads it at
# /etc/clickhouse-server/secrets.d/dhparam.pem/ssl-files-dhparam.pem/file.
# The parameter body is redacted in this copy of the fixture.
apiVersion: v1
kind: Secret
metadata:
  name: ssl-files-dhparam.pem
type: Opaque
stringData:
  file: |
    -----BEGIN DH PARAMETERS-----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-----END DH PARAMETERS-----
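---
# ClickHouseInstallation with TLS enabled, where the certificate, key and DH
# parameters are not inlined but pulled from the three Secrets above via
# secretKeyRef entries in `configuration.files`.
apiVersion: "clickhouse.altinity.com/v1"
kind: "ClickHouseInstallation"
metadata:
  name: secure-ssl
spec:
  defaults:
    templates:
      podTemplate: default
  templates:
    podTemplates:
      - name: default
        spec:
          containers:
            - name: clickhouse
              image: altinity/clickhouse-server:23.8.8.21.altinitystable
              imagePullPolicy: IfNotPresent
  configuration:
    clusters:
      - name: cluster1
        # Operator flag; kept as a quoted string so YAML 1.1 loaders do not turn
        # `yes` into a boolean.
        secure: "yes"
    users:
      # Plaintext test credential, reachable from any address (`::/0`). Outside a
      # test fixture, store a hash (e.g. `password_sha256_hex`) or reference a
      # Secret instead of embedding the password in the CHI, and narrow the
      # network mask.
      user1/password: qwerty
      user1/networks/ip: "::/0"
    settings:
      # tcp_port: 9000 # keep for localhost
      tcp_port_secure: 9440
      https_port: 8443
    files:
      # Server-side TLS configuration. The three file paths follow the layout
      # <secrets.d>/<files key>/<secret name>/<secret key>, matching the
      # secretKeyRef entries further down.
      # verificationMode=none: the server does not request a client certificate
      # (one-way TLS). disableProtocols previously listed only sslv2,sslv3, which
      # left TLS 1.0 and 1.1 negotiable; they are disabled here as well.
      openssl.xml: |
        <yandex>
          <openSSL>
            <server>
              <certificateFile>/etc/clickhouse-server/secrets.d/server.crt/ssl-files-server.crt/file</certificateFile>
              <privateKeyFile>/etc/clickhouse-server/secrets.d/server.key/ssl-files-server.key/file</privateKeyFile>
              <dhParamsFile>/etc/clickhouse-server/secrets.d/dhparam.pem/ssl-files-dhparam.pem/file</dhParamsFile>
              <verificationMode>none</verificationMode>
              <loadDefaultCAFile>true</loadDefaultCAFile>
              <cacheSessions>true</cacheSessions>
              <disableProtocols>sslv2,sslv3,tlsv1,tlsv1_1</disableProtocols>
              <preferServerCiphers>true</preferServerCiphers>
            </server>
          </openSSL>
        </yandex>
      # Each entry below names a Secret and the key inside it whose value is
      # delivered as a file under the path openssl.xml expects.
      server.crt:
        valueFrom:
          secretKeyRef:
            name: ssl-files-server.crt
            key: file
      server.key:
        valueFrom:
          secretKeyRef:
            name: ssl-files-server.key
            key: file
      dhparam.pem:
        valueFrom:
          secretKeyRef:
            name: ssl-files-dhparam.pem
            key: file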
---
# clickhouse-client configuration for the test client pod below.
# verificationMode=relaxed together with AcceptCertificateHandler makes the
# client accept any server certificate (including the self-signed one served
# by the CHI), so it does not authenticate the server; suitable only for this
# test setup.
apiVersion: v1
kind: ConfigMap
metadata:
  name: "secure-ssl-client-config"
data:
  config.xml: |
    <config>
      <openSSL>
        <client>
          <verificationMode>relaxed</verificationMode>
          <invalidCertificateHandler>
            <name>AcceptCertificateHandler</name>
          </invalidCertificateHandler>
        </client>
      </openSSL>
      <port>9440</port>
      <secure>1</secure>
    </config>
---
# Throwaway client pod: it only idles so that clickhouse-client can be run
# inside it with `kubectl exec` against the secure endpoint (see the command at
# the end of the file). No securityContext is set, so the container runs with
# the image defaults.
apiVersion: v1
kind: Pod
metadata:
  name: secure-ssl-client
spec:
  containers:
    - name: clickhouse-client
      # Floating minor tag; unlike the pinned server image this resolves to
      # whatever 23.8 build is current at pull time.
      image: clickhouse/clickhouse-server:23.8
      command:
        - '/bin/sh'
        - '-c'
        - 'sleep 3600'
      volumeMounts:
        - name: config
          # The ConfigMap is mounted over the whole client config directory;
          # only config.xml is projected into it (see `items` below).
          mountPath: '/etc/clickhouse-client/'
  volumes:
    - name: config
      configMap:
        name: secure-ssl-client-config
        items:
          - key: config.xml
            path: config.xml
# Run on client
# (the password is passed on the command line and so is visible in shell
# history and process listings; fine for this test fixture only)
# kubectl -n dev exec secure-ssl-client -- clickhouse-client -h chi-secure-ssl-cluster1-0-0 --secure --port 9440 --user=user1 --password=qwerty -q 'select 1000'