Deployment
We can host everything you’ll need to use RunReveal in your account including the data pipeline.
To get started with RunReveal BYOC, please contact our team for personalized guidance and setup assistance. We’ll work with you to design a deployment that meets your specific requirements and security needs.
Contact us at [email protected] or through the chat on our website to schedule a consultation.
SPIFFE/mTLS Authentication for ClickHouse
RunReveal supports SPIFFE-based mTLS authentication for ClickHouse connections. This enables certificate-based authentication with automatic certificate rotation, eliminating the need for password management.
Configuration
SPIFFE authentication is configured in the clickhouse.spiffe section of your configuration:
{
  "common": {
    "clickhouse": {
      "spiffe": {
        "defaultDestEnabled": false,
        "certPath": "/etc/identity/tls.crt",
        "keyPath": "/etc/identity/tls.key",
        "caCertPath": "/etc/identity/ca.crt",
        "refreshInterval": "10m"
      }
    }
  }
}

Configuration Options
| Option | Description | Default |
|---|---|---|
| defaultDestEnabled | Enable SPIFFE for the default/multi-tenant ClickHouse destination | false |
| certPath | Path to the client certificate file | /etc/identity/tls.crt |
| keyPath | Path to the client private key file | /etc/identity/tls.key |
| caCertPath | Path to the CA certificate for server verification | (none) |
| refreshInterval | How often to check for certificate changes | 10m |
Usage Scenarios
SPIFFE for BYODB destinations only:
Configure certificate paths but set defaultDestEnabled: false. This allows individual ClickHouse destinations to opt in to SPIFFE authentication while the default multi-tenant cluster uses standard authentication.
{
  "clickhouse": {
    "spiffe": {
      "defaultDestEnabled": false,
      "certPath": "/etc/identity/tls.crt",
      "keyPath": "/etc/identity/tls.key",
      "caCertPath": "/etc/identity/ca.crt"
    }
  }
}

SPIFFE for all connections:
Set defaultDestEnabled: true to use SPIFFE authentication for both the default ClickHouse cluster and any BYODB destinations that enable it.
{
  "clickhouse": {
    "spiffe": {
      "defaultDestEnabled": true,
      "certPath": "/etc/identity/tls.crt",
      "keyPath": "/etc/identity/tls.key",
      "caCertPath": "/etc/identity/ca.crt"
    }
  }
}

When SPIFFE is enabled, certificates are automatically watched and reloaded when they change on disk. This integrates seamlessly with SPIFFE/SPIRE identity systems that rotate certificates periodically.
ClickHouse Server Configuration
Your ClickHouse server must be configured to accept certificate-based authentication. This typically involves:
- Enabling TLS on ClickHouse (HTTPS interface)
- Configuring ClickHouse to trust your CA certificate
- Setting up user authentication via SSL certificates
Refer to the ClickHouse SSL documentation for detailed server configuration.