Skip to content

Commit 22a176e

Browse files
fix(chart): respect clickhouse.auth.existingSecret in URL helper
When `clickhouse.deploy: true` is paired with `clickhouse.auth.existingSecret`, the chart was silently ignoring the secret reference: the `trigger-v4.clickhouse.url` and `.replication.url` helpers baked `auth.password` literal into the rendered URL while the Bitnami ClickHouse pod read the real password from the Secret, producing HTTP 401 on every CH query from the webapp. This switches both helpers to emit `$(CLICKHOUSE_PASSWORD)` and adds the matching env var on the webapp deployment, so the kubelet substitutes the real value at container-creation time. Behavior is unchanged when `existingSecret` is empty (literal password is still used). Schema for `clickhouse.auth.existingSecret` and `existingSecretKey` (default `admin-password`) added to values.yaml. Co-authored-by: Cursor <cursoragent@cursor.com>
1 parent b87e5fc commit 22a176e

3 files changed

Lines changed: 28 additions & 6 deletions

File tree

hosting/k8s/helm/templates/_helpers.tpl

Lines changed: 7 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -401,11 +401,14 @@ ClickHouse hostname
401401
{{/*
402402
ClickHouse URL for application (with secure parameter)
403403
404-
Note on the external+existingSecret branch: the password is expanded via
404+
Note on `$(CLICKHOUSE_PASSWORD)`: the password is expanded via
405405
Kubernetes' `$(VAR)` syntax, not shell `${VAR}`. Kubelet substitutes
406406
`$(CLICKHOUSE_PASSWORD)` at container-creation time from the
407407
CLICKHOUSE_PASSWORD env var declared just before CLICKHOUSE_URL in
408-
webapp.yaml. Shell-style `${...}` does not work here because
408+
webapp.yaml. Both the `deploy: true` and external+existingSecret
409+
branches use this placeholder so that the chart never bakes the
410+
password literal into a rendered URL string. Shell-style `${...}`
411+
does not work here because
409412
`docker/scripts/entrypoint.sh` assigns CLICKHOUSE_URL to GOOSE_DBSTRING
410413
with a single-pass expansion (`export GOOSE_DBSTRING="$CLICKHOUSE_URL"`),
411414
so any inner `${...}` reaches goose verbatim and fails URL parsing.
@@ -418,7 +421,7 @@ hex-encoded password or percent-encode before storing in the Secret.
418421
{{- if .Values.clickhouse.deploy -}}
419422
{{- $protocol := ternary "https" "http" .Values.clickhouse.secure -}}
420423
{{- $secure := ternary "true" "false" .Values.clickhouse.secure -}}
421-
{{ $protocol }}://{{ .Values.clickhouse.auth.username }}:{{ .Values.clickhouse.auth.password }}@{{ include "trigger-v4.clickhouse.hostname" . }}:8123?secure={{ $secure }}
424+
{{ $protocol }}://{{ .Values.clickhouse.auth.username }}:$(CLICKHOUSE_PASSWORD)@{{ include "trigger-v4.clickhouse.hostname" . }}:8123?secure={{ $secure }}
422425
{{- else if .Values.clickhouse.external.host -}}
423426
{{- $protocol := ternary "https" "http" .Values.clickhouse.external.secure -}}
424427
{{- $secure := ternary "true" "false" .Values.clickhouse.external.secure -}}
@@ -439,7 +442,7 @@ applies to the replication URL.
439442
{{- define "trigger-v4.clickhouse.replication.url" -}}
440443
{{- if .Values.clickhouse.deploy -}}
441444
{{- $protocol := ternary "https" "http" .Values.clickhouse.secure -}}
442-
{{ $protocol }}://{{ .Values.clickhouse.auth.username }}:{{ .Values.clickhouse.auth.password }}@{{ include "trigger-v4.clickhouse.hostname" . }}:8123
445+
{{ $protocol }}://{{ .Values.clickhouse.auth.username }}:$(CLICKHOUSE_PASSWORD)@{{ include "trigger-v4.clickhouse.hostname" . }}:8123
443446
{{- else if .Values.clickhouse.external.host -}}
444447
{{- $protocol := ternary "https" "http" .Values.clickhouse.external.secure -}}
445448
{{- if .Values.clickhouse.external.existingSecret -}}

hosting/k8s/helm/templates/webapp.yaml

Lines changed: 11 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -374,7 +374,17 @@ spec:
374374
- name: INTERNAL_OTEL_METRIC_EXPORTER_INTERVAL_MS
375375
value: {{ .Values.webapp.observability.metrics.exporterIntervalMs | quote }}
376376
{{- end }}
377-
{{- if and .Values.clickhouse.external.host .Values.clickhouse.external.existingSecret }}
377+
{{- if .Values.clickhouse.deploy }}
378+
- name: CLICKHOUSE_PASSWORD
379+
{{- if .Values.clickhouse.auth.existingSecret }}
380+
valueFrom:
381+
secretKeyRef:
382+
name: {{ .Values.clickhouse.auth.existingSecret }}
383+
key: {{ .Values.clickhouse.auth.existingSecretKey | default "admin-password" }}
384+
{{- else }}
385+
value: {{ .Values.clickhouse.auth.password | quote }}
386+
{{- end }}
387+
{{- else if and .Values.clickhouse.external.host .Values.clickhouse.external.existingSecret }}
378388
- name: CLICKHOUSE_PASSWORD
379389
valueFrom:
380390
secretKeyRef:

hosting/k8s/helm/values.yaml

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -550,7 +550,16 @@ clickhouse:
550550
# Bitnami ClickHouse chart configuration (when deploy: true)
551551
auth:
552552
username: "default"
553-
password: "password"
553+
password: "password" # Optional - ignored if existingSecret is set
554+
#
555+
# Secure credential management. When set, the chart resolves
556+
# CLICKHOUSE_PASSWORD from this Secret (via Kubernetes' `$(VAR)` env
557+
# substitution in the rendered URL) instead of baking the literal
558+
# `password` above into the URL helper. The Bitnami ClickHouse
559+
# subchart also reads the same fields, so the running ClickHouse
560+
# pod and the webapp agree on the password.
561+
existingSecret: "" # Name of existing secret containing password
562+
existingSecretKey: "admin-password" # Key in existing secret containing password
554563

555564
# Single-node configuration (disable clustering for dev/test)
556565
keeper:

0 commit comments

Comments
 (0)