diff --git a/.chloggen/fix-clickhouse-server-tls.yaml b/.chloggen/fix-clickhouse-server-tls.yaml new file mode 100644 index 0000000000000..8266a243fff1b --- /dev/null +++ b/.chloggen/fix-clickhouse-server-tls.yaml @@ -0,0 +1,27 @@ +# Use this changelog template to create an entry for release notes. + +# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix' +change_type: bug_fix + +# The name of the component, or a single word describing the area of concern, (e.g. receiver/filelog) +component: exporter/clickhouse + +# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`). +note: Fix TLS configuration being ignored when only ca_file is provided and no cert/key files are set. + +# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists. +issues: [43911] + +# (Optional) One or more lines of additional information to render under the primary note. +# These lines will be padded with 2 spaces and then inserted directly into the document. +# Use pipe (|) for multiline entries. +subtext: This change ensures server-side TLS validation works correctly even without client certificates. + +# If your change doesn't affect end users or the exported elements of any package, +# you should instead start your pull request title with [chore] or use the "Skip Changelog" label. +# Optional: The change log or logs in which this entry should be included. +# e.g. '[user]' or '[user, api]' +# Include 'user' if the change is relevant to end users. +# Include 'api' if there is a change to a library API. +# Default: '[user]' +change_logs: [] diff --git a/exporter/clickhouseexporter/config.go b/exporter/clickhouseexporter/config.go index 55a032c68c3c6..1195e0fbfb8f4 100644 --- a/exporter/clickhouseexporter/config.go +++ b/exporter/clickhouseexporter/config.go @@ -210,7 +210,13 @@ func (cfg *Config) buildClickHouseOptions() (*clickhouse.Options, error) { return nil, fmt.Errorf("failed to parse DSN: %w", err) } - if cfg.TLS.CertFile != "" || cfg.TLS.KeyFile != "" { + // Load TLS config if any TLS-related field is set (not just cert/key). + if cfg.TLS.CertFile != "" || + cfg.TLS.KeyFile != "" || + cfg.TLS.CAFile != "" || + cfg.TLS.ServerName != "" || + cfg.TLS.Insecure || + cfg.TLS.InsecureSkipVerify { opt.TLS, err = cfg.TLS.LoadTLSConfig(context.Background()) if err != nil { return nil, fmt.Errorf("failed to load TLS config: %w", err) diff --git a/exporter/clickhouseexporter/config_test.go b/exporter/clickhouseexporter/config_test.go index a70e49c145ed4..614650b4f66da 100644 --- a/exporter/clickhouseexporter/config_test.go +++ b/exporter/clickhouseexporter/config_test.go @@ -5,6 +5,7 @@ package clickhouseexporter import ( "fmt" + "os" "path/filepath" "testing" "time" @@ -756,3 +757,32 @@ func TestConfigDatabase(t *testing.T) { }) } } + +// TestBuildClickHouseOptions_WithCAFileOnly verifies that when only a CAFile is provided, +// buildClickHouseOptions returns a clean TLS error instead of crashing. +func TestBuildClickHouseOptions_WithCAFileOnly(t *testing.T) { + cfg := createDefaultConfig().(*Config) + + // Use a valid DSN to ensure parsing succeeds before TLS setup. + cfg.Endpoint = "clickhouse://default:password@localhost:9000/default?secure=true" + + // Create a dummy CA file (intentionally invalid to trigger TLS error). + tmpFile, err := os.CreateTemp(t.TempDir(), "ca*.pem") + require.NoError(t, err) + defer os.Remove(tmpFile.Name()) + + _, err = tmpFile.WriteString("-----BEGIN CERTIFICATE-----\nINVALID\n-----END CERTIFICATE-----") + require.NoError(t, err) + tmpFile.Close() + + cfg.TLS.CAFile = tmpFile.Name() + + // Run buildClickHouseOptions. + opt, err := cfg.buildClickHouseOptions() + + // We expect an error since the CA file is invalid. + require.Error(t, err, "expected error due to invalid CA file") + + // No panic, but options may be nil since TLS setup failed early. + require.Nil(t, opt, "expected nil options when TLS setup fails cleanly") +}