Enable TLS


Native port change from 9000 to 9440

When TLS is enabled, the native clickhouse interface listens on port 9440.

You should use TLS when communicating with Hydrolix endpoints. The traefik component manages TLS. By default, Hydrolix uses a self signed certificate.

If you want to use cert-manager to generate and manage certificates for you, see Add a Custom Certificate .

To enable TLS, update the protocol section of the hydrolix_url component to https in your hydrolixcluster.yaml configuration file:


  hydrolix_url: https://demo.hydrolix.net -> Will force Hydrolix cluster to use TLS
  hydrolix_url: http://demo.hydrolix.net -> Will force Hydrolix cluster to use plain HTTP.


Add a Certificate

Hydrolix provides multiple ways to manage certificates on your cluster. You can:

  • generate and manage the certificate entirely within Hydrolix
  • upload your own certificate to your cluster

Generate a Certificate with Hydrolix

Hydrolix can handle TLS certificate generation for you.

You'll need:

  • an active DNS record for your Hydrolix cluster's URL
  • public access to the IP that hosts your cluster (for the certificate challenge)


  1. Set the configuration option acme_enabled to true in hydrolixcluster.yaml.
  2. Load the configuration changes to your Hydrolix cluster. Hydrolix will automatically generate a certificate for your cluster and store it in a Kubernetes secret named traefik-tls.

If your cluster uses an allowlist, Hydrolix will add the Buypass ACME certificate provider IP address to the allowlist. If your cluster does not use an allowlist, Hydrolix uses the Let's Encrypt certificate provider.

Hydrolix refreshes the certificate weekly.

Load Your Own Certificate

To specify a certificate, load one with kubectl:

kubectl create secret tls traefik-tls --key=certificates.key --cert=fullchain.pem

This creates a secret in Kubernetes called traefik-tls and stores your certificate and private key in that secret. traefik automatically checks for the traefik-tls secret, and uses it if a valid configuration exists.


Certificate Chain Order

Kubernetes requires full chain certificates. Certificate chain should begin with your certificate, continue with intermediate certificates down the chain, and end with the root certificate:

{ Your issued Certificate }
{ Intermediate Certificate }
{ Root Certificate }

To put your changes into effect, restart traefik with the following command:

kubectl rollout restart deployment traefik

Renew a Certificate

To renew a certificate:

  • Delete the existing traefik-tls secret:
    kubectl delete secret traefik-tls
  • Create a new traefik-tls secret containing the new certificate:
    kubectl create secret tls traefik-tls --key=privkey.pem --cert=fullchain.pem
  • Restart traefik to put your changes into effect:
    kubectl rollout restart deployment traefik