Is your feature request related to a problem?
The ClickHouse native protocol client (internal/clickhouse/client.go) always
connects in plaintext. There is no way to use the native protocol (port 9440)
with TLS, which is required when connecting to ClickHouse clusters that mandate
encrypted connections or expose only a TLS-wrapped native endpoint.
Describe the solution you'd like
Add a tls_enable toggle to the source connection configuration. When enabled,
the connection should use TLS with certificate verification against the system
CA store. Default should be false so existing plaintext setups are unaffected.
A UI toggle in the Add/Edit source form would make this accessible without
requiring any config file changes.
Describe alternatives you've considered
Inferring TLS from the port number (e.g. 9440 → TLS) was considered but
rejected. It is fragile and non-standard. An explicit opt-in is cleaner.
Additional context
The clickhouse-go driver supports TLS natively via clickhouse.Options.TLS,
so no dependency changes are needed.
Importance
Critical
Contribution
Yes, I'd like to implement this
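
A sketch of the opt-in described above, as an added example that is not code from the project or from the issue author. `SourceConfig`, `ParseSource`, `TLSConfigFor`, `ProbeUntrusted`, the JSON layout and the hostname are hypothetical; the value returned by `TLSConfigFor` is what would be assigned to `clickhouse.Options.TLS`. The probe dials a local test listener whose certificate is not in the system CA store, to show that the enabled setting rejects it.

```go
package main

import (
	"crypto/tls"
	"encoding/json"
	"fmt"
	"net/http/httptest"
)

// SourceConfig is a hypothetical shape for the source connection settings.
type SourceConfig struct {
	Host      string `json:"host"`
	Port      int    `json:"port"`
	TLSEnable bool   `json:"tls_enable"` // absent means false, so plaintext setups are unchanged
}

// ParseSource decodes a source definition (constructed JSON layout, an assumption).
func ParseSource(raw []byte) (c SourceConfig, err error) {
	err = json.Unmarshal(raw, &c)
	return
}

// TLSConfigFor returns nil for plaintext; the port is never used to infer TLS.
func TLSConfigFor(c SourceConfig) *tls.Config {
	if !c.TLSEnable {
		return nil
	}
	// RootCAs left nil selects the system CA store; InsecureSkipVerify stays false.
	return &tls.Config{ServerName: c.Host}
}

// ProbeUntrusted handshakes with a loopback TLS listener that presents a test
// certificate unknown to the system store and returns the handshake error.
func ProbeUntrusted() error {
	srv := httptest.NewTLSServer(nil)
	defer srv.Close()
	cfg := TLSConfigFor(SourceConfig{Host: "127.0.0.1", TLSEnable: true})
	conn, err := tls.Dial("tcp", srv.Listener.Addr().String(), cfg)
	if err == nil {
		conn.Close()
	}
	return err
}

func main() {
	c, _ := ParseSource([]byte(`{"host":"ch.example.internal","port":9440}`))
	fmt.Println("port 9440 without toggle uses TLS:", TLSConfigFor(c) != nil)
	fmt.Println("untrusted certificate:", ProbeUntrusted())
}
```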