feat(clickhouse): load TLS certificate from Kubernetes secret

[jkaflik]

Adds tls_certificate_secret_name ClickHouse config that is used to dynamically load TLS certificate from Kubernetes secret, in a format compatible with cert-manager. (https://cert-manager.io/docs/usage/certificate/)

The feature is gated with PEERDB_CLICKHOUSE_TLS_K8S_SECRET_ENABLED and enabled by default. It can be used to force fallback into an inline certificate.

This comes with a little refactor to the ClickHouse peer's Connect function.

[codecov]

❌ 2 Tests Failed:

Tests completed	Failed	Passed	Skipped
1679	2	1677	163

View the top 2 failed test(s) by shortest run time

github.com/PeerDB-io/peerdb/flow/e2e::TestClickHouseTLSInlineCerts

Stack Traces | 0.03s run time

=== RUN   TestClickHouseTLSInlineCerts
    clickhouse_tls_test.go:88: 
        	Error Trace:	.../flow/e2e/clickhouse_tls_test.go:88
        	Error:      	Received unexpected error:
        	            	clickhouse [ScanRow]: (1) converting UInt8 to *uint64 is unsupported. try using *uint8
        	Test:       	TestClickHouseTLSInlineCerts
        	Messages:   	failed to execute SELECT 1
--- FAIL: TestClickHouseTLSInlineCerts (0.03s)

github.com/PeerDB-io/peerdb/flow/e2e::TestClickHouseTLSK8sSecret

Stack Traces | 0.2s run time

=== RUN   TestClickHouseTLSK8sSecret
2026/02/14 09:32:54 INFO K8s Secret store initialized namespace=test-namespace
    clickhouse_tls_test.go:163: 
        	Error Trace:	.../flow/e2e/clickhouse_tls_test.go:163
        	Error:      	Received unexpected error:
        	            	clickhouse [ScanRow]: (1) converting UInt8 to *uint64 is unsupported. try using *uint8
        	Test:       	TestClickHouseTLSK8sSecret
        	Messages:   	failed to execute SELECT 1
--- FAIL: TestClickHouseTLSK8sSecret (0.20s)

To view more test analytics, go to the Test Analytics Dashboard
_{📋 Got 3 mins? Take this short survey to help us improve Test Analytics.}