Move ClickHouse credentials to K8s Secret and add health probes

- ClickHouse user/password now injected via `clickhouse-credentials` Secret
  instead of hardcoded plaintext in deploy manifests (#33)
- CI deploy step creates the secret idempotently from Gitea CI secrets
- Added liveness/readiness probes: server uses /api/v1/health, ClickHouse
  uses /ping (#35)
- Updated HOWTO.md and CLAUDE.md with new secrets and probe details

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.gitea/workflows/ci.yml

@@ -134,6 +134,12 @@ jobs:
             --from-literal=CAMELEER_AUTH_TOKEN="$CAMELEER_AUTH_TOKEN" \
             --dry-run=client -o yaml | kubectl apply -f -
 
+          kubectl create secret generic clickhouse-credentials \
+            --namespace=cameleer \
+            --from-literal=CLICKHOUSE_USER="$CLICKHOUSE_USER" \
+            --from-literal=CLICKHOUSE_PASSWORD="$CLICKHOUSE_PASSWORD" \
+            --dry-run=client -o yaml | kubectl apply -f -
+
           kubectl apply -f deploy/clickhouse.yaml
           kubectl -n cameleer rollout status statefulset/clickhouse --timeout=120s
 
@@ -144,3 +150,5 @@ jobs:
         env:
           REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
           CAMELEER_AUTH_TOKEN: ${{ secrets.CAMELEER_AUTH_TOKEN }}
+          CLICKHOUSE_USER: ${{ secrets.CLICKHOUSE_USER }}
+          CLICKHOUSE_PASSWORD: ${{ secrets.CLICKHOUSE_PASSWORD }}

CLAUDE.md

@@ -50,5 +50,6 @@ java -jar cameleer3-server-app/target/cameleer3-server-app-1.0-SNAPSHOT.jar
 - Registry: `gitea.siegeln.net/cameleer/cameleer3-server` (container images)
 - K8s manifests in `deploy/` — ClickHouse StatefulSet + server Deployment + NodePort Service (30081)
 - Deployment target: k3s at 192.168.50.86, namespace `cameleer`
-- Secrets managed in CI deploy step (idempotent `--dry-run=client | kubectl apply`)
+- Secrets managed in CI deploy step (idempotent `--dry-run=client | kubectl apply`): `cameleer-auth`, `clickhouse-credentials`
+- K8s probes: server uses `/api/v1/health`, ClickHouse uses `/ping`
 - Docker build uses buildx registry cache + `--provenance=false` for Gitea compatibility

HOWTO.md

@@ -279,7 +279,7 @@ cameleer namespace:
 
 Push to `main` triggers: **build** (Maven, unit tests) → **docker** (buildx cross-compile amd64, push to Gitea registry) → **deploy** (kubectl apply + rolling update).
 
-Required Gitea org secrets: `REGISTRY_TOKEN`, `KUBECONFIG_BASE64`, `CAMELEER_AUTH_TOKEN`.
+Required Gitea org secrets: `REGISTRY_TOKEN`, `KUBECONFIG_BASE64`, `CAMELEER_AUTH_TOKEN`, `CLICKHOUSE_USER`, `CLICKHOUSE_PASSWORD`.
 
 ### Manual K8s Commands
 

deploy/clickhouse.yaml

@@ -24,9 +24,15 @@ spec:
               name: native
           env:
             - name: CLICKHOUSE_USER
-              value: cameleer
+              valueFrom:
+                secretKeyRef:
+                  name: clickhouse-credentials
+                  key: CLICKHOUSE_USER
             - name: CLICKHOUSE_PASSWORD
-              value: cameleer_dev
+              valueFrom:
+                secretKeyRef:
+                  name: clickhouse-credentials
+                  key: CLICKHOUSE_PASSWORD
             - name: CLICKHOUSE_DB
               value: cameleer3
           volumeMounts:
@@ -39,6 +45,22 @@ spec:
             limits:
               memory: "2Gi"
               cpu: "1000m"
+          livenessProbe:
+            httpGet:
+              path: /ping
+              port: 8123
+            initialDelaySeconds: 15
+            periodSeconds: 10
+            timeoutSeconds: 3
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /ping
+              port: 8123
+            initialDelaySeconds: 5
+            periodSeconds: 5
+            timeoutSeconds: 3
+            failureThreshold: 3
   volumeClaimTemplates:
     - metadata:
         name: data

deploy/server.yaml

@@ -24,9 +24,15 @@ spec:
             - name: SPRING_DATASOURCE_URL
               value: "jdbc:ch://clickhouse:8123/cameleer3"
             - name: SPRING_DATASOURCE_USERNAME
-              value: "cameleer"
+              valueFrom:
+                secretKeyRef:
+                  name: clickhouse-credentials
+                  key: CLICKHOUSE_USER
             - name: SPRING_DATASOURCE_PASSWORD
-              value: "cameleer_dev"
+              valueFrom:
+                secretKeyRef:
+                  name: clickhouse-credentials
+                  key: CLICKHOUSE_PASSWORD
             - name: CAMELEER_AUTH_TOKEN
               valueFrom:
                 secretKeyRef:
@@ -39,6 +45,22 @@ spec:
             limits:
               memory: "512Mi"
               cpu: "500m"
+          livenessProbe:
+            httpGet:
+              path: /api/v1/health
+              port: 8081
+            initialDelaySeconds: 30
+            periodSeconds: 10
+            timeoutSeconds: 3
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /api/v1/health
+              port: 8081
+            initialDelaySeconds: 10
+            periodSeconds: 5
+            timeoutSeconds: 3
+            failureThreshold: 3
 ---
 apiVersion: v1
 kind: Service