feat: Add documentation on Clickhouse Collector + Analyzer

See also: replicatedhq/troubleshoot#1967

Author: Blokje5

docs/analyze/clickhouse.md

@@ -0,0 +1,58 @@
+---
+title: "ClickHouse"
+description: "Check version and connection status"
+tags: ["analyze"]
+---
+
+
+The `ClickHouse` analyzer is available to check version and connection status of a ClickHouse database.
+It relies on the data collected by the [ClickHouse collector](/docs/collect/clickhouse/).
+
+The analyzer's outcome `when` clause may be used to evaluate the database connection status or a semver range to compare against the running version, and supports standard comparison operators.
+
+## Parameters
+
+**checkName:** Optional name.
+
+**collectorName:** (Recommended) Must match the `collectorName` specified by the ClickHouse collector.
+
+## Outcomes
+
+The `when` value in an outcome of this analyzer contains the connection or version information.
+
+The conditional in the when value supports the following:
+
+**connected:** A boolean representing whether the database is connected.
+Can be compared to a boolean value with the `==` operator.
+
+**version:** A string representing the semantic version of the database.
+Can be compared to a semver string using `<`, `<=`, `>`, `>=`, `==`, `!=`, with the letter 'x' as a version wildcard (25.x).
+The 'x' is parsed as '0'.
+
+## Example Analyzer Definition
+
+```yaml
+apiVersion: troubleshoot.sh/v1beta2
+kind: Preflight
+metadata:
+  name: supported-clickhouse-version
+spec:
+  collectors:
+    - clickhouse:
+        collectorName: clickhouse
+        uri: 'clickhouse://user:password@hostname:9000/defaultdb'
+  analyzers:
+    - clickhouse:
+        checkName: Must be ClickHouse 25.x or later
+        collectorName: clickhouse
+        outcomes:
+          - fail:
+              when: connected == false
+              message: Cannot connect to ClickHouse server
+          - fail:
+              when: version < 25.x
+              message: The ClickHouse server must be at least version 25
+          - pass:
+              message: The ClickHouse server is ready
+```
+

docs/collect/all.md

@@ -34,6 +34,7 @@ tags: ["collect"]
 - [postgresql](./postgresql): collects information related to a postgresql server
 - [mysql](./mysql): collects information related to a mysql server
 - [redis](./redis): collects information related to a redis cluster
+- [clickhouse](./clickhouse.md) collects information related to a ClickHouse cluster
 
 ## CSI
 

docs/collect/clickhouse.md

@@ -0,0 +1,166 @@
+---
+title: "ClickHouse"
+description: "Include connection details from a ClickHouse server"
+tags: ["collect"]
+---
+
+The data collector will validate and add information about a ClickHouse server to a support bundle.
+
+## Parameters
+
+The data collector has the following parameters:
+
+#### `collectorName` (Recommended)
+The name of the collector.
+This is recommended to set to a string identifying the ClickHouse instance, and can be used to refer to this collector in analyzers and preflight checks.
+If unset, this will be set to the string "clickhouse".
+
+#### `uri` (Required)
+The connection URI to use when connecting to the ClickHouse server.  The ClickHouse collector uses the clickhous-go [`ParseDSN()`](https://pkg.go.dev/github.com/ClickHouse/clickhouse-go/v2#ParseDSN) function which expects URL-encoded connection strings. This relies on `url.Parse()`(https://pkg.go.dev/net/url#Parse) to parse the connection URI.
+If your password contains special characters, like `@`, `#`, `&`, etc., you may need to URL-encode the password.
+
+#### `tls` (Optional)
+
+TLS parameters are required whenever connections to the target ClickHouse server are encrypted using TLS. The server can be configured to authenticate clients (`mTLS`) or to secure the connection (`TLS`). This is controlled via the `verificationMode` setting in the Clickhouse Configuration. If `verificationMode` is strict, ClickHouse will additinally validate the client certificate. See the [OpenSSL configuration settings of ClickHouse](https://clickhouse.com/docs/operations/server-configuration-parameters/settings#openssl) for more details.
+
+In `mTLS` mode, the required parameters are `client certificate`, `private key` and a `CA certificate`. If the server is configured to encrypt only the connection, then only the `CA certificate` is required. When the `skipVerify` option is set to `true`, then verifying the server certificate can be skipped. The `skipVerify` option is available only in `TLS` mode.
+
+## Example Collector Definitions
+
+Plain text connection to a server:
+```yaml
+apiVersion: troubleshoot.sh/v1beta2
+kind: SupportBundle
+metadata:
+  name: sample
+spec:
+  collectors:
+    - clickhouse:
+        collectorName: clickhouse-collector
+        uri: clickhouse://user:password@hostname:9000/defaultdb
+```
+
+URL-encoded password with special characters, using [Helm's `urlquery` function](https://helm.sh/docs/chart_template_guide/function_list/#urlquery):
+```yaml
+apiVersion: troubleshoot.sh/v1beta2
+kind: SupportBundle
+metadata:
+  name: sample
+spec:
+  collectors:
+    - clickhouse:
+        collectorName: clickhouse-collector
+        uri: 'clickhouse://{{ $db_user | urlquery }}:{{ $db_pass | urlquery }}@{{ $db_host }}:{{ $db_port }}/{{ $db_name }}'
+```
+
+Secured (`mTLS`) connection to a server with inline TLS parameter configurations. The parameters must be in `PEM` format:
+```yaml
+apiVersion: troubleshoot.sh/v1beta2
+kind: SupportBundle
+metadata:
+  name: sample
+spec:
+  collectors:
+    - clickhouse:
+        collectorName: clickhouse-collector
+        uri: clickhouse://user:password@hostname:9000/defaultdb
+        tls:
+          cacert: |
+            -----BEGIN CERTIFICATE-----
+            ...
+            <truncated>
+            ...
+            -----END CERTIFICATE-----
+          clientCert: |
+            -----BEGIN CERTIFICATE-----
+            ...
+            <truncated>
+            ...
+            -----END CERTIFICATE-----
+          clientKey: |
+            -----BEGIN RSA PRIVATE KEY-----
+            ...
+            <truncated>
+            ...
+            -----END RSA PRIVATE KEY-----
+```
+
+Secured (`mTLS`) connection to a server with TLS parameters stored in a Kubernetes secret as `stringData`. The parameters must be in `PEM` format:
+```yaml
+apiVersion: troubleshoot.sh/v1beta2
+kind: Preflight
+metadata:
+  name: sample
+spec:
+  collectors:
+    - clickhouse:
+        collectorName: clickhouse-collector
+        uri: clickhouse://user:password@hostname:9000/defaultdb
+        tls:
+          secret:
+            # This secret must contain the following keys:
+            # cacert: <CA PEM cert>
+            # clientCert: <Client PEM cert> if mTLS
+            # clientKey: <Client PEM key> if mTLS
+            name: pg-tls-secret
+            namespace: default
+```
+
+Encrypted (`TLS`) connection to a server with TLS parameters inline. The parameters must be in `PEM` format. In this case, the server is configured not to authenticate clients:
+```yaml
+apiVersion: troubleshoot.sh/v1beta2
+kind: Preflight
+metadata:
+  name: dbs-collector
+spec:
+  collectors:
+    - clickhouse:
+        collectorName: clickhouse-collector
+        uri: clickhouse://user:password@hostname:9000/defaultdb
+        tls:
+          cacert: |
+            -----BEGIN CERTIFICATE-----
+            ...
+            <truncated>
+            ...
+            -----END CERTIFICATE-----
+```
+
+Skip verification of the server certificate when creating an encrypted connection. This works only if the ClickHouse server has `verificationMode` set to `relaxed`. This means the connection will not validate the signing of the ClickHouse server certificate. The connection remains encrypted:
+```yaml
+apiVersion: troubleshoot.sh/v1beta2
+kind: Preflight
+metadata:
+  name: dbs-collector
+spec:
+  collectors:
+    - clickhouse:
+        collectorName: clickhouse-collector
+        uri: clickhouse://user:password@hostname:9000/defaultdb
+        tls:
+          skipVerify: true
+```
+
+## Included resources
+
+A single JSON file will be added to the support bundle, in the path `/clickhouse/[collector-name].json`:
+
+```json
+{
+    "isConnected": false,
+    "error": "Code: 241. DB::Exception: Received from ***:9000 ....",
+    "version": "10.12",
+}
+```
+
+### Fields
+
+#### `isConnected`
+a boolean indicating if the collector was able to connect and authenticate using the connection string provided.
+
+#### `error`
+a string that indicates the connection error, if there was one.
+
+#### `version`
+when connected, a string indicating the version of ClickHouse that's running. Note that it is a valid Semver version, meaning
+commit information has been stripped from the version.

sidebars.ts

@@ -75,6 +75,7 @@ const sidebars: SidebarsConfig = {
             "collect/node-metrics",
             "collect/postgresql",
             "collect/redis",
+            "collect/clickhouse",
             "collect/registry-images",
             "collect/sonobuoy",
             "collect/sysctl",
@@ -127,6 +128,7 @@ const sidebars: SidebarsConfig = {
             "analyze/mssql",
             "analyze/mysql",
             "analyze/postgresql",
+            "analyze/clickhouse",
             "analyze/redis",
             "analyze/registry-images",
             "analyze/velero",
@@ -190,4 +192,4 @@ const sidebars: SidebarsConfig = {
 ],
 };
 
-export default sidebars;
+export default sidebars;