feat: part 1 of TLS configs: external TLS

[fkywong]

Summary

• Exposes HTTPS and TCP secure ports as extra ports.
• Adds smoke test on top of TLS support introduced in 0b1a57d.
• Testing improvements:
  1. Small refactor to support OrbStack as a Kubernetes cluster provider for local testing in addition to the existing Minikube + Docker option.
  2. Bugfix for dangling namespaces when tests finish (see tests/steps/kubernetes.py: remove_chi_finalizers(...)).

(Screenshot of the t10-tls ClickHouse cluster from the TestFlows smoke test fixtures showing HTTPS.)

Tests

All existing and new test fixtures/scenarios pass locally:

Mar 05,2026 21:28:39           ⟥  And I clean up, flags:TE|MANDATORY|CLEANUP
Mar 05,2026 21:28:39             ⟥  And uninstall ClickHouse Operator, flags:TE|MANDATORY|CLEANUP
               115us             ⟥    [note] > helm uninstall upgrade -n upgrade
               300ms             ⟥⟤ OK uninstall ClickHouse Operator, /smoke/comprehensive/check all upgrades/upgrade_initial_to_upgrade/I clean up/uninstall ClickHouse Operator
               300ms           ⟥⟤ OK I clean up, /smoke/comprehensive/check all upgrades/upgrade_initial_to_upgrade/I clean up
              4m 37s         ⟥⟤ OK upgrade_initial_to_upgrade, /smoke/comprehensive/check all upgrades/upgrade_initial_to_upgrade
              4m 37s       ⟥⟤ OK check all upgrades, /smoke/comprehensive/check all upgrades
Mar 05,2026 21:28:39       ⟥  Finally I clean up, flags:TE|MANDATORY|CLEANUP
               277us       ⟥    [note] OrbStack environment lifecycle is managed outside of this framework.
               304us       ⟥⟤ OK I clean up, /smoke/comprehensive/I clean up
              11m 3s     ⟥⟤ OK comprehensive, /smoke/comprehensive
              11m 3s   ⟥⟤ OK smoke, /smoke

Passing

✔ [ OK ] '/smoke/comprehensive/check all fixtures/deploy_01-minimal-single-node' (52s 37ms)
✔ [ OK ] '/smoke/comprehensive/check all fixtures/deploy_02-replicated-with-users' (2m 58s)
✔ [ OK ] '/smoke/comprehensive/check all fixtures/deploy_08-extracontainer-data-mount' (51s 264ms)
✔ [ OK ] '/smoke/comprehensive/check all fixtures/deploy_09-usersprofiles-settings' (50s 901ms)
✔ [ OK ] '/smoke/comprehensive/check all fixtures/deploy_10-tls' (52s 969ms)
✔ [ OK ] '/smoke/comprehensive/check all fixtures' (6m 25s)
✔ [ OK ] '/smoke/comprehensive/check all upgrades/upgrade_initial_to_upgrade' (4m 37s)
✔ [ OK ] '/smoke/comprehensive/check all upgrades' (4m 37s)
✔ [ OK ] '/smoke/comprehensive' (11m 3s)
✔ [ OK ] '/smoke' (11m 3s)

1 module (1 ok)
3 features (3 ok)
6 scenarios (6 ok)
90 steps (90 ok)

Total time 11m 3s

Executed on Mar 05,2026 21:17
TestFlows.com Open-Source Software Testing Framework v2.0.240813.1212956

References

• Altinity/helm-charts#62
• ClickHouse operator hardening guide (github.com)
• [Altinity Operations Guide] Security: Network Hardening (docs.altinity.com)

[fkywong]

Every other kubectl command wrapped with run(...) in this file is already not prefixed with minikube, so I think this change is safe.

[joshleecreates]

Thank you, please give us some time to review.

[fkywong]

Tangential optimization to not wrap every clickhouse.settings.* value in quotes. Instead, if the value is fully numeric, it won't quote the value, allowing the type to remain as a number.

This allows the generated spec to look similar to the documented example:

spec:
  configuration:
    clusters:
    # ...
    settings:
      tcp_port: 9000
      tcp_port_secure: 9440
      https_port: 8443