v.21.6Improvement

Added SSL Support for ClickHouse-Keeper as Experimental ZooKeeper Replacement

Published: November 25, 2025

Added ability to run clickhouse-keeper (experimental drop-in replacement to ZooKeeper) with SSL. Config settings keeper_server.tcp_port_secure can be used for secure interaction between client and keeper-server. keeper_server.raft_configuration.secure can be used to enable internal secure communication between nodes. #22992 (alesapin).

Added the ability to run clickhouse-keeper, an experimental drop-in replacement for ZooKeeper, with SSL support for secure communication.

Why it matters

This feature enhances security by enabling encrypted connections between clients and the clickhouse-keeper server, as well as secure internal communication between nodes. It addresses the need for confidentiality and integrity of data transmitted within distributed coordination services.

How to use it

To enable secure communication, set the configuration option keeper_server.tcp_port_secure for client-to-server SSL connections. For secure internal node communication, enable SSL by setting keeper_server.raft_configuration.secure to true in the configuration files.

Related resources

Pull Request #22992