Properly handle secure and verify on clickhouse

[Kinue72]

Summary by CodeRabbit

• New Features
  • Support for custom DSN parameters for ClickHouse (internal and external) and DSN-aware URLs/exporters.
  • Configurable TLS verification via CLICKHOUSE_SKIP_VERIFY; readiness checks and exporters respect skip-verify.
  • Init/readiness commands now conditionally include a no-verify flag for wget when verification is disabled.
• Chores
  • Bumped BusyBox/init container images to 1.37 across charts and tests.
• Documentation
  • Added values for clickhouse.dsnParams and externalClickhouse.dsnParams.

[coderabbitai]

Walkthrough

Adds DSN parameter support for ClickHouse URLs, introduces a reusable wget no-verify flag helper (duplicated definition), propagates that flag into multiple init-container wget readiness checks, adds new DSN param fields in values, and updates BusyBox/init image tags from 1.35 → 1.37.

Changes

Cohort / File(s)	Summary
Helm values & images charts/clickhouse/values.yaml, charts/signoz/values.yaml	Bump BusyBox/init image tags from 1.35 → 1.37. Add clickhouse.dsnParams and externalClickhouse.dsnParams (default ""). Append ?secure={env:CLICKHOUSE_SECURE}&skip_verify={env:CLICKHOUSE_SKIP_VERIFY} to multiple exporter DSN strings.
ClickHouse templating charts/signoz/templates/_clickhouse.tpl	Add define "clickhouse.clickHouseDsnParams" to format DSN params (secure, skip_verify, extra). Inject DSN params into schemamigrator.url and clickhouse.clickHouseUrl (internal and external). Add CLICKHOUSE_SKIP_VERIFY env handling where applicable.
Wget no-verify helper charts/signoz/templates/_helpers.tpl	Add define "wget.clickhouse.noVerifyFlag" that emits --no-check-certificate when CLICKHOUSE_VERIFY == "false". Note: definition appears twice in the diff.
Init-container readiness commands charts/signoz/templates/otel-collector/deployment.yaml, charts/signoz/templates/schema-migrator/migrations-async.yaml, charts/signoz/templates/schema-migrator/migrations-sync.yaml, charts/signoz/templates/signoz/statefulset.yaml	Prefix wget invocations with {{ include "wget.clickhouse.noVerifyFlag" . }} so --no-check-certificate is conditionally included; existing --user, --spider, wait/delay/done flow preserved.
Test manifests & docs charts/k8s-infra/templates/otel-agent/tests/test-connection.yaml, charts/k8s-infra/templates/otel-deployment/tests/test-connection.yaml, charts/signoz/templates/signoz/tests/test-connection.yaml, charts/signoz/README.md	Bump BusyBox image tag references from 1.35 → 1.37 in test pods and README; no behavioral changes.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Values as Helm values
  participant TPL as _clickhouse.tpl
  participant URL as ClickHouse URL/DSN
  Values->>TPL: provide secure, skip_verify, dsnParams
  TPL->>TPL: clickHouseDsnParams formats "secure=...&skip_verify=...&..."
  TPL->>URL: build host:port?{DSN_PARAMS}
  note right of URL: Used by schemamigrator, exporters, and clients

Loading

sequenceDiagram
  autonumber
  participant ENV as Pod env (CLICKHOUSE_VERIFY)
  participant HELP as _helpers.tpl
  participant INIT as Init container
  participant CH as ClickHouse endpoint
  ENV-->>HELP: CLICKHOUSE_VERIFY value
  HELP-->>INIT: include wget.clickhouse.noVerifyFlag
  INIT->>CH: wget [--no-check-certificate?] --user ... --spider -q <url>
  alt reachable
    INIT->>INIT: proceed
  else unreachable
    INIT->>INIT: retry/sleep loop
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Files/areas to check closely:

• charts/signoz/templates/_clickhouse.tpl (new DSN helper, URL composition, env handling)
• Duplicate definition in charts/signoz/templates/_helpers.tpl (remove one duplicate)
• Init-container wget invocations where the helper is included (parameter ordering and quoting)

Possibly related PRs

• fix: handle signoz envs #703 — overlaps on ClickHouse Helm helpers and DSN/env handling in _clickhouse.tpl.
• chore(schema-migrator): separate job, include helm hooks #539 — touches schema-migrator init-container wget readiness logic (migrations templates).

Suggested labels

safe-to-test

Suggested reviewers

• prashant-shahi
• grandwizard28

Poem

I hop through templates, DSNs in tow,
I add a flag so wget won't woe.
BusyBox bumped and checks run neat,
Init containers wait and greet.
A rabbit cheers — ClickHouse on the go! 🐇✨

Pre-merge checks and finishing touches

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: adding proper handling for secure and verify parameters on ClickHouse connections across the Helm charts.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cae601c and 9735b3f.

📒 Files selected for processing (12)

• charts/clickhouse/values.yaml (1 hunks)
• charts/k8s-infra/templates/otel-agent/tests/test-connection.yaml (1 hunks)
• charts/k8s-infra/templates/otel-deployment/tests/test-connection.yaml (1 hunks)
• charts/signoz/README.md (1 hunks)
• charts/signoz/templates/_clickhouse.tpl (6 hunks)
• charts/signoz/templates/_helpers.tpl (1 hunks)
• charts/signoz/templates/otel-collector/deployment.yaml (1 hunks)
• charts/signoz/templates/schema-migrator/migrations-async.yaml (1 hunks)
• charts/signoz/templates/schema-migrator/migrations-sync.yaml (1 hunks)
• charts/signoz/templates/signoz/statefulset.yaml (1 hunks)
• charts/signoz/templates/signoz/tests/test-connection.yaml (1 hunks)
• charts/signoz/values.yaml (8 hunks)

🚧 Files skipped from review as they are similar to previous changes (6)

• charts/signoz/templates/schema-migrator/migrations-async.yaml
• charts/signoz/templates/signoz/statefulset.yaml
• charts/signoz/templates/schema-migrator/migrations-sync.yaml
• charts/signoz/templates/otel-collector/deployment.yaml
• charts/signoz/README.md
• charts/clickhouse/values.yaml

🔇 Additional comments (13)

charts/k8s-infra/templates/otel-deployment/tests/test-connection.yaml (1)

15-15: LGTM! BusyBox image updated consistently.

The BusyBox image tag update from 1.35 to 1.37 aligns with the broader version update across the PR.

charts/k8s-infra/templates/otel-agent/tests/test-connection.yaml (1)

13-13: LGTM! Consistent image version update.

The BusyBox 1.37 update is consistent with other test connection manifests in this PR.

charts/signoz/templates/_helpers.tpl (1)

527-532: LGTM! Correct wget flag syntax.

The helper correctly emits --no-check-certificate (double dash) when CLICKHOUSE_VERIFY="false". This provides a reusable flag generator for wget commands that need to skip TLS verification when connecting to ClickHouse.

charts/signoz/templates/signoz/tests/test-connection.yaml (1)

12-12: LGTM! Consistent BusyBox version across test manifests.

The image tag update to 1.37 maintains consistency with other test connection pods in the PR.

charts/signoz/values.yaml (4)

253-256: LGTM! Well-designed DSN parameter fields.

The new dsnParams fields for both internal and external ClickHouse configurations provide a clean extension point for additional connection parameters. The empty default ensures backward compatibility, and the symmetric implementation maintains consistency.

Also applies to: 748-751

---

381-381: LGTM! Consistent BusyBox version updates across init containers.

All BusyBox init container images have been consistently updated to version 1.37 across ClickHouse, SigNoz, schema migrator, and OTEL collector components.

Also applies to: 891-891, 915-915, 1146-1146, 1327-1327

---

1091-1091: LGTM! Component version updates aligned.

The schema migrator and OTEL collector images are both updated to v0.129.8, maintaining version consistency across related components.

Also applies to: 1301-1301

---

1912-1912: LGTM! Environment variable interpolation corrected.

The DSN strings now use the correct ${env:...} syntax (with the $ sigil) instead of {env:...}, fixing the critical issue where literal strings were being sent to ClickHouse instead of interpolated environment variable values. This ensures proper TLS negotiation with the secure and skip_verify parameters.

Also applies to: 1916-1916, 1919-1919, 1923-1923, 1929-1929

charts/signoz/templates/_clickhouse.tpl (5)

7-9: LGTM! Schema migrator URL construction with DSN parameters.

The URL construction now properly appends DSN parameters for both internal and external ClickHouse configurations, ensuring consistent connection parameter handling across deployment scenarios.

---

39-40: LGTM! Clear skip_verify semantics.

Adding CLICKHOUSE_SKIP_VERIFY as the logical inverse of CLICKHOUSE_VERIFY provides clearer semantics for DSN parameter construction and aligns with ClickHouse driver expectations.

Also applies to: 72-73

---

96-97: LGTM! Complete credential context.

Adding CLICKHOUSE_VERIFY to the minimized credentials block ensures the verification setting is available in all contexts where ClickHouse credentials are needed.

Also applies to: 121-122

---

236-240: LGTM! Enhanced URL construction with DSN parameters.

The clickHouseUrl template now properly integrates DSN parameters including security settings and custom parameters, while maintaining runtime credential interpolation through environment variables.

---

242-248: LGTM! Robust DSN parameter formatting.

The clickHouseDsnParams template correctly constructs query parameters from security settings and custom DSN parameters. The trimSuffix "&" ensures clean URL formatting even when optional dsnParams is empty. The logic properly computes skip_verify as the inverse of the verify flag.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Kinue72]

fix: #747

[coderabbitai]

Actionable comments posted: 6

🧹 Nitpick comments (2)

charts/signoz/templates/_clickhouse.tpl (2)

96-123: Expose CLICKHOUSE_SKIP_VERIFY in the credentials snippet as well.

Workloads that rely on snippet.clickhouse-credentials won’t see the new CLICKHOUSE_SKIP_VERIFY flag, so they’ll keep default behavior instead of honoring the chart setting. Please propagate the same env var here to stay consistent with snippet.clickhouse-env.

 - name: CLICKHOUSE_VERIFY
   value: {{ .Values.clickhouse.verify | quote }}
+- name: CLICKHOUSE_SKIP_VERIFY
+  value: {{ not .Values.clickhouse.verify | quote }}
 {{- else -}}
 …
 - name: CLICKHOUSE_VERIFY
   value: {{ .Values.externalClickhouse.verify | quote }}
+- name: CLICKHOUSE_SKIP_VERIFY
+  value: {{ not .Values.externalClickhouse.verify | quote }}

---

242-247: Avoid leaving a trailing & in the generated DSN.

When dsnParams is empty this helper produces ...?skip_verify=true&, leaving an empty query segment. Let’s trim the trailing ampersand so we never emit malformed parameter pairs.

-{{- printf "secure=%v&skip_verify=%v&%v" ( default false .Values.clickhouse.secure ) ( not ( default false .Values.clickhouse.verify ) ) ( default "" .Values.clickhouse.dsnParams ) -}}
+{{- $raw := printf "secure=%v&skip_verify=%v&%v" ( default false .Values.clickhouse.secure ) ( not ( default false .Values.clickhouse.verify ) ) ( default "" .Values.clickhouse.dsnParams ) -}}
+{{- trimSuffix "&" $raw -}}
 {{- else -}}
-{{- printf "secure=%v&skip_verify=%v&%v" ( default false .Values.externalClickhouse.secure ) ( not ( default false .Values.externalClickhouse.verify ) ) ( default "" .Values.externalClickhouse.dsnParams ) -}}
+{{- $raw := printf "secure=%v&skip_verify=%v&%v" ( default false .Values.externalClickhouse.secure ) ( not ( default false .Values.externalClickhouse.verify ) ) ( default "" .Values.externalClickhouse.dsnParams ) -}}
+{{- trimSuffix "&" $raw -}}

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2d07150 and 0dbd07a.

📒 Files selected for processing (8)

• charts/clickhouse/values.yaml (1 hunks)
• charts/signoz/templates/_clickhouse.tpl (6 hunks)
• charts/signoz/templates/_helpers.tpl (1 hunks)
• charts/signoz/templates/otel-collector/deployment.yaml (1 hunks)
• charts/signoz/templates/schema-migrator/migrations-async.yaml (1 hunks)
• charts/signoz/templates/schema-migrator/migrations-sync.yaml (1 hunks)
• charts/signoz/templates/signoz/statefulset.yaml (1 hunks)
• charts/signoz/values.yaml (8 hunks)

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2024-11-01T05:29:30.302Z

Learnt from: prashant-shahi
PR: SigNoz/charts#544
File: charts/signoz/templates/schema-migrator/migrations-sync.yaml:16-23
Timestamp: 2024-11-01T05:29:30.302Z
Learning: In `charts/signoz/templates/schema-migrator/migrations-sync.yaml`, the `Sync` ArgoCD hook and `pre-upgrade` Helm hook are intentionally used to maintain consistent behavior and prevent issues with Kubernetes Job cleanup.

Applied to files:

• charts/signoz/templates/schema-migrator/migrations-async.yaml
• charts/signoz/templates/schema-migrator/migrations-sync.yaml

🔇 Additional comments (1)

charts/clickhouse/values.yaml (1)

375-376: BusyBox tag 1.37 is available: busybox:1.37 is published on Docker Hub and can be pulled successfully.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

charts/signoz/templates/_clickhouse.tpl (1)

51-58: External env block missing CLICKHOUSE_METER_DATABASE

Parity with internal block is needed for components that depend on meter DB envs.

Apply this diff:

 - name: CLICKHOUSE_LOG_DATABASE
   value: {{ default "signoz_logs" .Values.externalClickhouse.logDatabase | quote }}
+- name: CLICKHOUSE_METER_DATABASE
+  value: {{ default "signoz_meter" .Values.externalClickhouse.meterDatabase | quote }}
 - name: CLICKHOUSE_USER
   value: {{ .Values.externalClickhouse.user | quote }}

🧹 Nitpick comments (3)

charts/signoz/templates/_clickhouse.tpl (3)

242-248: Avoid trailing ampersand in DSN params

When dsnParams is empty, this prints a trailing &. Some parsers tolerate it, but it’s easy to avoid.

Apply this diff:

 {{- define "clickhouse.clickHouseDsnParams" -}}
 {{- if .Values.clickhouse.enabled -}}
-{{- printf "secure=%v&skip_verify=%v&%v" ( default false .Values.clickhouse.secure ) ( not ( default false .Values.clickhouse.verify ) ) ( default "" .Values.clickhouse.dsnParams ) -}}
+{{- $secure := default false .Values.clickhouse.secure -}}
+{{- $skipVerify := not ( default false .Values.clickhouse.verify ) -}}
+{{- $extra := trimAll "& " (default "" .Values.clickhouse.dsnParams) -}}
+{{- if $extra -}}
+{{- printf "secure=%v&skip_verify=%v&%s" $secure $skipVerify $extra -}}
+{{- else -}}
+{{- printf "secure=%v&skip_verify=%v" $secure $skipVerify -}}
+{{- end -}}
 {{- else -}}
-{{- printf "secure=%v&skip_verify=%v&%v" ( default false .Values.externalClickhouse.secure ) ( not ( default false .Values.externalClickhouse.verify ) ) ( default "" .Values.externalClickhouse.dsnParams ) -}}
+{{- $secure := default false .Values.externalClickhouse.secure -}}
+{{- $skipVerify := not ( default false .Values.externalClickhouse.verify ) -}}
+{{- $extra := trimAll "& " (default "" .Values.externalClickhouse.dsnParams) -}}
+{{- if $extra -}}
+{{- printf "secure=%v&skip_verify=%v&%s" $secure $skipVerify $extra -}}
+{{- else -}}
+{{- printf "secure=%v&skip_verify=%v" $secure $skipVerify -}}
+{{- end -}}
 {{- end -}}
 {{- end -}}

---

195-210: Always include scheme in httpUrl (use http:// when not secure)

wget behaves more predictably with explicit schemes. Recommend defaulting to http:// when not secure.

Apply this diff:

 {{- define "clickhouse.httpUrl" -}}
 {{- $httpUrl := "" -}}
-{{- $httpPrefix := "" -}}
+{{- $httpPrefix := "http://" -}}
 {{- if .Values.clickhouse.enabled }}
   {{- $httpUrl = printf "%s:%s" (include "clickhouse.servicename" .) (include "clickhouse.httpPort" .) }}
   {{- if .Values.clickhouse.secure }}
     {{- $httpPrefix = "https://" }}
   {{- end }}
 {{- else }}
   {{- $httpUrl = printf "%s:%s" (required "externalClickhouse.host is required if using external clickhouse" .Values.externalClickhouse.host) ( include "clickhouse.httpPort" .) }}
   {{- if .Values.externalClickhouse.secure }}
     {{- $httpPrefix = "https://" }}
   {{- end }}
 {{- end }}
 {{- printf "%s%s" $httpPrefix $httpUrl }}
 {{- end -}}

---

96-98: Optional: add CLICKHOUSE_SKIP_VERIFY to credentials snippet for parity

Not strictly required here, but keeping both env snippets aligned reduces surprises.

Apply this diff:

 - name: CLICKHOUSE_VERIFY
   value: {{ .Values.clickhouse.verify | quote }}
+# Optional: parity with full env block
+- name: CLICKHOUSE_SKIP_VERIFY
+  value: {{ not .Values.clickhouse.verify | quote }}

And similarly in the external branch.

Also applies to: 121-123

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0dbd07a and 90ee985.

📒 Files selected for processing (7)

• charts/signoz/templates/_clickhouse.tpl (6 hunks)
• charts/signoz/templates/_helpers.tpl (1 hunks)
• charts/signoz/templates/otel-collector/deployment.yaml (1 hunks)
• charts/signoz/templates/schema-migrator/migrations-async.yaml (1 hunks)
• charts/signoz/templates/schema-migrator/migrations-sync.yaml (1 hunks)
• charts/signoz/templates/signoz/statefulset.yaml (1 hunks)
• charts/signoz/values.yaml (8 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• charts/signoz/templates/_helpers.tpl
• charts/signoz/templates/signoz/statefulset.yaml
• charts/signoz/templates/otel-collector/deployment.yaml

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2024-11-01T05:29:30.302Z

Learnt from: prashant-shahi
PR: SigNoz/charts#544
File: charts/signoz/templates/schema-migrator/migrations-sync.yaml:16-23
Timestamp: 2024-11-01T05:29:30.302Z
Learning: In `charts/signoz/templates/schema-migrator/migrations-sync.yaml`, the `Sync` ArgoCD hook and `pre-upgrade` Helm hook are intentionally used to maintain consistent behavior and prevent issues with Kubernetes Job cleanup.

Applied to files:

• charts/signoz/templates/schema-migrator/migrations-sync.yaml
• charts/signoz/templates/schema-migrator/migrations-async.yaml

🔇 Additional comments (9)

charts/signoz/templates/schema-migrator/migrations-sync.yaml (2)

45-45: Root scope passed correctly to wget helper — LGTM

Using $ ensures the helper can access .Values. All good here.

---

45-45: Confirmed single helper definition: wget.clickhouse.noVerifyFlag appears only once in charts/signoz/templates/_helpers.tpl.

charts/signoz/templates/schema-migrator/migrations-async.yaml (2)

46-46: Root scope passed correctly to wget helper — LGTM

Same as sync job; correct use of $ here.

---

46-46: Consistent usage confirmed – all wget.clickhouse.noVerifyFlag includes pass $ to the helper across templates.

charts/signoz/values.yaml (3)

253-256: Expose DSN params — good addition

Adds flexibility for custom ClickHouse DSN tuning.

---

748-751: External DSN params — good addition

Matches internal DSN params; consistent API surface.

---

1911-1930: Fix env interpolation in ClickHouse DSNs — LGTM

${env:...} restored for secure/skip_verify across exporters. This unblocks TLS/verification behavior.

charts/signoz/templates/_clickhouse.tpl (2)

5-10: Append DSN params to schema migrator URL — LGTM

The DSN assembly for schema migrator is correct for both internal and external paths.

---

39-41: Env var parity for verify/skip_verify — LGTM

Introducing CLICKHOUSE_SKIP_VERIFY (negation of verify) aligns with driver expectations.

Also applies to: 72-74

[Kinue72]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.