Merge branch 'main' into 06/10/26/certs_as_string

chernser · chernser · commit 55ac61a5978c · 2026-06-15T09:30:34.000-07:00
diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml
@@ -1,4 +1,4 @@
-name: Analysis
+name: Coverage
 
 on:
   push:
@@ -94,13 +94,13 @@ jobs:
           find . -type f -name "simplelogger.*" -exec rm -fv '{}' \;
           mvn -q --no-transfer-progress --batch-mode -DclickhouseVersion=$PREFERRED_LTS_VERSION \
             -DskipTests install
-      - name: Analyze
+      - name: Generate coverage report
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
         run: |
           mvn -fn --no-transfer-progress --batch-mode -DclickhouseVersion=$PREFERRED_LTS_VERSION \
-            -Panalysis verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=ClickHouse_clickhouse-java
+            -Pcoverage verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=ClickHouse_clickhouse-java
         continue-on-error: true
       - name: Generate and post coverage report
         env:
diff --git a/.gitignore b/.gitignore
@@ -60,3 +60,8 @@ performance/jmh-simple-results.json
 *.csv
 *.sql
 *.json
+
+*.crt 
+*.key
+*.srl
+*.csr
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
diff --git a/examples/client-v2/README.md b/examples/client-v2/README.md
@@ -135,9 +135,12 @@ openssl req -newkey rsa:2048 -nodes \
 openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
   -days 365 -out server.crt \
   -extfile <(printf "subjectAltName=DNS:localhost,IP:127.0.0.1")
+  
+# Only for demo purpose we make key readable by all. On production should be readable only by owner, not even by group.
+chmod a+r server.key
 ```
 
-2. Create a `config.d` overlay enabling the HTTPS interface, e.g. `zzz_ssl.xml`:
+2. Create a `config.d` overlay enabling the HTTPS interface, e.g. `my_ssl.xml`:
 
 ```xml
 <clickhouse>
@@ -161,11 +164,22 @@ openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
 docker run -d --name clickhouse-ssl -p 8443:8443 \
   -v "$PWD/server.crt:/etc/clickhouse-server/certs/server.crt:ro" \
   -v "$PWD/server.key:/etc/clickhouse-server/certs/server.key:ro" \
-  -v "$PWD/zzz_ssl.xml:/etc/clickhouse-server/config.d/zzz_ssl.xml:ro" \
+  -v "$PWD/my_ssl.xml:/etc/clickhouse-server/config.d/my_ssl.xml:ro" \
+  -e CLICKHOUSE_PASSWORD="secret" \
   clickhouse/clickhouse-server:latest
 ```
 
 4. Run the example in standalone mode with `-DchHost=localhost -DchRootCert="$PWD/ca.crt"`.
 
+```shell
+mvn exec:java -Dexec.mainClass="com.clickhouse.examples.client_v2.SSLExamples" \
+  -DchHost="localhost" \
+  -DchPort="8443" \
+  -DchUser="default" \
+  -DchPassword="secret" \
+  -DchDatabase="default" \
+  -DchRootCert="$PWD/ca.crt"
+```
+
 The full description of the server-side TLS configuration is in the official documentation:
 [Configuring SSL-TLS](https://clickhouse.com/docs/en/guides/sre/configuring-ssl).
diff --git a/examples/client-v2/src/main/java/com/clickhouse/examples/client_v2/SSLExamples.java b/examples/client-v2/src/main/java/com/clickhouse/examples/client_v2/SSLExamples.java
@@ -82,10 +82,7 @@ public static void main(String[] args) {
                     SecureServerSupport.USER, SecureServerSupport.PASSWORD, server.getCaCertPath());
         } catch (Exception e) {
             log.error("Failed to run the SSL example against a local Docker server", e);
-            Runtime.getRuntime().exit(-1);
         }
-        // Explicit exit: testcontainers keeps non-daemon threads alive after the scenario is done.
-        Runtime.getRuntime().exit(0);
     }
 
     /**
diff --git a/examples/client-v2/src/main/java/com/clickhouse/examples/client_v2/SecureServerSupport.java b/examples/client-v2/src/main/java/com/clickhouse/examples/client_v2/SecureServerSupport.java
@@ -82,7 +82,7 @@ private SecureServerSupport(GenericContainer<?> container, Path certDir, Path co
     public static SecureServerSupport start(String image) throws Exception {
         Path certDir = Files.createTempDirectory("ch-ssl-example-certs-");
         Path confDir = Files.createTempDirectory("ch-ssl-example-config-");
-        Path sslConfig = confDir.resolve("zzz_ssl.xml");
+        Path sslConfig = confDir.resolve("custom_ca_ssl.xml");
 
         log.info("Generating an ephemeral private CA and a server certificate in {}", certDir);
         generatePrivateCaAndServerCertificate(certDir);
@@ -100,7 +100,7 @@ public static SecureServerSupport start(String image) throws Exception {
                 .withFileSystemBind(certDir.toAbsolutePath().toString(),
                         "/etc/clickhouse-server/certs", BindMode.READ_ONLY)
                 .withFileSystemBind(sslConfig.toAbsolutePath().toString(),
-                        "/etc/clickhouse-server/config.d/zzz_ssl.xml", BindMode.READ_ONLY)
+                        "/etc/clickhouse-server/config.d/custom_ca_ssl.xml", BindMode.READ_ONLY)
                 .waitingFor(Wait.forHttp("/ping")
                         .forPort(HTTP_PORT)
                         .forStatusCode(200)
diff --git a/examples/jdbc/README.md b/examples/jdbc/README.md
@@ -79,9 +79,12 @@ openssl req -newkey rsa:2048 -nodes \
 openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
   -days 365 -out server.crt \
   -extfile <(printf "subjectAltName=DNS:localhost,IP:127.0.0.1")
+  
+# Only for demo purpose we make key readable by all. On production should be readable only by owner, not even by group.^M
+chmod a+r server.key
 ```
 
-2. Create a `config.d` overlay enabling the HTTPS interface, e.g. `zzz_ssl.xml`:
+2. Create a `config.d` overlay enabling the HTTPS interface, e.g. `my_ssl.xml`:
 
 ```xml
 <clickhouse>
@@ -105,12 +108,22 @@ openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
 docker run -d --name clickhouse-ssl -p 8443:8443 \
   -v "$PWD/server.crt:/etc/clickhouse-server/certs/server.crt:ro" \
   -v "$PWD/server.key:/etc/clickhouse-server/certs/server.key:ro" \
-  -v "$PWD/zzz_ssl.xml:/etc/clickhouse-server/config.d/zzz_ssl.xml:ro" \
+  -v "$PWD/my_ssl.xml:/etc/clickhouse-server/config.d/my_ssl.xml:ro" \
+  -e CLICKHOUSE_PASSWORD="secret" \
   clickhouse/clickhouse-server:latest
 ```
 
 4. Run the example in standalone mode with
 `-DchUrl="jdbc:clickhouse://localhost:8443/default" -DchRootCert="$PWD/ca.crt"`.
 
+```shell
+mvn exec:java -Dexec.mainClass="com.clickhouse.examples.jdbc.SSLExamples" \
+  -DchUrl="jdbc:clickhouse:https://localhost:8443/default" \
+  -DchUser="default" \
+  -DchPassword="secret" \
+  -DchRootCert="$PWD/ca.crt"
+```
+
+
 The full description of the server-side TLS configuration is in the official documentation:
 [Configuring SSL-TLS](https://clickhouse.com/docs/en/guides/sre/configuring-ssl).
diff --git a/pom.xml b/pom.xml
@@ -626,7 +626,7 @@
 
     <profiles>
         <profile>
-            <id>analysis</id>
+            <id>coverage</id>
             <build>
                 <plugins>
                     <plugin>

-Original file line number
+Diff line change
 *.csv
 *.sql
 *.json
++
 +*.crt
 +*.key
 +*.srl
 +*.csr
Original file line number	Diff line number	Diff line change
`@@ -82,10 +82,7 @@ public static void main(String[] args) {`
`82`	`82`	`SecureServerSupport.USER, SecureServerSupport.PASSWORD, server.getCaCertPath());`
`83`	`83`	`} catch (Exception e) {`
`84`	`84`	`log.error("Failed to run the SSL example against a local Docker server", e);`
`85`		`- Runtime.getRuntime().exit(-1);`
`86`	`85`	`}`
`87`		`- // Explicit exit: testcontainers keeps non-daemon threads alive after the scenario is done.`
`88`		`- Runtime.getRuntime().exit(0);`
`89`	`86`	`}`
`90`	`87`
`91`	`88`	`/**`