Open
Conversation
|
|
vkazmirchuk
changed the title
- Add CLICKHOUSE_TLS_MODE to README mTLS section with valid options - Update ClickHouseConfig docstring with TLS_MODE variable feat: add CLICKHOUSE_TLS_MODE support for proxy/strict modes docs: add mTLS configuration documentation Document new environment variables for mutual TLS authentication: - CLICKHOUSE_CA_CERT - CLICKHOUSE_CLIENT_CERT - CLICKHOUSE_CLIENT_CERT_KEY Include example configuration for mTLS setup. feat: add mTLS (mutual TLS) support Add support for client certificate authentication (mTLS) via new environment variables: - CLICKHOUSE_CA_CERT: Path to CA certificate file - CLICKHOUSE_CLIENT_CERT: Path to client certificate file - CLICKHOUSE_CLIENT_CERT_KEY: Path to client private key file These parameters are passed to clickhouse-connect's get_client() function to enable secure connections to ClickHouse servers that require mutual TLS authentication.
vkazmirchuk
force-pushed
the
feature/mtls-support
branch
from
677e608 to
5fe1cb8
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR adds support for mutual TLS (mTLS) client certificate authentication, enabling connections to ClickHouse servers that require client certificates.
Changes
Added new environment variables in
mcp_env.py:CLICKHOUSE_CA_CERT: Path to CA certificate file for SSL verificationCLICKHOUSE_CLIENT_CERT: Path to client certificate file for mTLS authenticationCLICKHOUSE_CLIENT_CERT_KEY: Path to client private key file (optional if using combined .pem)CLICKHOUSE_TLS_MODE: TLS mode for client certificate usage (mutual,proxy, orstrict)Updated
get_client_config()to pass these parameters toclickhouse_connect.get_client()Added comprehensive documentation in
README.md:Motivation
Some ClickHouse deployments require mutual TLS authentication for enhanced security. Currently, there's no way to configure client certificates in mcp-clickhouse, which prevents connections to such servers.
The
clickhouse-connectlibrary already supports these parameters (ca_cert,client_cert,client_cert_key,tls_mode), so this PR simply exposes them through environment variables.Example Usage
{ "mcpServers": { "mcp-clickhouse": { "command": "uv", "args": ["run", "--with", "mcp-clickhouse", "--python", "3.10", "mcp-clickhouse"], "env": { "CLICKHOUSE_HOST": "your-secure-clickhouse.example.com", "CLICKHOUSE_PORT": "8443", "CLICKHOUSE_USER": "your-user", "CLICKHOUSE_PASSWORD": "your-password", "CLICKHOUSE_SECURE": "true", "CLICKHOUSE_CA_CERT": "/path/to/ca.crt", "CLICKHOUSE_CLIENT_CERT": "/path/to/client.crt", "CLICKHOUSE_CLIENT_CERT_KEY": "/path/to/client.key", "CLICKHOUSE_TLS_MODE": "mutual" } } } }Testing