make tls service ports compatible with #111

fkywong · fkywong · commit 113e40bae1c3 · 2026-02-20T08:53:41.000-08:00
diff --git a/charts/clickhouse/README.md b/charts/clickhouse/README.md
@@ -206,9 +206,9 @@ EOSQL
 | clickhouse.shardsCount | int | `1` | number of shards. |
 | clickhouse.users | list | `[]` | Configure additional ClickHouse users and per-user settings. |
 | clickhouse.tls | object | | TLS certificate configuration for HTTPS/TLS connections. See [examples/values-tls.yaml](examples/values-tls.yaml) for a concrete example. |
-| clickhouse.tls.enabled | bool | `false` | Enable TLS. When true, adds `https_port` and `tcp_port_secure` to ClickHouse settings and exposes secure ports on Service resources. Requires `clickhouse.extraPorts` to declare the corresponding container ports on the pod template. |
-| clickhouse.tls.httpsPort | int | `8443` | HTTPS port for secure HTTP connections. |
-| clickhouse.tls.secureTcpPort | int | `9440` | Secure native TCP port for encrypted client connections. |
+| clickhouse.tls.enabled | bool | `false` | Enable TLS. When true, adds `https_port` and `tcp_port_secure` to ClickHouse settings and exposes secure ports on Service resources. |
+| clickhouse.tls.httpsPort | int | `8443` | HTTPS port for secure HTTP connections. Will automatically be added to Service resources with the name `https` iff that name isn't already used in `clickhouse.extraPorts`. |
+| clickhouse.tls.secureTcpPort | int | `9440` | Secure native TCP port for encrypted client connections. Will automatically be added to Service resources with the name `tcp-secure` iff that name isn't already used in `clickhouse.extraPorts`. |
 | clickhouse.tls.certificateFile | object | | Server X509 certificate file. Requires `configFileName` and exactly one of `inlineFileContent` or `secretReference`. |
 | clickhouse.tls.certificateFile.configFileName | string | | Part of the destination filepath within the ClickHouse pod. Inline content is placed under `config.d/`; secret reference is placed under `secrets.d/`. See [here](https://github.com/Altinity/clickhouse-operator/blob/release-0.25.6/docs/security_hardening.md?plain=1#L428-L429) for the exact filepath format. |
 | clickhouse.tls.certificateFile.inlineFileContent | string | | Certificate content embedded directly in the CHI spec. Mutually exclusive with `secretReference`. |
diff --git a/charts/clickhouse/examples/values-tls.yaml b/charts/clickhouse/examples/values-tls.yaml
@@ -1,16 +1,4 @@
 clickhouse:
-  # If you enable TLS _without_ enabling secret-based cluster communication
-  # (i.e. `clusterSecret.enabled: false`), then you need to expose the secure ports
-  # on the pod containers via the `extraPorts:` config. Otherwise, the load balancer
-  # won't be able to route traffic to them. This is not necessary if you also enable
-  # secret-based cluster communication (i.e. `clusterSecret.enabled: true`).
-  # See: https://github.com/Altinity/clickhouse-operator/blob/release-0.25.6/docs/security_hardening.md?plain=1#L516
-  extraPorts:
-    - name: https
-      containerPort: &httpsPort 8443
-    - name: tcp-secure
-      containerPort: &tcpSecurePort 9440
-
   tls:
     enabled: true
     # httpsPort: *httpsPort          # HTTPS port (default: 8443)
diff --git a/charts/clickhouse/templates/chi.yaml b/charts/clickhouse/templates/chi.yaml
@@ -1,4 +1,8 @@
 {{- $service_name := tpl (include "clickhouse.serviceTemplateName" . ) . -}}
+{{- $extraPortNames := list }}
+{{- range .Values.clickhouse.extraPorts }}
+{{- $extraPortNames = append $extraPortNames .name }}
+{{- end }}
 {{- $tlsEnabled := and .Values.clickhouse.tls .Values.clickhouse.tls.enabled -}}
 {{- $httpsPort := (((.Values.clickhouse).tls).httpsPort) | default 8443 -}}
 {{- $secureTcpPort := (((.Values.clickhouse).tls).secureTcpPort) | default 9440 -}}
@@ -66,12 +70,16 @@ spec:
             {{- end }}
             {{- end }}
             {{- if $tlsEnabled }}
+              {{- if not (has "https" $extraPortNames) }}
             - name: https
               port: {{ $httpsPort }}
               targetPort: {{ $httpsPort }}
+              {{- end }}
+              {{- if not (has "tcp-secure" $extraPortNames) }}
             - name: tcp-secure
               port: {{ $secureTcpPort }}
               targetPort: {{ $secureTcpPort }}
+              {{- end }}
             {{- end }}
           selector:
             {{- include "clickhouse.selectorLabels" . | nindent 12 }}
@@ -108,12 +116,16 @@ spec:
             {{- end }}
             {{- end }}
             {{- if $tlsEnabled }}
+              {{- if not (has "https" $extraPortNames) }}
             - name: https
               port: {{ $httpsPort }}
               targetPort: {{ $httpsPort }}
+              {{- end }}
+              {{- if not (has "tcp-secure" $extraPortNames) }}
             - name: tcp-secure
               port: {{ $secureTcpPort }}
               targetPort: {{ $secureTcpPort }}
+              {{- end }}
             {{- end }}
           selector:
             {{- include "clickhouse.selectorLabels" . | nindent 12 }}
