fix: add ClickHouse password authentication

ClickHouse default user had no password, causing auth failures on recent CH versions. Set password via from_env in clickhouse-users.xml, pass credentials in JDBC URLs to SaaS services and tenant server containers. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-12 13:59:59 +02:00
parent 879accfc7f
commit da4a263cd7
6 changed files with 10 additions and 4 deletions
--- a/.env.example
+++ b/.env.example
@@ -9,6 +9,9 @@ POSTGRES_USER=cameleer
 POSTGRES_PASSWORD=change_me_in_production
 POSTGRES_DB=cameleer_saas

+# ClickHouse
+CLICKHOUSE_PASSWORD=change_me_in_production
+
 # Public domain (used by Traefik, Logto, and SaaS provisioning)
 PUBLIC_HOST=localhost
 PUBLIC_PROTOCOL=https
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -196,12 +196,14 @@ services:
  clickhouse:
    image: clickhouse/clickhouse-server:latest
    restart: unless-stopped
+    environment:
+      CLICKHOUSE_PASSWORD: ${CLICKHOUSE_PASSWORD:-cameleer_ch}
    volumes:
      - chdata:/var/lib/clickhouse
      - ./docker/clickhouse-init.sql:/docker-entrypoint-initdb.d/init.sql:ro
      - ./docker/clickhouse-users.xml:/etc/clickhouse-server/users.d/default-user.xml:ro
    healthcheck:
-      test: ["CMD-SHELL", "clickhouse-client --query 'SELECT 1'"]
+      test: ["CMD-SHELL", "clickhouse-client --password ${CLICKHOUSE_PASSWORD:-cameleer_ch} --query 'SELECT 1'"]
      interval: 10s
      timeout: 5s
      retries: 3
--- a/docker/clickhouse-users.xml
+++ b/docker/clickhouse-users.xml
@@ -1,6 +1,7 @@
 <clickhouse>
  <users>
    <default>
+      <password from_env="CLICKHOUSE_PASSWORD" />
      <networks>
        <ip>::/0</ip>
      </networks>
--- a/src/main/java/net/siegeln/cameleer/saas/provisioning/DockerTenantProvisioner.java
+++ b/src/main/java/net/siegeln/cameleer/saas/provisioning/DockerTenantProvisioner.java
@@ -195,7 +195,7 @@ public class DockerTenantProvisioner implements TenantProvisioner {
            "SPRING_DATASOURCE_URL=" + props.datasourceUrl(),
            "SPRING_DATASOURCE_USERNAME=cameleer",
            "SPRING_DATASOURCE_PASSWORD=cameleer_dev",
-            "CAMELEER_SERVER_CLICKHOUSE_URL=jdbc:clickhouse://clickhouse:8123/cameleer",
+            "CAMELEER_SERVER_CLICKHOUSE_URL=jdbc:clickhouse://clickhouse:8123/cameleer?user=default&password=cameleer_ch",
            "CAMELEER_SERVER_TENANT_ID=" + slug,
            "CAMELEER_SERVER_SECURITY_BOOTSTRAPTOKEN=" + req.licenseToken(),
            "CAMELEER_SERVER_SECURITY_JWTSECRET=cameleer-dev-jwt-secret-change-in-production",
--- a/src/main/resources/application-local.yml
+++ b/src/main/resources/application-local.yml
@@ -22,4 +22,4 @@ cameleer:
      logtoendpoint: http://localhost:3001
      serverendpoint: http://localhost:8081
    provisioning:
-      clickhouseurl: jdbc:clickhouse://localhost:8123/cameleer
+      clickhouseurl: jdbc:clickhouse://localhost:8123/cameleer?user=default&password=cameleer_ch
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@@ -50,7 +50,7 @@ cameleer:
      publichost: ${CAMELEER_SAAS_PROVISIONING_PUBLICHOST:localhost}
      publicprotocol: ${CAMELEER_SAAS_PROVISIONING_PUBLICPROTOCOL:https}
      datasourceurl: ${CAMELEER_SAAS_PROVISIONING_DATASOURCEURL:jdbc:postgresql://postgres:5432/cameleer3}
-      clickhouseurl: ${CAMELEER_SAAS_PROVISIONING_CLICKHOUSEURL:jdbc:clickhouse://clickhouse:8123/cameleer}
+      clickhouseurl: ${CAMELEER_SAAS_PROVISIONING_CLICKHOUSEURL:jdbc:clickhouse://clickhouse:8123/cameleer?user=default&password=cameleer_ch}
      oidcissueruri: ${cameleer.saas.provisioning.publicprotocol}://${cameleer.saas.provisioning.publichost}/oidc
      oidcjwkseturi: http://logto:3001/oidc/jwks
      corsorigins: ${cameleer.saas.provisioning.publicprotocol}://${cameleer.saas.provisioning.publichost}