paulbsd-salt/states/clickhouse/templates/tls.xml.j2

{%- from "clickhouse/map.jinja" import clickhouse with context %}
<clickhouse>
  <openSSL>
    <server>
        <certificateFile>/etc/clickhouse-server/certs/{{ salt['grains.get']('fqdn') }}.crt</certificateFile>
        <privateKeyFile>/etc/clickhouse-server/certs/{{ salt['grains.get']('fqdn') }}.key</privateKeyFile>
        <verificationMode>relaxed</verificationMode>
        <caConfig>/etc/clickhouse-server/certs/{{ clickhouse.cluster }}_ca.crt</caConfig>
        <cacheSessions>true</cacheSessions>
        <disableProtocols>sslv2,sslv3</disableProtocols>
        <preferServerCiphers>true</preferServerCiphers>
    </server>
    <client>
        <loadDefaultCAFile>false</loadDefaultCAFile>
        <caConfig>/etc/clickhouse-server/certs/{{ clickhouse.cluster }}_ca.crt</caConfig>
        <cacheSessions>true</cacheSessions>
        <disableProtocols>sslv2,sslv3</disableProtocols>
        <preferServerCiphers>true</preferServerCiphers>
        <verificationMode>relaxed</verificationMode>
        <invalidCertificateHandler>
            <name>RejectCertificateHandler</name>
        </invalidCertificateHandler>
    </client>
  </openSSL>
</clickhouse>