Add TLS support for ClickhouseDB

common/helpers/tls.go

@@ -0,0 +1,59 @@
+package helpers
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"errors"
+	"fmt"
+	"os"
+)
+
+// TLSConfiguration defines TLS configuration.
+type TLSConfiguration struct {
+	// Enable says if TLS should be used to connect to brokers
+	Enable bool `validate:"required_with=CAFile CertFile KeyFile Username Password SASLAlgorithm"`
+	// Verify says if we need to check remote certificates
+	Verify bool
+	// CAFile tells the location of the CA certificate to check broker
+	// certificate. If empty, the system CA certificates are used instead.
+	CAFile string // no validation as the orchestrator may not have the file
+	// CertFile tells the location of the user certificate if any.
+	CertFile string `validate:"required_with=KeyFile"`
+	// KeyFile tells the location of the user key if any.
+	KeyFile string
+}
+
+// MakeTLSConfig Create and *tls.Config from a TLSConfiguration.
+// Loading of certificates, key and Certificate authority is done here as well.
+func (config TLSConfiguration) MakeTLSConfig() (*tls.Config, error) {
+	if !config.Enable {
+		return nil, nil
+	}
+	tlsConfig := &tls.Config{
+		InsecureSkipVerify: !config.Verify,
+	}
+	// Read CA certificate if provided
+	if config.CAFile != "" {
+		caCert, err := os.ReadFile(config.CAFile)
+		if err != nil {
+			return nil, fmt.Errorf("cannot read CA certificate for Kafka: %w", err)
+		}
+		caCertPool := x509.NewCertPool()
+		if ok := caCertPool.AppendCertsFromPEM(caCert); !ok {
+			return nil, errors.New("cannot parse CA certificate for Kafka")
+		}
+		tlsConfig.RootCAs = caCertPool
+	}
+	// Read user certificate if provided
+	if config.CertFile != "" {
+		if config.KeyFile == "" {
+			config.KeyFile = config.CertFile
+		}
+		cert, err := tls.LoadX509KeyPair(config.CertFile, config.KeyFile)
+		if err != nil {
+			return nil, fmt.Errorf("cannot read user certificate: %w", err)
+		}
+		tlsConfig.Certificates = []tls.Certificate{cert}
+	}
+	return tlsConfig, nil
+}