feat(clickouse-instance): allow Clickhouse instance to be disable #740
Conversation
Signed-off-by: Nicolas Lamirault <[email protected]>
WalkthroughMigrates ClickHouse Helm chart values to a per-instance namespace under .Values.clickhouseInstance. Adds a top-level enable gate for rendering instance resources. Updates helpers and templates to reference the new paths, adjusts namespace resolution via helper, and introduces nested gating for logs and storage-class rendering. Changes
Sequence Diagram(s)sequenceDiagram
autonumber
participant U as Helm User
participant H as Helm Engine
participant V as Values
participant T as Templates
U->>H: helm install/upgrade
H->>V: Read .Values
H->>T: Render templates
alt clickhouseInstance.enabled == true
note over T: Instance resources render
alt logs.system.enabled == true
note over T: Render exporter-configmap
else logs.system.enabled == false
note over T: Skip exporter-configmap
end
alt installCustomStorageClass == true
note over T: Render StorageClass
else
note over T: Skip StorageClass
end
else clickhouseInstance.enabled == false
note over T: Skip all clickhouse-instance resources
end
Estimated code review effort🎯 4 (Complex) | ⏱️ ~60 minutes Suggested reviewers
Poem
✨ Finishing Touches🧪 Generate unit tests
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
SupportNeed help? Create a ticket on our support page for assistance with any issues or questions. CodeRabbit Commands (Invoked using PR/Issue comments)Type Other keywords and placeholders
CodeRabbit Configuration File (
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 7
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
charts/clickhouse/values.yaml (1)
568-571: Move installCustomStorageClass under clickhouseInstance in values.yaml. Ensure theinstallCustomStorageClasskey is defined asclickhouseInstance.installCustomStorageClassso it meshes with the gating incharts/clickhouse/templates/clickhouse-instance/storage-class.yaml(which checks.Values.clickhouseInstance.installCustomStorageClass).
🧹 Nitpick comments (3)
charts/clickhouse/templates/clickhouse-instance/scripts-configmap.yaml (1)
21-33: Avoid infinite wait and wget dependency in postStart script.
If wget is missing in the image, postStart will fail; also the loop is unbounded. Add a max attempts and prefer curl (more commonly present) with a short timeout.Apply this diff within the script body:
- while true; do - response=$(wget --spider -S "http://${HOST}:${PORT}/ping" 2>&1) - exit_code=$? + MAX_ATTEMPTS=${MAX_ATTEMPTS:-60} + attempt=0 + while [ "$attempt" -lt "$MAX_ATTEMPTS" ]; do + if command -v curl >/dev/null 2>&1; then + curl -fsS --max-time 2 "http://${HOST}:${PORT}/ping" >/dev/null + exit_code=$? + else + wget -q --spider "http://${HOST}:${PORT}/ping" + exit_code=$? + fi if [ $exit_code -eq 0 ]; then echo "Clickhouse is ready!" exit 0 else echo "Clickhouse is not ready yet. Retrying in ${DELAY} seconds..." sleep $DELAY + attempt=$((attempt+1)) fi done + echo "Clickhouse did not become ready after ${MAX_ATTEMPTS} attempts." + exit 1charts/clickhouse/templates/clickhouse-instance/exporter-configmap.yaml (1)
11-14: Defensive default for config to avoid “null”.
If users leave logs.system.config unset, toYaml on a nil value can yield undesirable output.Apply:
- {{- toYaml .Values.clickhouseInstance.logs.system.config | nindent 4 }} + {{- toYaml (default (dict) .Values.clickhouseInstance.logs.system.config) | nindent 4 }}charts/clickhouse/templates/clickhouse-instance/clickhouse-instance.yaml (1)
61-116: Consider using Secrets or env-based credentials for cold storage.
Avoid embedding static access keys directly in the CR. You already support role-based creds; as a fallback, reference K8s Secrets or env vars.I can propose a variant using from_env and mounting a Secret if desired.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
💡 Knowledge Base configuration:
- MCP integration is disabled by default for public repositories
- Jira integration is disabled by default for public repositories
- Linear integration is disabled by default for public repositories
You can enable these sources in your CodeRabbit configuration.
📒 Files selected for processing (8)
charts/clickhouse/templates/_helper.tpl(8 hunks)charts/clickhouse/templates/clickhouse-instance/clickhouse-instance.yaml(11 hunks)charts/clickhouse/templates/clickhouse-instance/configmap.yaml(2 hunks)charts/clickhouse/templates/clickhouse-instance/exporter-configmap.yaml(1 hunks)charts/clickhouse/templates/clickhouse-instance/scripts-configmap.yaml(2 hunks)charts/clickhouse/templates/clickhouse-instance/serviceaccount.yaml(2 hunks)charts/clickhouse/templates/clickhouse-instance/storage-class.yaml(3 hunks)charts/clickhouse/values.yaml(1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2024-12-16T16:15:01.460Z
Learnt from: prashant-shahi
PR: SigNoz/charts#565
File: charts/clickhouse/values.yaml:261-264
Timestamp: 2024-12-16T16:15:01.460Z
Learning: In `charts/clickhouse/values.yaml`, the `customStartupProbe`, `customLivenessProbe`, and `customReadinessProbe` configurations are provided for advanced users to specify custom probe types such as HTTP, Exec, TCP, and gRPC.
Applied to files:
charts/clickhouse/templates/clickhouse-instance/clickhouse-instance.yaml
🪛 YAMLlint (1.37.1)
charts/clickhouse/templates/clickhouse-instance/scripts-configmap.yaml
[error] 1-1: syntax error: expected the node content, but found '-'
(syntax)
charts/clickhouse/templates/clickhouse-instance/exporter-configmap.yaml
[error] 1-1: syntax error: expected the node content, but found '-'
(syntax)
charts/clickhouse/templates/clickhouse-instance/serviceaccount.yaml
[error] 1-1: syntax error: expected the node content, but found '-'
(syntax)
charts/clickhouse/templates/clickhouse-instance/configmap.yaml
[error] 1-1: syntax error: expected the node content, but found '-'
(syntax)
charts/clickhouse/templates/clickhouse-instance/storage-class.yaml
[error] 1-1: syntax error: expected the node content, but found '-'
(syntax)
charts/clickhouse/templates/clickhouse-instance/clickhouse-instance.yaml
[error] 1-1: syntax error: expected the node content, but found '-'
(syntax)
[warning] 10-10: wrong indentation: expected 2 but found 4
(indentation)
[warning] 11-11: wrong indentation: expected 2 but found 4
(indentation)
charts/clickhouse/values.yaml
[error] 161-161: trailing spaces
(trailing-spaces)
🪛 Gitleaks (8.27.2)
charts/clickhouse/values.yaml
176-176: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
(generic-api-key)
🪛 GitHub Check: lint-chart
charts/clickhouse/values.yaml
[failure] 161-161:
161:1 [trailing-spaces] trailing spaces
🪛 GitHub Actions: Lint Charts
charts/clickhouse/values.yaml
[error] 161-161: [trailing-spaces] trailing spaces
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
- GitHub Check: test-chart
🔇 Additional comments (21)
charts/clickhouse/templates/clickhouse-instance/scripts-configmap.yaml (3)
1-1: Good: per-instance enable gate added.
This matches the PR goal and prevents stray resources when disabled.
6-6: Namespace helper usage looks consistent.
Assuming the helper resolves to either .Values.clickhouseInstance.namespace or .Release.Namespace, this is fine.Please confirm helper "clickhouse.namespace" now honors per-instance overrides.
1-1: YAMLlint “syntax error” is a false positive.
Go templates with leading trim markers confuse yamllint; helm lint should be authoritative here.charts/clickhouse/templates/clickhouse-instance/exporter-configmap.yaml (2)
1-2: Good: nested gating aligns with per-instance toggles.
Ensures the ConfigMap renders only when both the instance and logs.system are enabled.
1-1: YAMLlint “syntax error” is expected with templates.
Safe to ignore; rely on helm lint.charts/clickhouse/templates/clickhouse-instance/storage-class.yaml (2)
1-3: Gating structure LGTM.
Outer enable + installCustomStorageClass guard correctly scopes cluster-scoped resources.Also applies to: 34-36
1-1: YAMLlint “syntax error” is template-related.
Ignore in favor of helm lint.charts/clickhouse/templates/clickhouse-instance/configmap.yaml (3)
1-1: Good: per-instance enable gate added.
Prevents emitting config when instance is disabled.
6-6: Namespace helper usage looks fine.
Consistent with other templates; just ensure helper supports per-instance overrides.
1-1: YAMLlint “syntax error” is due to templating.
Not actionable.charts/clickhouse/templates/clickhouse-instance/clickhouse-instance.yaml (5)
186-206: Log sidecar/config gating looks consistent.
Volumes and sidecar are wrapped in logs.system.enabled checks; matches exporter-configmap gating.Also applies to: 300-345
150-156: Helpers and image pull policies: verify helper paths.
Ensure helpers like clickhouse.imagePullSecrets, clickhouse.serviceAccountName, logs.system.image read from .Values.clickhouseInstance.* after this refactor.Also applies to: 220-221, 309-310
354-374: Service template ‘with’ scoping and includes look correct.
Passing $ to labels include avoids scope bleed; include for ifClusterIP receives .type as intended.
376-394: PVC template defaulting uses global.storageClass; verify compatibility.
Good use of default, but confirm the fallback path remains intentional with per-instance refactor.
1-1: YAMLlint template-related warnings can be ignored.
The indentation warnings around template blocks are benign in Helm.charts/clickhouse/templates/clickhouse-instance/serviceaccount.yaml (1)
1-2: Ignore the proposed validation block. Theserviceaccount.yamltemplate doesn’t define or use a$saCreatevariable, and it already conditionally creates the ServiceAccount when.Values.clickhouseInstance.coldStorage.role.enabledor.Values.clickhouseInstance.serviceAccount.createis true. The suggested diff doesn’t apply to this template.Likely an incorrect or invalid review comment.
charts/clickhouse/templates/_helper.tpl (5)
60-64: Confirm SA name behavior when not creating a SA.When serviceAccount.create=false, this helper returns "default" unless a name is provided. With the adjusted gating, we won’t render a SA named "default", but pods may still reference it. Verify this matches intended UX (external/pre-existing SA vs default SA).
105-113: LGTM: image helpers now read from .Values.clickhouseInstance. with global override.*Construction and precedence look consistent.
Also applies to: 119-127, 133-141, 147-155
170-179: LGTM: imagePullSecrets merge (global + per-instance).
186-191: LGTM: SA annotations merged only when coldStorage.enabled && role.enabled.This matches the updated gating suggested in serviceaccount.yaml.
214-217: LGTM: files helper now sources per-instance files.
| {{ .Values.user }}/password: {{ .Values.password }} | ||
| {{ .Values.user }}/networks/ip: | ||
| {{- range $.Values.allowedNetworkIps }} | ||
| {{ .Values.clickhouseInstance.user }}/password: {{ .Values.clickhouseInstance.password }} |
There was a problem hiding this comment.
🛠️ Refactor suggestion
Quote the password to avoid YAML parsing issues.
Special characters may break unquoted scalars.
- {{ .Values.clickhouseInstance.user }}/password: {{ .Values.clickhouseInstance.password }}
+ {{ .Values.clickhouseInstance.user }}/password: {{ .Values.clickhouseInstance.password | quote }}📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| {{ .Values.clickhouseInstance.user }}/password: {{ .Values.clickhouseInstance.password }} | |
| {{ .Values.clickhouseInstance.user }}/password: {{ .Values.clickhouseInstance.password | quote }} |
🤖 Prompt for AI Agents
In charts/clickhouse/templates/clickhouse-instance/clickhouse-instance.yaml
around line 27, the password scalar is unquoted which can break YAML parsing for
passwords containing special characters; wrap the password value in double
quotes (or single quotes if preferred) in the template so the rendered secret
contains a properly quoted string (e.g., change to {{
.Values.clickhouseInstance.user }}/password: "{{
.Values.clickhouseInstance.password }}" ), ensuring any embedded quotes are
escaped or use appropriate quote style.
|
|
||
| profiles: | ||
| {{- merge dict .Values.profiles .Values.defaultProfiles | toYaml | nindent 6 }} | ||
| {{- merge dict .Values.clickhouseInstance.profiles .Values.clickhouseInstance.defaultProfiles | toYaml | nindent 6 }} |
There was a problem hiding this comment.
Bug: merge order overrides user profiles with defaults.
sprig’s merge applies later maps over earlier ones. Passing defaultProfiles last will override user-provided profiles.
Apply:
- {{- merge dict .Values.clickhouseInstance.profiles .Values.clickhouseInstance.defaultProfiles | toYaml | nindent 6 }}
+ {{- merge (dict) .Values.clickhouseInstance.defaultProfiles .Values.clickhouseInstance.profiles | toYaml | nindent 6 }}📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| {{- merge dict .Values.clickhouseInstance.profiles .Values.clickhouseInstance.defaultProfiles | toYaml | nindent 6 }} | |
| {{- merge (dict) .Values.clickhouseInstance.defaultProfiles .Values.clickhouseInstance.profiles | toYaml | nindent 6 }} |
🤖 Prompt for AI Agents
charts/clickhouse/templates/clickhouse-instance/clickhouse-instance.yaml around
line 36: the merge call currently passes user profiles first then
defaultProfiles, causing defaults to override user values; swap the merge
argument order so defaultProfiles are merged first and user
.Values.clickhouseInstance.profiles are merged over them (i.e., call merge dict
.Values.clickhouseInstance.defaultProfiles .Values.clickhouseInstance.profiles)
so user-provided profiles take precedence.
|
|
||
| settings: | ||
| {{- merge dict .Values.settings .Values.defaultSettings | toYaml | nindent 6 }} | ||
| {{- merge dict .Values.clickhouseInstance.settings .Values.clickhouseInstance.defaultSettings | toYaml | nindent 6 }} |
There was a problem hiding this comment.
Bug: merge order overrides user settings with defaults.
Same issue as profiles; users’ settings should win.
Apply:
- {{- merge dict .Values.clickhouseInstance.settings .Values.clickhouseInstance.defaultSettings | toYaml | nindent 6 }}
+ {{- merge (dict) .Values.clickhouseInstance.defaultSettings .Values.clickhouseInstance.settings | toYaml | nindent 6 }}📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| {{- merge dict .Values.clickhouseInstance.settings .Values.clickhouseInstance.defaultSettings | toYaml | nindent 6 }} | |
| {{- merge (dict) .Values.clickhouseInstance.defaultSettings .Values.clickhouseInstance.settings | toYaml | nindent 6 }} |
🤖 Prompt for AI Agents
In charts/clickhouse/templates/clickhouse-instance/clickhouse-instance.yaml
around line 46, the merge currently passes user settings then defaults which
causes defaults to override user values; change the merge argument order so
defaults are first and user settings second (e.g., merge dict
.Values.clickhouseInstance.defaultSettings .Values.clickhouseInstance.settings)
so user-provided settings win; keep the toYaml and nindent unchanged.
| {{- if .Values.clickhouseInstance.enabled }} | ||
| {{- if or .Values.clickhouseInstance.coldStorage.role.enabled .Values.clickhouseInstance.serviceAccount.create }} |
There was a problem hiding this comment.
Fix SA creation gating to avoid creating/overwriting the "default" SA and to match annotations gating.
Current logic renders a ServiceAccount when either coldStorage.role.enabled or serviceAccount.create is true. If create=false and role.enabled=true, the chart will try to create a ServiceAccount named "default" (from the helper), which will conflict. Also, annotations are only merged when coldStorage.enabled AND role.enabled, so gating should align.
Apply:
-{{- if .Values.clickhouseInstance.enabled }}
-{{- if or .Values.clickhouseInstance.coldStorage.role.enabled .Values.clickhouseInstance.serviceAccount.create }}
+{{- if .Values.clickhouseInstance.enabled }}
+{{- $saCreate := .Values.clickhouseInstance.serviceAccount.create }}
+{{- $roleEnabled := and .Values.clickhouseInstance.coldStorage.enabled .Values.clickhouseInstance.coldStorage.role.enabled }}
+{{- $hasCustomSA := and .Values.clickhouseInstance.serviceAccount.name (ne .Values.clickhouseInstance.serviceAccount.name "default") }}
+{{- if or $saCreate (and $roleEnabled $hasCustomSA) }}This ensures we only create a SA when explicitly requested, or when a non-default, named SA is needed for IAM role annotations.
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| {{- if .Values.clickhouseInstance.enabled }} | |
| {{- if or .Values.clickhouseInstance.coldStorage.role.enabled .Values.clickhouseInstance.serviceAccount.create }} | |
| # charts/clickhouse/templates/clickhouse-instance/serviceaccount.yaml | |
| {{- if .Values.clickhouseInstance.enabled }} | |
| {{- $saCreate := .Values.clickhouseInstance.serviceAccount.create }} | |
| {{- $roleEnabled := and .Values.clickhouseInstance.coldStorage.enabled .Values.clickhouseInstance.coldStorage.role.enabled }} | |
| {{- $hasCustomSA := and .Values.clickhouseInstance.serviceAccount.name (ne .Values.clickhouseInstance.serviceAccount.name "default") }} | |
| {{- if or $saCreate (and $roleEnabled $hasCustomSA) }} | |
| # … rest of the ServiceAccount template … | |
| {{- end }} | |
| {{- end }} |
🧰 Tools
🪛 YAMLlint (1.37.1)
[error] 1-1: syntax error: expected the node content, but found '-'
(syntax)
🤖 Prompt for AI Agents
In charts/clickhouse/templates/clickhouse-instance/serviceaccount.yaml around
lines 1-2, the current conditional creates a ServiceAccount whenever
coldStorage.role.enabled OR serviceAccount.create is true, which can
unintentionally attempt to create/overwrite the "default" SA and differs from
the annotation gating; change the condition to only render the ServiceAccount
when serviceAccount.create is true OR when a role is enabled AND a non-default
serviceAccount.name is provided (i.e., role.enabled and serviceAccount.name !=
"default"), and update the annotation merge gating to use the same role-enabled
+ non-default-SA condition so annotations are only added when a named SA is
actually needed for IAM role annotations.
| {{- if hasPrefix "gcp" .Values.clickhouseInstance.global.cloud -}} | ||
| # |
There was a problem hiding this comment.
💡 Verification agent
🧩 Analysis chain
Potential regression: cloud provider path moved under clickhouseInstance.global.cloud.
If existing users set global.cloud at the top level, this change will break provider detection. Add a safe fallback.
Proposed diff:
-{{- if hasPrefix "gcp" .Values.clickhouseInstance.global.cloud -}}
+{{- $cloud := default .Values.global.cloud .Values.clickhouseInstance.global.cloud -}}
+{{- if hasPrefix "gcp" $cloud -}}
...
-{{- else if hasPrefix "aws" .Values.clickhouseInstance.global.cloud -}}
+{{- else if hasPrefix "aws" $cloud -}}🏁 Script executed:
#!/bin/bash
# Search for any usage of .Values.global.cloud across the repo
rg -n "\.Values\.global\.cloud" -C3 . || true
# Search for usage of .Values.clickhouseInstance.global.cloud across the repo
rg -n "\.Values\.clickhouseInstance\.global\.cloud" -C3 . || true
# Inspect hasPrefix invocations in clickhouse templates for cloud detection
rg -n "hasPrefix" -C3 charts/clickhouse/templates || trueLength of output: 8639
🏁 Script executed:
#!/bin/bash
# Locate clickhouse chart values.yaml
chart_values=$(fd -t f -I -e yaml charts/clickhouse | grep -i values.yaml)
echo "Values file: $chart_values"
# Show definitions of global.cloud and clickhouseInstance.global.cloud
grep -n "global.cloud" -C3 "$chart_values" || true
grep -n "clickhouseInstance:" -C10 "$chart_values" || trueLength of output: 639
Ensure cloud detection falls back to top-level global.cloud
Use default to source .Values.global.cloud when .Values.clickhouseInstance.global.cloud is unset, preventing breaks for existing users. For example, in charts/clickhouse/templates/clickhouse-instance/storage-class.yaml:
-{{- if hasPrefix "gcp" .Values.clickhouseInstance.global.cloud -}}
+{{- $cloud := default .Values.global.cloud .Values.clickhouseInstance.global.cloud -}}
+{{- if hasPrefix "gcp" $cloud -}}
…
-{{- else if hasPrefix "aws" .Values.clickhouseInstance.global.cloud -}}
+{{- else if hasPrefix "aws" $cloud -}}📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| {{- if hasPrefix "gcp" .Values.clickhouseInstance.global.cloud -}} | |
| # | |
| {{- $cloud := default .Values.global.cloud .Values.clickhouseInstance.global.cloud -}} | |
| {{- if hasPrefix "gcp" $cloud -}} | |
| # | |
| … # rest of your GCP-specific block | |
| {{- else if hasPrefix "aws" $cloud -}} | |
| … # rest of your AWS-specific block | |
| {{- end -}} |
🤖 Prompt for AI Agents
In charts/clickhouse/templates/clickhouse-instance/storage-class.yaml around
lines 4-5, the hasPrefix check uses .Values.clickhouseInstance.global.cloud
directly which breaks when that value is unset; change it to use Helm's default
to fall back to .Values.global.cloud, e.g. replace hasPrefix "gcp"
.Values.clickhouseInstance.global.cloud with hasPrefix "gcp" (default
.Values.global.cloud .Values.clickhouseInstance.global.cloud) so cloud detection
uses the top-level global.cloud when the per-instance value is missing.
| # ClickHouse Instance Configuration | ||
| clickhouseInstance: | ||
| # -- Whether to install clickhouse instance. If false, only the operator will be installed | ||
| enabled: true | ||
|
|
There was a problem hiding this comment.
Fix trailing whitespace (pipeline is failing).
Line 161 is a whitespace-only line. Remove trailing spaces to satisfy lint-chart:
-
+📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # ClickHouse Instance Configuration | |
| clickhouseInstance: | |
| # -- Whether to install clickhouse instance. If false, only the operator will be installed | |
| enabled: true | |
| # ClickHouse Instance Configuration | |
| clickhouseInstance: | |
| # -- Whether to install clickhouse instance. If false, only the operator will be installed | |
| enabled: true | |
🧰 Tools
🪛 GitHub Check: lint-chart
[failure] 161-161:
161:1 [trailing-spaces] trailing spaces
🪛 YAMLlint (1.37.1)
[error] 161-161: trailing spaces
(trailing-spaces)
🪛 GitHub Actions: Lint Charts
[error] 161-161: [trailing-spaces] trailing spaces
🤖 Prompt for AI Agents
In charts/clickhouse/values.yaml around lines 157 to 161 there is a trailing
whitespace on line 161 (a whitespace-only line) causing the lint-chart pipeline
to fail; remove the trailing spaces from that empty line (or delete the empty
whitespace-only line) and ensure the file ends with a single newline to satisfy
the linter.
| user: admin | ||
| # -- Clickhouse password | ||
| password: 27ff0399-0d3a-4bd8-919d-17c2181e6fb9 |
There was a problem hiding this comment.
Do not ship a real-looking password in values; integrate with a Secret.
Embedding a UUID-like default triggers secret scanners and encourages insecure defaults.
Minimum safe change now:
- # -- Clickhouse password
- password: 27ff0399-0d3a-4bd8-919d-17c2181e6fb9
+ # -- Clickhouse password (set via --set or use an existing Secret; leave empty by default)
+ password: ""Optionally add support for an existing Secret to avoid putting credentials in values at all:
clickhouseInstance:
auth:
existingSecret: "" # name of Secret containing 'password' key
existingSecretKey: passwordThen wire this in the template rendering.
🧰 Tools
🪛 Gitleaks (8.27.2)
176-176: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
(generic-api-key)
🤖 Prompt for AI Agents
In charts/clickhouse/values.yaml around lines 174 to 176, remove the embedded
UUID-like password value and replace it with a non-sensitive placeholder (e.g.
empty string or "<set-via-Secret>"); instead add configuration to reference a
Kubernetes Secret (e.g. add clickhouseInstance.auth.existingSecret and
existingSecretKey fields) and update chart templates to read the password from
that Secret when provided so credentials are not stored in values.yaml. Ensure
templates fall back to the placeholder only if no Secret is supplied and
document the new fields in values.yaml comments.
1 participant
Summary by CodeRabbit
New Features
Refactor