ClickHouse
diff --git a/‎api/v1alpha1/clickhousecluster_types.go‎
Lines changed: 0 additions & 4 deletions b/‎api/v1alpha1/clickhousecluster_types.go‎
Lines changed: 0 additions & 4 deletions
diff --git a/‎api/v1alpha1/common.go‎
Lines changed: 15 additions & 5 deletions b/‎api/v1alpha1/common.go‎
Lines changed: 15 additions & 5 deletions
diff --git a/‎api/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 16 additions & 1 deletion b/‎api/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 16 additions & 1 deletion
diff --git a/‎bundle.Dockerfile‎
Lines changed: 1 addition & 1 deletion b/‎bundle.Dockerfile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎config/crd/bases/clickhouse.com_clickhouseclusters.yaml‎
Lines changed: 4 additions & 5 deletions b/‎config/crd/bases/clickhouse.com_clickhouseclusters.yaml‎
Lines changed: 4 additions & 5 deletions
diff --git a/‎config/crd/bases/clickhouse.com_keeperclusters.yaml‎
Lines changed: 4 additions & 5 deletions b/‎config/crd/bases/clickhouse.com_keeperclusters.yaml‎
Lines changed: 4 additions & 5 deletions
diff --git a/‎config/manifests/bases/clickhouse-operator.clusterserviceversion.yaml‎
Lines changed: 2 additions & 1 deletion b/‎config/manifests/bases/clickhouse-operator.clusterserviceversion.yaml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎dist/chart/templates/crd/clickhouseclusters.clickhouse.com.yaml‎
Lines changed: 4 additions & 5 deletions b/‎dist/chart/templates/crd/clickhouseclusters.clickhouse.com.yaml‎
Lines changed: 4 additions & 5 deletions
diff --git a/‎dist/chart/templates/crd/keeperclusters.clickhouse.com.yaml‎
Lines changed: 4 additions & 5 deletions b/‎dist/chart/templates/crd/keeperclusters.clickhouse.com.yaml‎
Lines changed: 4 additions & 5 deletions
diff --git a/‎docs/guides/configuration.mdx‎
Lines changed: 3 additions & 5 deletions b/‎docs/guides/configuration.mdx‎
Lines changed: 3 additions & 5 deletions
@@ -158,10 +158,6 @@ func (s *ClickHouseClusterSpec) WithDefaults() {
 		}
 	}
 
-	if s.Settings.TLS.CABundle != nil && s.Settings.TLS.CABundle.Key == "" {
-		s.Settings.TLS.CABundle.Key = "ca.crt"
-	}
-
 	if s.DataVolumeClaimSpec != nil && len(s.DataVolumeClaimSpec.AccessModes) == 0 {
 		s.DataVolumeClaimSpec.AccessModes = []corev1.PersistentVolumeAccessMode{DefaultAccessMode}
 	}
 
@@ -324,17 +324,27 @@ type ClusterTLSSpec struct {
 	// +kubebuilder:default:=false
 	// +optional
 	Required bool `json:"required,omitempty"`
-	// ServerCertSecretRef is a reference to a TLS Secret containing the server certificate.
+	// ServerCertSecret is a reference to a TLS Secret containing the server certificate.
 	// It is expected that the Secret has the same structure as certificates generated by cert-manager,
 	// with the certificate and private key stored under "tls.crt" and "tls.key" keys respectively.
 	// +optional
 	ServerCertSecret *corev1.LocalObjectReference `json:"serverCertSecret,omitempty"`
-	// CABundle is a reference to a TLS Secret containing the CA bundle.
-	// If empty and ServerCertSecret is specified, the CA bundle from certificate will be used.
-	// Otherwise, system trusted CA bundle will be used.
+	// CABundle is a reference to a Secret key holding a CA bundle used to verify peer certificates.
+	// If empty, the system trusted CA bundle is used.
 	// Key is defaulted to "ca.crt" if not specified.
 	// +optional
-	CABundle *SecretKeySelector `json:"caBundle,omitempty"`
+	CABundle *CABundleSelector `json:"caBundle,omitempty"`
+}
+
+// CABundleSelector selects a key holding a CA bundle from a Secret in the cluster's namespace.
+type CABundleSelector struct {
+	// The name of the secret in the cluster's namespace to select from.
+	// +kubebuilder:validation:Required
+	Name string `json:"name,omitempty"`
+	// The key of the secret to select from.  Must be a valid secret key.
+	// +kubebuilder:default:="ca.crt"
+	// +optional
+	Key string `json:"key,omitempty"`
 }
 
 // Validate validates the ClusterTLSSpec configuration.
 
@@ -5,7 +5,7 @@ LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1
 LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
 LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
 LABEL operators.operatorframework.io.bundle.package.v1=clickhouse-operator
-LABEL operators.operatorframework.io.bundle.channels.v1=stable
+LABEL operators.operatorframework.io.bundle.channels.v1=stable,fast
 LABEL operators.operatorframework.io.bundle.channel.default.v1=stable
 LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.42.2
 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
 
@@ -6460,12 +6460,12 @@ spec:
                     properties:
                       caBundle:
                         description: |-
-                          CABundle is a reference to a TLS Secret containing the CA bundle.
-                          If empty and ServerCertSecret is specified, the CA bundle from certificate will be used.
-                          Otherwise, system trusted CA bundle will be used.
+                          CABundle is a reference to a Secret key holding a CA bundle used to verify peer certificates.
+                          If empty, the system trusted CA bundle is used.
                           Key is defaulted to "ca.crt" if not specified.
                         properties:
                           key:
+                            default: ca.crt
                             description: The key of the secret to select from.  Must
                               be a valid secret key.
                             type: string
@@ -6474,7 +6474,6 @@ spec:
                               to select from.
                             type: string
                         required:
-                        - key
                         - name
                         type: object
                       enabled:
@@ -6489,7 +6488,7 @@ spec:
                         type: boolean
                       serverCertSecret:
                         description: |-
-                          ServerCertSecretRef is a reference to a TLS Secret containing the server certificate.
+                          ServerCertSecret is a reference to a TLS Secret containing the server certificate.
                           It is expected that the Secret has the same structure as certificates generated by cert-manager,
                           with the certificate and private key stored under "tls.crt" and "tls.key" keys respectively.
                         properties:
 
@@ -6110,12 +6110,12 @@ spec:
                     properties:
                       caBundle:
                         description: |-
-                          CABundle is a reference to a TLS Secret containing the CA bundle.
-                          If empty and ServerCertSecret is specified, the CA bundle from certificate will be used.
-                          Otherwise, system trusted CA bundle will be used.
+                          CABundle is a reference to a Secret key holding a CA bundle used to verify peer certificates.
+                          If empty, the system trusted CA bundle is used.
                           Key is defaulted to "ca.crt" if not specified.
                         properties:
                           key:
+                            default: ca.crt
                             description: The key of the secret to select from.  Must
                               be a valid secret key.
                             type: string
@@ -6124,7 +6124,6 @@ spec:
                               to select from.
                             type: string
                         required:
-                        - key
                         - name
                         type: object
                       enabled:
@@ -6139,7 +6138,7 @@ spec:
                         type: boolean
                       serverCertSecret:
                         description: |-
-                          ServerCertSecretRef is a reference to a TLS Secret containing the server certificate.
+                          ServerCertSecret is a reference to a TLS Secret containing the server certificate.
                           It is expected that the Secret has the same structure as certificates generated by cert-manager,
                           with the certificate and private key stored under "tls.crt" and "tls.key" keys respectively.
                         properties:
 
@@ -137,7 +137,7 @@ spec:
           every replica.
         displayName: Stateful Set Revision
         path: statefulSetRevision
-      - description: CurrentRevision indicates latest requested KeeperCluster spec
+      - description: UpdateRevision indicates latest requested KeeperCluster spec
           revision.
         displayName: Update Revision
         path: updateRevision
@@ -146,6 +146,7 @@ spec:
         path: version
       - description: |-
           VersionProbeRevision is the image hash of the last successful version probe.
+
           Deprecated: Keeper version probe Jobs are not used; this field is retained for backward compatibility.
         displayName: Version Probe Revision
         path: versionProbeRevision
 
@@ -6463,12 +6463,12 @@ spec:
                     properties:
                       caBundle:
                         description: |-
-                          CABundle is a reference to a TLS Secret containing the CA bundle.
-                          If empty and ServerCertSecret is specified, the CA bundle from certificate will be used.
-                          Otherwise, system trusted CA bundle will be used.
+                          CABundle is a reference to a Secret key holding a CA bundle used to verify peer certificates.
+                          If empty, the system trusted CA bundle is used.
                           Key is defaulted to "ca.crt" if not specified.
                         properties:
                           key:
+                            default: ca.crt
                             description: The key of the secret to select from.  Must
                               be a valid secret key.
                             type: string
@@ -6477,7 +6477,6 @@ spec:
                               to select from.
                             type: string
                         required:
-                        - key
                         - name
                         type: object
                       enabled:
@@ -6492,7 +6491,7 @@ spec:
                         type: boolean
                       serverCertSecret:
                         description: |-
-                          ServerCertSecretRef is a reference to a TLS Secret containing the server certificate.
+                          ServerCertSecret is a reference to a TLS Secret containing the server certificate.
                           It is expected that the Secret has the same structure as certificates generated by cert-manager,
                           with the certificate and private key stored under "tls.crt" and "tls.key" keys respectively.
                         properties:
 
@@ -6113,12 +6113,12 @@ spec:
                     properties:
                       caBundle:
                         description: |-
-                          CABundle is a reference to a TLS Secret containing the CA bundle.
-                          If empty and ServerCertSecret is specified, the CA bundle from certificate will be used.
-                          Otherwise, system trusted CA bundle will be used.
+                          CABundle is a reference to a Secret key holding a CA bundle used to verify peer certificates.
+                          If empty, the system trusted CA bundle is used.
                           Key is defaulted to "ca.crt" if not specified.
                         properties:
                           key:
+                            default: ca.crt
                             description: The key of the secret to select from.  Must
                               be a valid secret key.
                             type: string
@@ -6127,7 +6127,6 @@ spec:
                               to select from.
                             type: string
                         required:
-                        - key
                         - name
                         type: object
                       enabled:
@@ -6142,7 +6141,7 @@ spec:
                         type: boolean
                       serverCertSecret:
                         description: |-
-                          ServerCertSecretRef is a reference to a TLS Secret containing the server certificate.
+                          ServerCertSecret is a reference to a TLS Secret containing the server certificate.
                           It is expected that the Secret has the same structure as certificates generated by cert-manager,
                           with the certificate and private key stored under "tls.crt" and "tls.key" keys respectively.
                         properties:
 
@@ -365,10 +365,9 @@ spec:
 
 ### SSL certificate secret format {#ssl-certificate-secret-format}
 
-It is expected that the Secret contains the following keys:
+It is expected that the Secret contains the server keypair:
 - `tls.crt` - PEM encoded server certificate
 - `tls.key` - PEM encoded private key
-- `ca.crt` - PEM encoded CA certificate chain
 
 <Note>
 This format is compatible with cert-manager generated certificates.
@@ -378,10 +377,9 @@ This format is compatible with cert-manager generated certificates.
 
 If KeeperCluster has TLS enabled, ClickHouseCluster would use secure connection to Keeper nodes automatically.
 
-ClickHouseCluster should be able to verify Keeper nodes certificates.
-If ClickHouseCluster has TLS enabled, is uses `ca.crt` bundle for verification. Otherwise, default CA bundle is used.
+ClickHouseCluster verifies Keeper node certificates against the system trust store, plus any `caBundle` you configure.
 
-User may provide a custom CA bundle reference:
+To trust a private CA (for example, a self-signed or internal CA), provide a custom CA bundle reference:
 
 ```yaml
 spec:
Original file line number	Diff line number	Diff line change
`@@ -158,10 +158,6 @@ func (s *ClickHouseClusterSpec) WithDefaults() {`
`158`	`158`	`}`
`159`	`159`	`}`
`160`	`160`
`161`		`- if s.Settings.TLS.CABundle != nil && s.Settings.TLS.CABundle.Key == "" {`
`162`		`- s.Settings.TLS.CABundle.Key = "ca.crt"`
`163`		`- }`
`164`		`-`
`165`	`161`	`if s.DataVolumeClaimSpec != nil && len(s.DataVolumeClaimSpec.AccessModes) == 0 {`
`166`	`162`	`s.DataVolumeClaimSpec.AccessModes = []corev1.PersistentVolumeAccessMode{DefaultAccessMode}`
`167`	`163`	`}`