New to KubeDB? Please start here.
Reconfiguring TLS of ClickHouse
This guide will give an overview on how KubeDB Ops-manager operator reconfigures TLS configuration i.e. add TLS, remove TLS, update issuer/cluster issuer or Certificates and rotate the certificates of ClickHouse.
Before You Begin
- You should be familiar with the following
KubeDBconcepts:
How Reconfiguring ClickHouse TLS Configuration Process Works
The following diagram shows how KubeDB Ops-manager operator reconfigures TLS of a ClickHouse. Open the image in a new tab to see the enlarged version.
The Reconfiguring ClickHouse TLS process consists of the following steps:
At first, a user creates a
ClickHouseCustom Resource Object (CRO).KubeDBProvisioner operator watches theClickHouseCRO.When the operator finds a
ClickHouseCR, it creates required number ofPetSetsand related necessary stuff like secrets, services, etc.Then, in order to reconfigure the TLS configuration of the
ClickHousedatabase the user creates aClickHouseOpsRequestCR with desired information.KubeDBOps-manager operator watches theClickHouseOpsRequestCR.When it finds a
ClickHouseOpsRequestCR, it pauses theClickHouseobject which is referred from theClickHouseOpsRequest. So, theKubeDBProvisioner operator doesn’t perform any operations on theClickHouseobject during the reconfiguring TLS process.Then the
KubeDBOps-manager operator will add, remove, update or rotate TLS configuration based on the Ops Request yaml.Then the
KubeDBOps-manager operator will restart all the Pods of the database so that they restart with the new TLS configuration defined in theClickHouseOpsRequestCR.After the successful reconfiguring of the
ClickHouseTLS, theKubeDBOps-manager operator resumes theClickHouseobject so that theKubeDBProvisioner operator resumes its usual operations.
In the next docs, we are going to show a step-by-step guide on reconfiguring TLS configuration of a ClickHouse database using ClickHouseOpsRequest CRD.