ClickhouseUser

Usage examples

Prerequisites

  • A Kubernetes cluster with the operator installed using helm, kubectl or kind (for local development).
  • A Kubernetes Secret with an Aiven authentication token.

# This example demonstrates how to use ClickhouseUser with connInfoSecretSource
# for credential management. The ClickhouseUser will use a
# predefined password from an existing secret.

apiVersion: v1
kind: Secret
metadata:
  name: predefined-credentials
data:
  # MyCustomPassword123! base64 encoded
  PASSWORD: TXlDdXN0b21QYXNzd29yZDEyMyE= # gitleaks:allow

---

apiVersion: aiven.io/v1alpha1
kind: Clickhouse
metadata:
  name: my-clickhouse
spec:
  authSecretRef:
    name: aiven-token
    key: token

  project: aiven-project-name
  cloudName: google-europe-west1
  plan: startup-16

  connInfoSecretTarget:
    name: clickhouse-connection
    prefix: CH_
    annotations:
      example: clickhouse-service
    labels:
      service: clickhouse

---

apiVersion: aiven.io/v1alpha1
kind: ClickhouseUser
metadata:
  name: my-clickhouse-user
spec:
  authSecretRef:
    name: aiven-token
    key: token

  connInfoSecretTarget:
    name: clickhouse-user-secret
    prefix: MY_CLICKHOUSE_PREFIX_
    annotations:
      foo: bar
    labels:
      baz: egg

  # Use existing secret for credential management
  connInfoSecretSource:
    name: predefined-credentials
    # namespace: my-namespace  # Optional: defaults to same namespace as ClickhouseUser
    passwordKey: PASSWORD

  project: aiven-project-name
  serviceName: my-clickhouse
  username: example-username

# A separate example: a ClickhouseUser without connInfoSecretSource.

apiVersion: aiven.io/v1alpha1
kind: ClickhouseUser
metadata:
  name: my-clickhouse-user
spec:
  authSecretRef:
    name: aiven-token
    key: token

  connInfoSecretTarget:
    name: clickhouse-user-secret
    annotations:
      foo: bar
    labels:
      baz: egg

  project: my-aiven-project
  serviceName: my-clickhouse
  username: example-username

---

apiVersion: aiven.io/v1alpha1
kind: Clickhouse
metadata:
  name: my-clickhouse
spec:
  authSecretRef:
    name: aiven-token
    key: token

  project: my-aiven-project
  cloudName: google-europe-west1
  plan: startup-16

Apply the resource with:

kubectl apply -f example.yaml

Verify the newly created ClickhouseUser:

kubectl get clickhouseusers my-clickhouse-user

The output is similar to the following:

Name                  Username            Service Name     Project               
my-clickhouse-user    example-username    my-clickhouse    aiven-project-name    

To view the details of the Secret, use the following command:

kubectl describe secret clickhouse-user-secret

You can use jq to quickly decode the Secret:

kubectl get secret clickhouse-user-secret -o json | jq '.data | map_values(@base64d)'

The output is similar to the following:

{
    "CLICKHOUSEUSER_HOST": "<secret>",
    "CLICKHOUSEUSER_PORT": "<secret>",
    "CLICKHOUSEUSER_USER": "<secret>",
    "CLICKHOUSEUSER_PASSWORD": "<secret>"
}

ClickhouseUser

ClickhouseUser is the Schema for the clickhouseusers API.

Exposes secret keys

CLICKHOUSEUSER_HOST, CLICKHOUSEUSER_PORT, CLICKHOUSEUSER_USER, CLICKHOUSEUSER_PASSWORD.

Required

  • apiVersion (string). Value aiven.io/v1alpha1.
  • kind (string). Value ClickhouseUser.
  • metadata (object). Data that identifies the object, including a name string and optional namespace.
  • spec (object). ClickhouseUserSpec defines the desired state of ClickhouseUser. See below for nested schema.

spec

Appears on ClickhouseUser.

ClickhouseUserSpec defines the desired state of ClickhouseUser.

Required

  • project (string, Immutable, Pattern: ^[a-zA-Z0-9_-]+$, MaxLength: 63). Identifies the project this resource belongs to.
  • serviceName (string, Immutable, Pattern: ^[a-z][-a-z0-9]+$, MaxLength: 63). Specifies the name of the service that this resource belongs to.

Optional

  • authSecretRef (object). Authentication reference to Aiven token in a secret. See below for nested schema.
  • connInfoSecretSource (object). ConnInfoSecretSource allows specifying an existing secret to read credentials from. The password from this secret will be used to modify the ClickHouse user credentials. Password must be 8-256 characters long as per Aiven API requirements. This can be used to set passwords for new users or modify passwords for existing users. See below for nested schema.

    Note

    This secret is not watched - changes to the source secret require manual reconciliation. To apply password changes, trigger reconciliation by adding/updating an annotation on the ClickhouseUser.

  • connInfoSecretTarget (object). Secret configuration. See below for nested schema.
  • connInfoSecretTargetDisabled (boolean, Immutable). When true, the secret containing connection information will not be created, defaults to false. This field cannot be changed after resource creation.
  • username (string, Immutable, MaxLength: 63). Name of the Clickhouse user. Defaults to metadata.name if omitted.

    Note

    metadata.name is ASCII-only. For UTF-8 names, use spec.username, but ASCII is advised for compatibility.

authSecretRef

Appears on spec.

Authentication reference to Aiven token in a secret.

Required

  • key (string, MinLength: 1).
  • name (string, MinLength: 1).

connInfoSecretSource

Appears on spec.

ConnInfoSecretSource allows specifying an existing secret to read credentials from. The password from this secret will be used to modify the ClickHouse user credentials. Password must be 8-256 characters long as per Aiven API requirements. This can be used to set passwords for new users or modify passwords for existing users.

Note

This secret is not watched - changes to the source secret require manual reconciliation. To apply password changes, trigger reconciliation by adding/updating an annotation on the ClickhouseUser.

Required

  • name (string, MinLength: 1). Name of the secret resource to read connection parameters from.
  • passwordKey (string, MinLength: 1). Key in the secret containing the password to use for authentication.

Optional

  • namespace (string). Namespace of the source secret. If not specified, defaults to the same namespace as the resource.
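
The manual reconciliation described in the note above, as an added shell example that is not part of the operator's own documentation: it checks the 8-256 character limit, updates the source Secret, then changes an annotation on the ClickhouseUser. The annotation key example.com/password-rotated-at and the function names are assumptions; the resource names are the ones used in the example on this page.

```shell
# Added example: rotate a ClickhouseUser password through connInfoSecretSource.
# The annotation key is an assumption; the page only says that adding or
# updating an annotation on the ClickhouseUser triggers reconciliation.
ROTATION_ANNOTATION="example.com/password-rotated-at"   # hypothetical key

# Aiven API requirement quoted on the page: 8-256 characters.
valid_password_length() {
  local len=${#1}
  [ "$len" -ge 8 ] && [ "$len" -le 256 ]
}

# Usage: rotate_clickhouse_password SECRET KEY CLICKHOUSEUSER PASSWORD_FILE
rotate_clickhouse_password() {
  local secret="$1" key="$2" user="$3" file="$4" pw
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
  pw=$(cat "$file")            # command substitution drops trailing newlines
  if ! valid_password_length "$pw"; then
    echo "password must be 8-256 characters" >&2
    return 1
  fi
  # 1. Update the source Secret. printf is a shell builtin, so the password
  #    travels on stdin and never appears in a process argument list.
  printf '%s' "$pw" |
    kubectl create secret generic "$secret" \
      --from-file="$key=/dev/stdin" --dry-run=client -o yaml |
    kubectl apply -f - || return 3
  # 2. The source Secret is not watched: change an annotation on the
  #    ClickhouseUser so the operator reconciles and applies the password.
  kubectl annotate clickhouseusers "$user" --overwrite \
    "$ROTATION_ANNOTATION=$(date -u +%Y%m%dT%H%M%SZ)"
}

# Example call with the names used on this page:
#   rotate_clickhouse_password predefined-credentials PASSWORD \
#     my-clickhouse-user ./new-password.txt
```

Both commands act on the namespace of the current kubectl context; the source Secret and the ClickhouseUser share a namespace unless connInfoSecretSource.namespace is set.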

connInfoSecretTarget

Appears on spec.

Secret configuration.

Required

  • name (string, Immutable). Name of the secret resource to be created. By default, it is equal to the resource name.

Optional

  • annotations (object, AdditionalProperties: string). Annotations added to the secret.
  • labels (object, AdditionalProperties: string). Labels added to the secret.
  • prefix (string). Prefix for the secret's keys. Added "as is" without any transformations. By default, it is equal to the kind name in uppercase followed by an underscore, e.g. KAFKA_, REDIS_, etc.