open-telemetry · songy23 · Nov 18, 2025 · Nov 6, 2025 · Nov 7, 2025 · Nov 7, 2025
@@ -0,0 +1,27 @@
+# Use this changelog template to create an entry for release notes.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: bug_fix
+
+# The name of the component, or a single word describing the area of concern, (e.g. receiver/filelog)
+component: exporter/clickhouse
+
+# A brief description of the change.  Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Fix TLS configuration being ignored when only ca_file is provided and no cert/key files are set.
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+issues: [43911]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext: This change ensures server-side TLS validation works correctly even without client certificates.
+
+# If your change doesn't affect end users or the exported elements of any package,
+# you should instead start your pull request title with [chore] or use the "Skip Changelog" label.
+# Optional: The change log or logs in which this entry should be included.
+# e.g. '[user]' or '[user, api]'
+# Include 'user' if the change is relevant to end users.
+# Include 'api' if there is a change to a library API.
+# Default: '[user]'
+change_logs: []
@@ -210,7 +210,13 @@ func (cfg *Config) buildClickHouseOptions() (*clickhouse.Options, error) {
 		return nil, fmt.Errorf("failed to parse DSN: %w", err)
 	}
 
-	if cfg.TLS.CertFile != "" || cfg.TLS.KeyFile != "" {
+	// Load TLS config if any TLS-related field is set (not just cert/key).
+	if cfg.TLS.CertFile != "" ||
+		cfg.TLS.KeyFile != "" ||
+		cfg.TLS.CAFile != "" ||
+		cfg.TLS.ServerName != "" ||
+		cfg.TLS.Insecure ||
+		cfg.TLS.InsecureSkipVerify {
 		opt.TLS, err = cfg.TLS.LoadTLSConfig(context.Background())
 		if err != nil {
 			return nil, fmt.Errorf("failed to load TLS config: %w", err)

@@ -5,6 +5,7 @@ package clickhouseexporter
 
 import (
 	"fmt"
+	"os"
 	"path/filepath"
 	"testing"
 	"time"
@@ -756,3 +757,32 @@ func TestConfigDatabase(t *testing.T) {
 		})
 	}
 }
+
+// TestBuildClickHouseOptions_WithCAFileOnly verifies that when only a CAFile is provided,
+// buildClickHouseOptions returns a clean TLS error instead of crashing.
+func TestBuildClickHouseOptions_WithCAFileOnly(t *testing.T) {
+	cfg := createDefaultConfig().(*Config)
+
+	// Use a valid DSN to ensure parsing succeeds before TLS setup.
+	cfg.Endpoint = "clickhouse://default:password@localhost:9000/default?secure=true"
+
+	// Create a dummy CA file (intentionally invalid to trigger TLS error).
+	tmpFile, err := os.CreateTemp(t.TempDir(), "ca*.pem")
+	require.NoError(t, err)
+	defer os.Remove(tmpFile.Name())
+
+	_, err = tmpFile.WriteString("-----BEGIN CERTIFICATE-----\nINVALID\n-----END CERTIFICATE-----")
+	require.NoError(t, err)
+	tmpFile.Close()
+
+	cfg.TLS.CAFile = tmpFile.Name()
+
+	// Run buildClickHouseOptions.
+	opt, err := cfg.buildClickHouseOptions()
+
+	// We expect an error since the CA file is invalid.
+	require.Error(t, err, "expected error due to invalid CA file")
+
+	// No panic, but options may be nil since TLS setup failed early.
+	require.Nil(t, opt, "expected nil options when TLS setup fails cleanly")
+}