deploy: remove obsolete ClickHouse K8s manifest

ci: update workflow for PostgreSQL + OpenSearch deployment
Replace ClickHouse credentials secret with postgres-credentials and opensearch-credentials secrets. Update deploy step to apply postgres.yaml and opensearch.yaml manifests instead of clickhouse.yaml, with appropriate rollout status checks for each StatefulSet. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-16 19:01:26 +01:00 · 2026-03-16 19:00:20 +01:00 · 2026-03-16 18:58:35 +01:00
6 changed files with 204 additions and 120 deletions
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -161,10 +161,17 @@ jobs:
            --from-literal=CAMELEER_JWT_SECRET="${CAMELEER_JWT_SECRET}" \
            --dry-run=client -o yaml | kubectl apply -f -

-          kubectl create secret generic clickhouse-credentials \
+          kubectl create secret generic postgres-credentials \
            --namespace=cameleer \
-            --from-literal=CLICKHOUSE_USER="$CLICKHOUSE_USER" \
-            --from-literal=CLICKHOUSE_PASSWORD="$CLICKHOUSE_PASSWORD" \
+            --from-literal=POSTGRES_USER="$POSTGRES_USER" \
+            --from-literal=POSTGRES_PASSWORD="$POSTGRES_PASSWORD" \
+            --from-literal=POSTGRES_DB="${POSTGRES_DB:-cameleer}" \
+            --dry-run=client -o yaml | kubectl apply -f -
+
+          kubectl create secret generic opensearch-credentials \
+            --namespace=cameleer \
+            --from-literal=OPENSEARCH_USER="${OPENSEARCH_USER:-admin}" \
+            --from-literal=OPENSEARCH_PASSWORD="$OPENSEARCH_PASSWORD" \
            --dry-run=client -o yaml | kubectl apply -f -

          kubectl create secret generic authentik-credentials \
@@ -182,8 +189,11 @@ jobs:
            --from-literal=CAMELEER_OIDC_CLIENT_SECRET="${CAMELEER_OIDC_CLIENT_SECRET}" \
            --dry-run=client -o yaml | kubectl apply -f -

-          kubectl apply -f deploy/clickhouse.yaml
-          kubectl -n cameleer rollout status statefulset/clickhouse --timeout=120s
+          kubectl apply -f deploy/postgres.yaml
+          kubectl -n cameleer rollout status statefulset/postgres --timeout=120s
+
+          kubectl apply -f deploy/opensearch.yaml
+          kubectl -n cameleer rollout status statefulset/opensearch --timeout=180s

          kubectl apply -f deploy/authentik.yaml
          kubectl -n cameleer rollout status deployment/authentik-server --timeout=180s
@@ -203,8 +213,11 @@ jobs:
          CAMELEER_JWT_SECRET: ${{ secrets.CAMELEER_JWT_SECRET }}
          CAMELEER_UI_USER: ${{ secrets.CAMELEER_UI_USER }}
          CAMELEER_UI_PASSWORD: ${{ secrets.CAMELEER_UI_PASSWORD }}
-          CLICKHOUSE_USER: ${{ secrets.CLICKHOUSE_USER }}
-          CLICKHOUSE_PASSWORD: ${{ secrets.CLICKHOUSE_PASSWORD }}
+          POSTGRES_USER: ${{ secrets.POSTGRES_USER }}
+          POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}
+          POSTGRES_DB: ${{ secrets.POSTGRES_DB }}
+          OPENSEARCH_USER: ${{ secrets.OPENSEARCH_USER }}
+          OPENSEARCH_PASSWORD: ${{ secrets.OPENSEARCH_PASSWORD }}
          AUTHENTIK_PG_USER: ${{ secrets.AUTHENTIK_PG_USER }}
          AUTHENTIK_PG_PASSWORD: ${{ secrets.AUTHENTIK_PG_PASSWORD }}
          AUTHENTIK_SECRET_KEY: ${{ secrets.AUTHENTIK_SECRET_KEY }}
--- a/3
+++ b/3
@@ -18,9 +18,10 @@ FROM eclipse-temurin:17-jre
 WORKDIR /app
 COPY --from=build /build/cameleer3-server-app/target/cameleer3-server-app-*.jar /app/server.jar

-ENV SPRING_DATASOURCE_URL=jdbc:ch://clickhouse:8123/cameleer3
+ENV SPRING_DATASOURCE_URL=jdbc:postgresql://postgres:5432/cameleer3
 ENV SPRING_DATASOURCE_USERNAME=cameleer
 ENV SPRING_DATASOURCE_PASSWORD=cameleer_dev
+ENV OPENSEARCH_URL=http://opensearch:9200

 EXPOSE 8081
 ENTRYPOINT exec java -jar /app/server.jar
--- a/deploy/clickhouse.yaml
+++ b/deploy/clickhouse.yaml
@@ -1,107 +0,0 @@
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: clickhouse
-  namespace: cameleer
-spec:
-  serviceName: clickhouse
-  replicas: 1
-  selector:
-    matchLabels:
-      app: clickhouse
-  template:
-    metadata:
-      labels:
-        app: clickhouse
-    spec:
-      containers:
-        - name: clickhouse
-          image: clickhouse/clickhouse-server:25.3
-          ports:
-            - containerPort: 8123
-              name: http
-            - containerPort: 9000
-              name: native
-          env:
-            - name: CLICKHOUSE_USER
-              valueFrom:
-                secretKeyRef:
-                  name: clickhouse-credentials
-                  key: CLICKHOUSE_USER
-            - name: CLICKHOUSE_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: clickhouse-credentials
-                  key: CLICKHOUSE_PASSWORD
-            - name: CLICKHOUSE_DB
-              value: cameleer3
-          volumeMounts:
-            - name: data
-              mountPath: /var/lib/clickhouse
-          resources:
-            requests:
-              memory: "1Gi"
-              cpu: "200m"
-            limits:
-              memory: "4Gi"
-              cpu: "1000m"
-          livenessProbe:
-            httpGet:
-              path: /ping
-              port: 8123
-            initialDelaySeconds: 15
-            periodSeconds: 10
-            timeoutSeconds: 3
-            failureThreshold: 3
-          readinessProbe:
-            httpGet:
-              path: /ping
-              port: 8123
-            initialDelaySeconds: 5
-            periodSeconds: 5
-            timeoutSeconds: 3
-            failureThreshold: 3
-  volumeClaimTemplates:
-    - metadata:
-        name: data
-      spec:
-        accessModes: ["ReadWriteOnce"]
-        resources:
-          requests:
-            storage: 2Gi
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: clickhouse
-  namespace: cameleer
-spec:
-  clusterIP: None
-  selector:
-    app: clickhouse
-  ports:
-    - port: 8123
-      targetPort: 8123
-      name: http
-    - port: 9000
-      targetPort: 9000
-      name: native
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: clickhouse-external
-  namespace: cameleer
-spec:
-  type: NodePort
-  selector:
-    app: clickhouse
-  ports:
-    - port: 8123
-      targetPort: 8123
-      nodePort: 30123
-      name: http
-    - port: 9000
-      targetPort: 9000
-      nodePort: 30900
-      name: native
--- a/deploy/opensearch.yaml
+++ b/deploy/opensearch.yaml
@@ -0,0 +1,84 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: opensearch
+  namespace: cameleer
+spec:
+  serviceName: opensearch
+  replicas: 1
+  selector:
+    matchLabels:
+      app: opensearch
+  template:
+    metadata:
+      labels:
+        app: opensearch
+    spec:
+      containers:
+        - name: opensearch
+          image: opensearchproject/opensearch:2.19.0
+          ports:
+            - containerPort: 9200
+              name: http
+            - containerPort: 9300
+              name: transport
+          env:
+            - name: discovery.type
+              value: single-node
+            - name: DISABLE_SECURITY_PLUGIN
+              value: "true"
+          volumeMounts:
+            - name: data
+              mountPath: /usr/share/opensearch/data
+          resources:
+            requests:
+              memory: "1Gi"
+              cpu: "200m"
+            limits:
+              memory: "4Gi"
+              cpu: "1000m"
+          livenessProbe:
+            exec:
+              command:
+                - sh
+                - -c
+                - curl -s http://localhost:9200/_cluster/health
+            initialDelaySeconds: 30
+            periodSeconds: 10
+            timeoutSeconds: 5
+            failureThreshold: 3
+          readinessProbe:
+            exec:
+              command:
+                - sh
+                - -c
+                - curl -s http://localhost:9200/_cluster/health
+            initialDelaySeconds: 15
+            periodSeconds: 10
+            timeoutSeconds: 5
+            failureThreshold: 3
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 10Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: opensearch
+  namespace: cameleer
+spec:
+  clusterIP: None
+  selector:
+    app: opensearch
+  ports:
+    - port: 9200
+      targetPort: 9200
+      name: http
+    - port: 9300
+      targetPort: 9300
+      name: transport
--- a/deploy/postgres.yaml
+++ b/deploy/postgres.yaml
@@ -0,0 +1,91 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: postgres
+  namespace: cameleer
+spec:
+  serviceName: postgres
+  replicas: 1
+  selector:
+    matchLabels:
+      app: postgres
+  template:
+    metadata:
+      labels:
+        app: postgres
+    spec:
+      containers:
+        - name: postgres
+          image: timescale/timescaledb:latest-pg16
+          ports:
+            - containerPort: 5432
+              name: postgres
+          env:
+            - name: POSTGRES_DB
+              value: cameleer3
+            - name: POSTGRES_USER
+              valueFrom:
+                secretKeyRef:
+                  name: postgres-credentials
+                  key: POSTGRES_USER
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: postgres-credentials
+                  key: POSTGRES_PASSWORD
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/postgresql/data
+          resources:
+            requests:
+              memory: "1Gi"
+              cpu: "200m"
+            limits:
+              memory: "4Gi"
+              cpu: "1000m"
+          livenessProbe:
+            exec:
+              command:
+                - pg_isready
+                - -U
+                - cameleer
+                - -d
+                - cameleer3
+            initialDelaySeconds: 15
+            periodSeconds: 10
+            timeoutSeconds: 3
+            failureThreshold: 3
+          readinessProbe:
+            exec:
+              command:
+                - pg_isready
+                - -U
+                - cameleer
+                - -d
+                - cameleer3
+            initialDelaySeconds: 5
+            periodSeconds: 5
+            timeoutSeconds: 3
+            failureThreshold: 3
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 10Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: postgres
+  namespace: cameleer
+spec:
+  clusterIP: None
+  selector:
+    app: postgres
+  ports:
+    - port: 5432
+      targetPort: 5432
+      name: postgres
--- a/deploy/server.yaml
+++ b/deploy/server.yaml
@@ -22,17 +22,19 @@ spec:
            - containerPort: 8081
          env:
            - name: SPRING_DATASOURCE_URL
-              value: "jdbc:ch://clickhouse:8123/cameleer3"
+              value: "jdbc:postgresql://postgres:5432/cameleer3"
            - name: SPRING_DATASOURCE_USERNAME
              valueFrom:
                secretKeyRef:
-                  name: clickhouse-credentials
-                  key: CLICKHOUSE_USER
+                  name: postgres-credentials
+                  key: POSTGRES_USER
            - name: SPRING_DATASOURCE_PASSWORD
              valueFrom:
                secretKeyRef:
-                  name: clickhouse-credentials
-                  key: CLICKHOUSE_PASSWORD
+                  name: postgres-credentials
+                  key: POSTGRES_PASSWORD
+            - name: OPENSEARCH_URL
+              value: "http://opensearch:9200"
            - name: CAMELEER_AUTH_TOKEN
              valueFrom:
                secretKeyRef: