[clickhouse] allow supplying root CA as input during peer creation (#…

…2048)

flow/connectors/clickhouse/clickhouse.go

@@ -3,6 +3,7 @@ package connclickhouse
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"errors"
 	"fmt"
 	"log/slog"
@@ -218,9 +219,15 @@ func Connect(ctx context.Context, config *protos.ClickhouseConfig) (clickhouse.C
 		if err != nil {
 			return nil, fmt.Errorf("failed to parse provided certificate: %w", err)
 		}
-		// TODO: find a way to modify list of root CAs as well
 		tlsSetting.Certificates = []tls.Certificate{cert}
 	}
+	if config.RootCa != nil {
+		caPool := x509.NewCertPool()
+		if !caPool.AppendCertsFromPEM([]byte(*config.RootCa)) {
+			return nil, errors.New("failed to parse provided root CA")
+		}
+		tlsSetting.RootCAs = caPool
+	}
 
 	conn, err := clickhouse.Open(&clickhouse.Options{
 		Addr: []string{fmt.Sprintf("%s:%d", config.Host, config.Port)},

flow/e2e/clickhouse/clickhouse.go

@@ -10,10 +10,10 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/PeerDB-io/peer-flow/connectors"
-	"github.com/PeerDB-io/peer-flow/connectors/clickhouse"
+	connclickhouse "github.com/PeerDB-io/peer-flow/connectors/clickhouse"
 	connpostgres "github.com/PeerDB-io/peer-flow/connectors/postgres"
 	"github.com/PeerDB-io/peer-flow/e2e"
-	"github.com/PeerDB-io/peer-flow/e2e/s3"
+	e2e_s3 "github.com/PeerDB-io/peer-flow/e2e/s3"
 	"github.com/PeerDB-io/peer-flow/generated/protos"
 	"github.com/PeerDB-io/peer-flow/model"
 	"github.com/PeerDB-io/peer-flow/model/qvalue"

nexus/analyzer/src/lib.rs

@@ -752,6 +752,7 @@ fn parse_db_options(db_type: DbType, with_options: &[SqlOption]) -> anyhow::Resu
                 endpoint: opts.get("endpoint").map(|s| s.to_string()),
                 certificate: opts.get("certificate").map(|s| s.to_string()),
                 private_key: opts.get("private_key").map(|s| s.to_string()),
+                root_ca: opts.get("root_ca").map(|s| s.to_string()),
             };
             Config::ClickhouseConfig(clickhouse_config)
         }

protos/peers.proto

@@ -122,6 +122,7 @@ message ClickhouseConfig{
   optional string endpoint = 11;
   optional string certificate = 12 [(peerdb_redacted) = true];
   optional string private_key = 13 [(peerdb_redacted) = true];
+  optional string root_ca = 14 [(peerdb_redacted) = true];
 }
 
 message SqlServerConfig {

ui/app/peers/create/[peerType]/helpers/ch.ts

@@ -95,7 +95,7 @@ export const clickhouseSetting: PeerSetting[] = [
     },
     type: 'file',
     optional: true,
-    tips: 'This is needed only if the user is authenticated via certificate.',
+    tips: 'This is only needed if the user is authenticated via certificate.',
   },
   {
     label: 'Private Key',
@@ -110,7 +110,22 @@ export const clickhouseSetting: PeerSetting[] = [
     },
     type: 'file',
     optional: true,
-    tips: 'This is needed only if the user is authenticated via certificate.',
+    tips: 'This is only needed if the user is authenticated via certificate.',
+  },
+  {
+    label: 'Root Certificate',
+    stateHandler: (value, setter) => {
+      if (!value) {
+        // remove key from state if empty
+        setter((curr) => {
+          delete (curr as ClickhouseConfig)['rootCa'];
+          return curr;
+        });
+      } else setter((curr) => ({ ...curr, rootCa: value as string }));
+    },
+    type: 'file',
+    optional: true,
+    tips: 'If not provided, host CA roots will be used.',
   },
 ];
 

ui/app/peers/create/[peerType]/schema.ts

@@ -309,6 +309,12 @@ export const chSchema = (hostDomains: string[]) =>
       })
       .optional()
       .transform((e) => (e === '' ? undefined : e)),
+    rootCa: z
+      .string({
+        invalid_type_error: 'Root CA must be a string',
+      })
+      .optional()
+      .transform((e) => (e === '' ? undefined : e)),
   });
 
 export const kaSchema = z.object({