Merge pull request #1840 from DougTidwell/master

alex-zaitsev · web-flow · commit 0cf33cf23815 · 2025-10-07T09:18:17.000+03:00
Added Disable Default User example to the hardening guide
diff --git a/deploy/grafana/grafana-with-helm/install-grafana-via-helm.sh b/deploy/grafana/grafana-with-helm/install-grafana-via-helm.sh
@@ -2,7 +2,7 @@
 # reproduce behavior for https://github.com/Altinity/clickhouse-operator/issues/1721
 kubectl create ns test
 
-helm repo add altinity-clickhouse-operator https://docs.altinity.com/clickhouse-operator/
+helm repo add altinity-clickhouse-operator https://helm.altinity.com
 helm install -n test test-operator --set dashboards.enabled=true altinity-clickhouse-operator/altinity-clickhouse-operator
 
 helm repo add grafana https://grafana.github.io/helm-charts
diff --git a/docs/operator_installation_details.md b/docs/operator_installation_details.md
@@ -59,7 +59,7 @@ since 0.20.1 version official clickhouse-operator helm chart, also available
 
 installation
 ```bash
-helm repo add clickhouse-operator https://docs.altinity.com/clickhouse-operator/
+helm repo add clickhouse-operator https://helm.altinity.com
 helm install clickhouse-operator clickhouse-operator/altinity-clickhouse-operator
 ```
 upgrade
diff --git a/docs/security_hardening.md b/docs/security_hardening.md
@@ -10,7 +10,17 @@ With the default settings, the ClickHouse operator deploys ClickHouse with two u
 
 The '**default**' user is used to connect to ClickHouse instance from a pod where it is running, and also for distributed queries. It is deployed with an **empty password** that was a long-time default for ClickHouse out-of-the-box installation.
 
-To secure it, the operator applies network security rules that restrict connections to the pods running the ClickHouse cluster, and nothing else.
+For security purposes, we recommend that you disable the `default` user altogether. As an example, create a file named `remove_default_user.xml` and place it in the `users.d` directory. This markup does the trick:
+
+```xml
+<clickhouse>
+   <users>
+      <default remove="1"/>
+   </users>
+</clickhouse>
+```
+
+However, if you do use the `default` user, the operator applies network security rules that restrict connections to the pods running the ClickHouse cluster, and nothing else.
 
 Before version **0.19.0**  `hostRegexp` was applied that captured pod names. This did not work correctly in some Kubernetes distributions, such as GKE. In later versions, the operator additionally applies a restrictive set of pod IP addresses and rebuilds this set if the IP address of a pod changes for whatever reason.
 
