Add support for external password secrets in ClickHouse Helm chart (#64)

dcaputo-harmoni · web-flow · commit 3d7c21e839e0 · 2025-10-10T10:43:04.000-04:00
- Add password_secret_name parameter to allow using existing K8s secrets
- Update chi.yaml template to reference external secret when specified
- Make credentials.yaml creation conditional based on external secret usage
- Maintain backward compatibility with existing password configurations
- Add documentation for new parameter in README and values.yaml
diff --git a/charts/clickhouse/README.md b/charts/clickhouse/README.md
@@ -167,6 +167,7 @@ EOSQL
 | clickhouse.defaultUser.allowExternalAccess | bool | `false` | Allow the default user to access ClickHouse from any IP. If set, will override `hostIP` to always be `0.0.0.0/0`. |
 | clickhouse.defaultUser.hostIP | string | `"127.0.0.1/32"` |  |
 | clickhouse.defaultUser.password | string | `""` |  |
+| clickhouse.defaultUser.password_secret_name | string | `""` | Name of an existing Kubernetes secret containing the default user password. If set, the password will be read from the secret instead of using the password field. The secret should contain a key named 'password'. |
 | clickhouse.extraConfig | string | `"<clickhouse>\n</clickhouse>\n"` | Miscellanous config for ClickHouse (in xml format) |
 | clickhouse.extraUsers | string | `"<clickhouse>\n</clickhouse>\n"` | Additional users config for ClickHouse (in xml format) |
 | clickhouse.image.pullPolicy | string | `"IfNotPresent"` |  |
diff --git a/charts/clickhouse/templates/chi.yaml b/charts/clickhouse/templates/chi.yaml
@@ -128,7 +128,7 @@ spec:
       default/password:
         valueFrom:
           secretKeyRef:
-            name: {{ include "clickhouse.credentialsName" . }}
+            name: {{ .Values.clickhouse.defaultUser.password_secret_name | default (include "clickhouse.credentialsName" .) | quote }}
             key: password
       {{- range .Values.clickhouse.users }}
       {{ required "A user must have a name" .name }}/access_management: {{ .accessManagement | default 0}}
diff --git a/charts/clickhouse/templates/credentials.yaml b/charts/clickhouse/templates/credentials.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.clickhouse.defaultUser.password_secret_name }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -6,3 +7,4 @@ type: Opaque
 stringData:
   user: "default"
   password: "{{ .Values.clickhouse.defaultUser.password }}"
+{{- end }}
diff --git a/charts/clickhouse/values.yaml b/charts/clickhouse/values.yaml
@@ -14,6 +14,10 @@ namespaceDomainPattern: ""
 clickhouse:
   defaultUser:
     password: ""
+    # -- Name of an existing Kubernetes secret containing the default user password.
+    # If set, the password will be read from the secret instead of using the password field.
+    # The secret should contain a key named 'password'.
+    password_secret_name: ""
     # -- Allow the default user to access ClickHouse from any IP.
     # If set, will override `hostIP` to always be `0.0.0.0/0`.
     allowExternalAccess: false
