Move ClickHouse credentials to K8s Secret #33

Closed
opened 2026-03-12 21:23:08 +01:00 by claude · 2 comments
Owner

Problem

ClickHouse credentials are hardcoded in plaintext in deploy/clickhouse.yaml (CLICKHOUSE_USER=cameleer, CLICKHOUSE_PASSWORD=cameleer_dev). With the new NodePort service (30123, 30900), ClickHouse is now reachable from the network, making this a security concern.

Solution

  • Create a K8s Secret for ClickHouse credentials (similar to cameleer-auth secret pattern)
  • Update the ClickHouse StatefulSet to reference the secret via secretKeyRef
  • Add the secret creation to the CI deploy step (idempotent --dry-run=client | kubectl apply)
  • Consider also adding a NetworkPolicy to restrict ClickHouse access to known pods/IPs

Priority

High — exposed credentials on the network.

Author
Owner

Priority increased: ClickHouse is now exposed externally via NodePort (30123/30900) with plaintext credentials (cameleer/cameleer_dev) in the StatefulSet env vars. Moving to K8s Secrets should be done before any production use.

Author
Owner

Implemented: ClickHouse credentials moved to K8s secret clickhouse-credentials. Both deploy/server.yaml and deploy/clickhouse.yaml now use secretKeyRef. CI deploy step creates the secret idempotently from CLICKHOUSE_USER and CLICKHOUSE_PASSWORD Gitea CI secrets.

Prerequisite: Add CLICKHOUSE_USER and CLICKHOUSE_PASSWORD as Gitea CI secrets before next deploy.

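Added example (not code from the repository or from the issue author): a POSIX sh sketch of the CI deploy step described in the issue and in the closing comment, creating the `clickhouse-credentials` Secret idempotently from the `CLICKHOUSE_USER` / `CLICKHOUSE_PASSWORD` CI secrets. The namespace, the `require_var` guard and the function names are assumptions; the secret name and key names come from the thread.

```shell
#!/usr/bin/env sh
# CI deploy step: create/update the clickhouse-credentials Secret from the
# CLICKHOUSE_USER / CLICKHOUSE_PASSWORD CI secrets. Namespace and function
# names are assumptions for this example.
SECRET_NAME="${SECRET_NAME:-clickhouse-credentials}"
NAMESPACE="${NAMESPACE:-default}"

# Fail early if a CI secret is missing: `kubectl create secret --from-literal`
# accepts an empty value, and ClickHouse would then start with blank credentials.
require_var() {
  eval "val=\${$1:-}"
  if [ -z "$val" ]; then
    echo "error: $1 is not set (add it as a Gitea CI secret)" >&2
    return 1
  fi
}

# Offline rendering of the same Secret that
#   kubectl create secret generic ... --dry-run=client -o yaml
# prints, so the manifest can be reviewed without cluster access.
render_secret_manifest() {
  user_b64=$(printf '%s' "$CLICKHOUSE_USER" | base64 | tr -d '\n')
  pass_b64=$(printf '%s' "$CLICKHOUSE_PASSWORD" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $SECRET_NAME
  namespace: $NAMESPACE
type: Opaque
data:
  CLICKHOUSE_USER: $user_b64
  CLICKHOUSE_PASSWORD: $pass_b64
EOF
}

# Idempotent apply: the dry-run builds the manifest client-side and
# `kubectl apply` creates it on the first run and updates it on later runs,
# so re-running the deploy step neither fails nor needs a delete-then-create.
deploy_clickhouse_secret() {
  require_var CLICKHOUSE_USER || return 1
  require_var CLICKHOUSE_PASSWORD || return 1
  kubectl create secret generic "$SECRET_NAME" -n "$NAMESPACE" \
    --from-literal=CLICKHOUSE_USER="$CLICKHOUSE_USER" \
    --from-literal=CLICKHOUSE_PASSWORD="$CLICKHOUSE_PASSWORD" \
    --dry-run=client -o yaml | kubectl apply -f -
}
```

The StatefulSet and server Deployment then pull the two keys with `secretKeyRef` instead of literal `value:` entries, as the closing comment describes. Note that a plain `kubectl create secret` without the dry-run pipeline fails with AlreadyExists on the second deploy, which is why the apply form is used.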