fix: ClickHouse auth credentials and non-fatal schema init

- Set CLICKHOUSE_USER/PASSWORD via k8s secret (fixes "disabling network access for user 'default'" when no password is set) - Add clickhouse-credentials secret to CI deploy + feature branch copy - Pass CLICKHOUSE_USERNAME/PASSWORD env vars to server pod - Make schema initializer non-fatal so server starts even if CH is temporarily unavailable Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-31 17:54:44 +02:00
parent aa5fc1b830
commit f8505401d7
4 changed files with 49 additions and 14 deletions
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -222,6 +222,12 @@ jobs:
            --from-literal=AUTHENTIK_SECRET_KEY="${AUTHENTIK_SECRET_KEY}" \
            --dry-run=client -o yaml | kubectl apply -f -

+          kubectl create secret generic clickhouse-credentials \
+            --namespace=cameleer \
+            --from-literal=CLICKHOUSE_USER="${CLICKHOUSE_USER:-default}" \
+            --from-literal=CLICKHOUSE_PASSWORD="$CLICKHOUSE_PASSWORD" \
+            --dry-run=client -o yaml | kubectl apply -f -
+
          kubectl apply -f deploy/postgres.yaml
          kubectl -n cameleer rollout status statefulset/postgres --timeout=120s

@@ -256,6 +262,8 @@ jobs:
          AUTHENTIK_PG_USER: ${{ secrets.AUTHENTIK_PG_USER }}
          AUTHENTIK_PG_PASSWORD: ${{ secrets.AUTHENTIK_PG_PASSWORD }}
          AUTHENTIK_SECRET_KEY: ${{ secrets.AUTHENTIK_SECRET_KEY }}
+          CLICKHOUSE_USER: ${{ secrets.CLICKHOUSE_USER }}
+          CLICKHOUSE_PASSWORD: ${{ secrets.CLICKHOUSE_PASSWORD }}

  deploy-feature:
    needs: docker
@@ -295,7 +303,7 @@ jobs:
        run: kubectl create namespace "$BRANCH_NS" --dry-run=client -o yaml | kubectl apply -f -
      - name: Copy secrets from cameleer namespace
        run: |
-          for SECRET in gitea-registry postgres-credentials opensearch-credentials cameleer-auth; do
+          for SECRET in gitea-registry postgres-credentials opensearch-credentials clickhouse-credentials cameleer-auth; do
            kubectl get secret "$SECRET" -n cameleer -o json \
              | jq 'del(.metadata.namespace, .metadata.resourceVersion, .metadata.uid, .metadata.creationTimestamp, .metadata.managedFields)' \
              | kubectl apply -n "$BRANCH_NS" -f -
--- a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/config/ClickHouseSchemaInitializer.java
+++ b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/config/ClickHouseSchemaInitializer.java
@@ -30,7 +30,8 @@ public class ClickHouseSchemaInitializer {
    }

    @EventListener(ApplicationReadyEvent.class)
-    public void initializeSchema() throws IOException {
+    public void initializeSchema() {
+        try {
            PathMatchingResourcePatternResolver resolver = new PathMatchingResourcePatternResolver();
            Resource[] scripts = resolver.getResources("classpath:clickhouse/*.sql");

@@ -48,5 +49,8 @@ public class ClickHouseSchemaInitializer {
            }

            log.info("ClickHouse schema initialization complete ({} scripts)", scripts.length);
+        } catch (Exception e) {
+            log.error("ClickHouse schema initialization failed — server will continue but ClickHouse features may not work", e);
+        }
    }
 }
--- a/deploy/base/server.yaml
+++ b/deploy/base/server.yaml
@@ -79,6 +79,16 @@ spec:
              value: "true"
            - name: CLICKHOUSE_URL
              value: "jdbc:clickhouse://clickhouse.cameleer.svc.cluster.local:8123/cameleer?async_insert=1&wait_for_async_insert=0"
+            - name: CLICKHOUSE_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: clickhouse-credentials
+                  key: CLICKHOUSE_USER
+            - name: CLICKHOUSE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: clickhouse-credentials
+                  key: CLICKHOUSE_PASSWORD
            - name: CAMELEER_STORAGE_METRICS
              value: "postgres"

--- a/deploy/clickhouse.yaml
+++ b/deploy/clickhouse.yaml
@@ -17,6 +17,19 @@ spec:
      containers:
        - name: clickhouse
          image: clickhouse/clickhouse-server:24.12
+          env:
+            - name: CLICKHOUSE_USER
+              valueFrom:
+                secretKeyRef:
+                  name: clickhouse-credentials
+                  key: CLICKHOUSE_USER
+            - name: CLICKHOUSE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: clickhouse-credentials
+                  key: CLICKHOUSE_PASSWORD
+            - name: CLICKHOUSE_DEFAULT_ACCESS_MANAGEMENT
+              value: "1"
          ports:
            - containerPort: 8123
              name: http