Move ClickHouse credentials to K8s Secret and add health probes

- ClickHouse user/password now injected via `clickhouse-credentials` Secret instead of hardcoded plaintext in deploy manifests (#33) - CI deploy step creates the secret idempotently from Gitea CI secrets - Added liveness/readiness probes: server uses /api/v1/health, ClickHouse uses /ping (#35) - Updated HOWTO.md and CLAUDE.md with new secrets and probe details Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 10:59:15 +01:00
parent d229365eaf
commit 9c2391e5d4
5 changed files with 59 additions and 6 deletions
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -134,6 +134,12 @@ jobs:
            --from-literal=CAMELEER_AUTH_TOKEN="$CAMELEER_AUTH_TOKEN" \
            --dry-run=client -o yaml | kubectl apply -f -

+          kubectl create secret generic clickhouse-credentials \
+            --namespace=cameleer \
+            --from-literal=CLICKHOUSE_USER="$CLICKHOUSE_USER" \
+            --from-literal=CLICKHOUSE_PASSWORD="$CLICKHOUSE_PASSWORD" \
+            --dry-run=client -o yaml | kubectl apply -f -
+
          kubectl apply -f deploy/clickhouse.yaml
          kubectl -n cameleer rollout status statefulset/clickhouse --timeout=120s

@@ -144,3 +150,5 @@ jobs:
        env:
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
          CAMELEER_AUTH_TOKEN: ${{ secrets.CAMELEER_AUTH_TOKEN }}
+          CLICKHOUSE_USER: ${{ secrets.CLICKHOUSE_USER }}
+          CLICKHOUSE_PASSWORD: ${{ secrets.CLICKHOUSE_PASSWORD }}
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -50,5 +50,6 @@ java -jar cameleer3-server-app/target/cameleer3-server-app-1.0-SNAPSHOT.jar
 - Registry: `gitea.siegeln.net/cameleer/cameleer3-server` (container images)
 - K8s manifests in `deploy/` — ClickHouse StatefulSet + server Deployment + NodePort Service (30081)
 - Deployment target: k3s at 192.168.50.86, namespace `cameleer`
- Secrets managed in CI deploy step (idempotent `--dry-run=client | kubectl apply`)
+- Secrets managed in CI deploy step (idempotent `--dry-run=client | kubectl apply`): `cameleer-auth`, `clickhouse-credentials`
+- K8s probes: server uses `/api/v1/health`, ClickHouse uses `/ping`
 - Docker build uses buildx registry cache + `--provenance=false` for Gitea compatibility
--- a/HOWTO.md
+++ b/HOWTO.md
@@ -279,7 +279,7 @@ cameleer namespace:

 Push to `main` triggers: **build** (Maven, unit tests) → **docker** (buildx cross-compile amd64, push to Gitea registry) → **deploy** (kubectl apply + rolling update).

-Required Gitea org secrets: `REGISTRY_TOKEN`, `KUBECONFIG_BASE64`, `CAMELEER_AUTH_TOKEN`.
+Required Gitea org secrets: `REGISTRY_TOKEN`, `KUBECONFIG_BASE64`, `CAMELEER_AUTH_TOKEN`, `CLICKHOUSE_USER`, `CLICKHOUSE_PASSWORD`.

 ### Manual K8s Commands

--- a/deploy/clickhouse.yaml
+++ b/deploy/clickhouse.yaml
@@ -24,9 +24,15 @@ spec:
              name: native
          env:
            - name: CLICKHOUSE_USER
-              value: cameleer
+              valueFrom:
+                secretKeyRef:
+                  name: clickhouse-credentials
+                  key: CLICKHOUSE_USER
            - name: CLICKHOUSE_PASSWORD
-              value: cameleer_dev
+              valueFrom:
+                secretKeyRef:
+                  name: clickhouse-credentials
+                  key: CLICKHOUSE_PASSWORD
            - name: CLICKHOUSE_DB
              value: cameleer3
          volumeMounts:
@@ -39,6 +45,22 @@ spec:
            limits:
              memory: "2Gi"
              cpu: "1000m"
+          livenessProbe:
+            httpGet:
+              path: /ping
+              port: 8123
+            initialDelaySeconds: 15
+            periodSeconds: 10
+            timeoutSeconds: 3
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /ping
+              port: 8123
+            initialDelaySeconds: 5
+            periodSeconds: 5
+            timeoutSeconds: 3
+            failureThreshold: 3
  volumeClaimTemplates:
    - metadata:
        name: data
--- a/deploy/server.yaml
+++ b/deploy/server.yaml
@@ -24,9 +24,15 @@ spec:
            - name: SPRING_DATASOURCE_URL
              value: "jdbc:ch://clickhouse:8123/cameleer3"
            - name: SPRING_DATASOURCE_USERNAME
-              value: "cameleer"
+              valueFrom:
+                secretKeyRef:
+                  name: clickhouse-credentials
+                  key: CLICKHOUSE_USER
            - name: SPRING_DATASOURCE_PASSWORD
-              value: "cameleer_dev"
+              valueFrom:
+                secretKeyRef:
+                  name: clickhouse-credentials
+                  key: CLICKHOUSE_PASSWORD
            - name: CAMELEER_AUTH_TOKEN
              valueFrom:
                secretKeyRef:
@@ -39,6 +45,22 @@ spec:
            limits:
              memory: "512Mi"
              cpu: "500m"
+          livenessProbe:
+            httpGet:
+              path: /api/v1/health
+              port: 8081
+            initialDelaySeconds: 30
+            periodSeconds: 10
+            timeoutSeconds: 3
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /api/v1/health
+              port: 8081
+            initialDelaySeconds: 10
+            periodSeconds: 5
+            timeoutSeconds: 3
+            failureThreshold: 3
 ---
 apiVersion: v1
 kind: Service