From b5590ab2a8fd033cb5fbf8a1b1b7a4ee24b90468 Mon Sep 17 00:00:00 2001 From: Minier Anthony Date: Fri, 14 Mar 2025 11:04:39 +0100 Subject: [PATCH] add insecure skip verify option on clickhouse tls connection to allow invalid certificates on internal cluster connection --- cmd/server/main.go | 15 +++++++-------- .../kubenetmon-server/templates/configMap.yaml | 1 + deploy/helm/kubenetmon-server/values.yaml | 2 ++ pkg/inserter/inserter.go | 4 +++- 4 files changed, 13 insertions(+), 9 deletions(-) diff --git a/cmd/server/main.go b/cmd/server/main.go index 01443d3..ae96639 100644 --- a/cmd/server/main.go +++ b/cmd/server/main.go @@ -3,14 +3,13 @@ package main import ( "errors" "fmt" - "strings" - "time" - "net" "net/http" "os" "runtime" "runtime/debug" + "strings" + "time" yaml "gopkg.in/yaml.v3" "k8s.io/client-go/kubernetes" @@ -46,6 +45,7 @@ type Config struct { ClickHouseWaitForAsyncInsert bool `yaml:"clickhouse_wait_for_async_insert"` ClickHouseSkipPing bool `yaml:"clickhouse_skip_ping"` ClickHouseDisableTLS bool `yaml:"clickhouse_disable_tls"` + ClickHouseInsecureSkipVerify bool `yaml:"clickhouse_insecure_skip_verify"` ClickHouseUsername string ClickHousePassword string @@ -57,9 +57,7 @@ const ( defaultClickHousePasswordPath string = "/etc/clickhouse/password" ) -var ( - configMap = Config{} -) +var configMap = Config{} func init() { b, err := os.ReadFile(defaultClickHouseConfigPath) @@ -72,7 +70,7 @@ func init() { } if configMap.IgnoreUDP == nil { - var b = true + b := true configMap.IgnoreUDP = &b } @@ -176,6 +174,7 @@ func main() { BatchSize: configMap.ClickHouseBatchSize, BatchSendTimeout: configMap.ClickHouseBatchSendTimeout, WaitForAsyncInsert: configMap.ClickHouseWaitForAsyncInsert, + InsecureSkipVerify: configMap.ClickHouseInsecureSkipVerify, SkipPing: configMap.ClickHouseSkipPing, DisableTLS: configMap.ClickHouseDisableTLS, 
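Review bot: The new `InsecureSkipVerify: configMap.ClickHouseInsecureSkipVerify,` line in main() passes the flag through silently, so an operator who sets `clickhouse_insecure_skip_verify: true` in production gets no signal that server-certificate verification to ClickHouse is off. Right before building the inserter options, emit a startup warning with whatever logger main already uses, e.g. `if configMap.ClickHouseInsecureSkipVerify { log.Println("WARNING: clickhouse_insecure_skip_verify is set; ClickHouse server certificates will not be verified") }`. Consider also rejecting the combination `ClickHouseDisableTLS && ClickHouseInsecureSkipVerify` as a config error, since the skip-verify flag is meaningless without TLS and usually indicates a copy-paste mistake. The body of main() continues outside this hunk, so the exact logger in use is not visible here.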
@@ -188,7 +187,7 @@ func main() { server := NewFlowHandlerServer(labeler, inserter) go func() { - var opts = []grpc.ServerOption{ + opts := []grpc.ServerOption{ grpc.KeepaliveParams(keepalive.ServerParameters{ MaxConnectionAge: configMap.MaxGRPCConnectionAge, MaxConnectionAgeGrace: 1 * time.Minute, diff --git a/deploy/helm/kubenetmon-server/templates/configMap.yaml b/deploy/helm/kubenetmon-server/templates/configMap.yaml index a75d745..b2a3e60 100644 --- a/deploy/helm/kubenetmon-server/templates/configMap.yaml +++ b/deploy/helm/kubenetmon-server/templates/configMap.yaml @@ -26,3 +26,4 @@ data: clickhouse_wait_for_async_insert: {{ .Values.inserter.waitForAsyncInsert }} clickhouse_skip_ping: {{ .Values.inserter.skipPing }} clickhouse_disable_tls: {{ .Values.inserter.disableTLS }} + clickhouse_insecure_skip_verify: {{ .Values.inserter.insecureSkipVerify }} diff --git a/deploy/helm/kubenetmon-server/values.yaml b/deploy/helm/kubenetmon-server/values.yaml index 06f40cb..0ff20e5 100644 --- a/deploy/helm/kubenetmon-server/values.yaml +++ b/deploy/helm/kubenetmon-server/values.yaml @@ -71,6 +71,8 @@ inserter: skipPing: false # Disable TLS to ClickHouse. This is useful for testing. disableTLS: false + # setup insecure skip verify on TLS connection. Useful on TLS connection intern to clickhouse + insecureSkipVerify: false deployment: replicaCount: 3 diff --git a/pkg/inserter/inserter.go b/pkg/inserter/inserter.go index 037bd37..8a5155a 100644 --- a/pkg/inserter/inserter.go +++ b/pkg/inserter/inserter.go @@ -52,6 +52,8 @@ type ClickHouseOptions struct { SkipPing bool // Disable TLS on ClickHouse connection. DisableTLS bool + // Allow TLS with unverified certificates + InsecureSkipVerify bool } // Observation is a conntrack observation from kubenetmon-agent labeled by the 
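Review bot: The values.yaml comment `# setup insecure skip verify on TLS connection. Useful on TLS connection intern to clickhouse` does not tell the chart user what the switch actually gives up, which is server certificate verification and therefore protection against an on-path attacker or a misrouted endpoint. Replace it with something like `# Skip verification of the ClickHouse server certificate (tls.Config.InsecureSkipVerify). This disables authentication of the server and exposes the connection to MITM; only use for in-cluster endpoints with self-signed certificates, and prefer providing the cluster CA instead.` The matching field comment in pkg/inserter/inserter.go, `// Allow TLS with unverified certificates`, should say the same and ideally reference which config key drives it.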
@@ -132,7 +134,7 @@ func createClickHouseConnectionWithOptions(ctx context.Context, clickhouseOption } // Configure TLS if need be. if !clickhouseOptions.DisableTLS { - options.TLS = &tls.Config{} + options.TLS = &tls.Config{InsecureSkipVerify: clickhouseOptions.InsecureSkipVerify} } conn, err := clickhouse.Open(&options)
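Review bot: `options.TLS = &tls.Config{InsecureSkipVerify: clickhouseOptions.InsecureSkipVerify}` solves the "internal cluster uses a self-signed certificate" problem by turning off server authentication entirely, which is a larger hole than the commit message suggests: any host that can intercept traffic to the ClickHouse address can now present any certificate and read the inserted flow data and the credentials sent with it. The usual fix is to trust the internal CA rather than skip verification: add a CA bundle path option alongside the new flag (plumbed through Config, the helm values and `ClickHouseOptions` the same way `InsecureSkipVerify` is here), load it into `RootCAs`, and keep `InsecureSkipVerify` as a last resort. That change needs `crypto/x509` and `os` imported in inserter.go, and the error returns below assume the function's other failure paths return an error in the same shape; `createClickHouseConnectionWithOptions` starts outside this hunk so I could not confirm its signature.

```go
// Configure TLS if need be.
if !clickhouseOptions.DisableTLS {
	tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12}
	// Prefer trusting the internal CA over disabling verification.
	if clickhouseOptions.CACertPath != "" {
		pemBytes, err := os.ReadFile(clickhouseOptions.CACertPath)
		if err != nil {
			return nil, fmt.Errorf("reading clickhouse CA bundle %q: %w", clickhouseOptions.CACertPath, err)
		}
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(pemBytes) {
			return nil, fmt.Errorf("no certificates found in clickhouse CA bundle %q", clickhouseOptions.CACertPath)
		}
		tlsCfg.RootCAs = pool
	}
	// Last resort: disables server authentication entirely (MITM-exposed).
	tlsCfg.InsecureSkipVerify = clickhouseOptions.InsecureSkipVerify
	options.TLS = tlsCfg
}
// … unchanged: clickhouse.Open call …
```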