clickhouse-operator

Helm chart

Last changed

Request a free trial

Contact our team to test out this Helm chart and related images for free. Please also indicate any other images you would like to evaluate.

Tag:

namespaceOverride: ""

# commonLabels -- set of labels that will be applied to all the resources for the operator

commonLabels: {}

# commonAnnotations -- set of annotations that will be applied to all the resources for the operator

commonAnnotations: {}

deployment:

# look details in `kubectl explain deployment.spec.strategy`

strategy:

type: Recreate

crdHook:

# crdHook.enabled -- enable automatic CRD installation/update via pre-install/pre-upgrade hooks

# when disabled, CRDs must be installed manually using kubectl apply

enabled: true

image:

# crdHook.image.repository -- image repository for CRD installation job

repository: chainreg.biz/chainguard-private/kubectl

# crdHook.image.tag -- image tag for CRD installation job

tag: latest-dev@sha256:19c23266240686468098e30d6160fe904135c8820fa012ece3ee16265b2f1bab

# crdHook.image.pullPolicy -- image pull policy for CRD installation job

pullPolicy: IfNotPresent

# crdHook.imagePullSecrets -- image pull secrets for CRD installation job

# possible value format `[{"name":"your-secret-name"}]`,

# check `kubectl explain pod.spec.imagePullSecrets` for details

imagePullSecrets: []

# crdHook.resources -- resource limits and requests for CRD installation job

resources: {}

# limits:

# cpu: 100m

# memory: 128Mi

# requests:

# cpu: 100m

# memory: 128Mi

# crdHook.nodeSelector -- node selector for CRD installation job

nodeSelector: {}

# crdHook.tolerations -- tolerations for CRD installation job

tolerations: []

# crdHook.affinity -- affinity for CRD installation job

affinity: {}

# crdHook.annotations -- additional annotations for CRD installation job

annotations: {}

# crdHook.containerSecurityContext -- container security context for CRD installation job

# check `kubectl explain pod.spec.containers.securityContext` for details

containerSecurityContext: {}

# allowPrivilegeEscalation: false

# capabilities:

# drop:

# - ALL

# runAsNonRoot: true

# seccompProfile:

# type: RuntimeDefault

operator:

image:

# operator.image.registry -- optional image registry prefix (e.g. 1234567890.dkr.ecr.us-east-1.amazonaws.com)

registry: ""

# operator.image.repository -- image repository

repository: chainreg.biz/chainguard-private/clickhouse-operator

# operator.image.tag -- image tag (chart's appVersion value will be used if not set)

tag: latest@sha256:3c0fdf2ccaecc508f614209be709e594018027e21906795ab4f572796ef9c997

# operator.image.pullPolicy -- image pull policy

pullPolicy: IfNotPresent

containerSecurityContext: {}

# operator.resources -- custom resource configuration, check `kubectl explain pod.spec.containers.resources` for details

resources: {}

# limits:

# cpu: 100m

# memory: 128Mi

# requests:

# cpu: 100m

# memory: 128Mi

# operator.priorityClassName -- priority class name for the clickhouse-operator deployment, check `kubectl explain pod.spec.priorityClassName` for details

# @default -- ""

priorityClassName: ""

# operator.env -- additional environment variables for the clickhouse-operator container in deployment

# possible format value `[{"name": "SAMPLE", "value": "text"}]`

env: []

# operator.livenessProbe -- optional liveness probe for the clickhouse-operator container

# check `kubectl explain pod.spec.containers.livenessProbe` for details

# example:

# httpGet:

# path: /metrics

# port: op-metrics

# initialDelaySeconds: 10

# periodSeconds: 10

livenessProbe: null

# operator.readinessProbe -- optional readiness probe for the clickhouse-operator container

# check `kubectl explain pod.spec.containers.readinessProbe` for details

# example:

# httpGet:

# path: /metrics

# port: op-metrics

# initialDelaySeconds: 5

# periodSeconds: 5

readinessProbe: null

metrics:

enabled: true

image:

# metrics.image.registry -- optional image registry prefix (e.g. 1234567890.dkr.ecr.us-east-1.amazonaws.com)

registry: ""

100

# metrics.image.repository -- image repository

101

repository: chainreg.biz/chainguard-private/clickhouse-operator-metrics-exporter

102

# metrics.image.tag -- image tag (chart's appVersion value will be used if not set)

103

tag: latest@sha256:d716977557dd5a74b7266ae685b0fd3675d01bd79ced5169c3fd16e1e683593d

104

# metrics.image.pullPolicy -- image pull policy

105

pullPolicy: IfNotPresent

106

containerSecurityContext: {}

107

# metrics.resources -- custom resource configuration

108

resources: {}

109

# limits:

110

# cpu: 100m

111

# memory: 128Mi

112

# requests:

113

# cpu: 100m

114

# memory: 128Mi

115

116

# metrics.env -- additional environment variables for the deployment of metrics-exporter containers

117

# possible format value `[{"name": "SAMPLE", "value": "text"}]`

118

env: []

119

# metrics.livenessProbe -- optional liveness probe for the metrics-exporter container

120

# check `kubectl explain pod.spec.containers.livenessProbe` for details

121

# example:

122

# httpGet:

123

# path: /metrics

124

# port: ch-metrics

125

# initialDelaySeconds: 10

126

# periodSeconds: 10

127

livenessProbe: null

128

# metrics.readinessProbe -- optional readiness probe for the metrics-exporter container

129

# check `kubectl explain pod.spec.containers.readinessProbe` for details

130

# example:

131

# httpGet:

132

# path: /metrics

133

# port: ch-metrics

134

# initialDelaySeconds: 5

135

# periodSeconds: 5

136

readinessProbe: null

137

# imagePullSecrets -- image pull secret for private images in clickhouse-operator pod

138

# possible value format `[{"name":"your-secret-name"}]`,

139

# check `kubectl explain pod.spec.imagePullSecrets` for details

140

imagePullSecrets: []

141

# podLabels -- labels to add to the clickhouse-operator pod

142

podLabels: {}

143

# podAnnotations -- annotations to add to the clickhouse-operator pod, check `kubectl explain pod.spec.annotations` for details

144

# @default -- check the `values.yaml` file

145

podAnnotations:

146

prometheus.io/port: '8888'

147

prometheus.io/scrape: 'true'

148

clickhouse-operator-metrics/port: '9999'

149

clickhouse-operator-metrics/scrape: 'true'

150

# nameOverride -- override name of the chart

151

nameOverride: ""

152

# fullnameOverride -- full name of the chart.

153

fullnameOverride: ""

154

serviceAccount:

155

# serviceAccount.create -- specifies whether a service account should be created

156

create: true

157

# serviceAccount.annotations -- annotations to add to the service account

158

annotations: {}

159

# serviceAccount.name -- the name of the service account to use; if not set and create is true, a name is generated using the fullname template

160

name:

161

rbac:

162

# rbac.create -- specifies whether rbac resources should be created

163

create: true

164

# rbac.namespaceScoped -- specifies whether to create roles and rolebindings at the cluster level or namespace level

165

namespaceScoped: false

166

secret:

167

# secret.create -- create a secret with operator credentials

168

create: true

169

# secret.username -- operator credentials username

170

username: clickhouse_operator

171

# secret.password -- operator credentials password

172

password: clickhouse_operator_password

173

# nodeSelector -- node for scheduler pod assignment, check `kubectl explain pod.spec.nodeSelector` for details

174

nodeSelector: {}

175

# tolerations -- tolerations for scheduler pod assignment, check `kubectl explain pod.spec.tolerations` for details

176

tolerations: []

177

# affinity -- affinity for scheduler pod assignment, check `kubectl explain pod.spec.affinity` for details

178

affinity: {}

179

# podSecurityContext - operator deployment SecurityContext, check `kubectl explain pod.spec.securityContext` for details

180

podSecurityContext: {}

181

# topologySpreadConstraints - topologySpreadConstraints affinity for scheduler pod assignment, check `kubectl explain pod.spec.topologySpreadConstraints` for details

182

topologySpreadConstraints: []

183

serviceMonitor:

184

# serviceMonitor.enabled -- ServiceMonitor Custom resource is created for a [prometheus-operator](https://github.com/prometheus-operator/prometheus-operator)

185

# In serviceMonitor will be created two endpoints ch-metrics on port 8888 and op-metrics # 9999. Ypu can specify interval, scrapeTimeout, relabelings, metricRelabelings for each endpoint below

186

enabled: false

187

# serviceMonitor.additionalLabels -- additional labels for service monitor

188

additionalLabels: {}

189

clickhouseMetrics:

190

# serviceMonitor.interval for ch-metrics endpoint --

191

interval: 30s

192

# serviceMonitor.scrapeTimeout for ch-metrics endpoint -- Prometheus ServiceMonitor scrapeTimeout. If empty, Prometheus uses the global scrape timeout unless it is less than the target's scrape interval value in which the latter is used.

193

scrapeTimeout: ""

194

# serviceMonitor.relabelings for ch-metrics endpoint -- Prometheus [RelabelConfigs] to apply to samples before scraping

195

relabelings: []

196

# serviceMonitor.metricRelabelings for ch-metrics endpoint -- Prometheus [MetricRelabelConfigs] to apply to samples before ingestio

197

metricRelabelings: []

198

operatorMetrics:

199

# serviceMonitor.interval for op-metrics endpoint --

200

interval: 30s

201

# serviceMonitor.scrapeTimeout for op-metrics endpoint -- Prometheus ServiceMonitor scrapeTimeout. If empty, Prometheus uses the global scrape timeout unless it is less than the target's scrape interval value in which the latter is used.

202

scrapeTimeout: ""

203

# serviceMonitor.relabelings for op-metrics endpoint -- Prometheus [RelabelConfigs] to apply to samples before scraping

204

relabelings: []

205

# serviceMonitor.metricRelabelings for op-metrics endpoint -- Prometheus [MetricRelabelConfigs] to apply to samples before ingestio

206

metricRelabelings: []

207

# configs -- clickhouse operator configs

208

# @default -- check the `values.yaml` file for the config content (auto-generated from latest operator release)

209

configs:

210

confdFiles: null

211

configdFiles:

212

01-clickhouse-01-listen.xml: |

213

214

215

216

217

218

219

220

221

<listen_host>::</listen_host>

222

<listen_host>0.0.0.0</listen_host>

223

<listen_try>1</listen_try>

224

</yandex>

225

01-clickhouse-02-logger.xml: |

226

227

228

229

230

231

232

233

234

235

<level>debug</level>

236

<log>/var/log/clickhouse-server/clickhouse-server.log</log>

237

<errorlog>/var/log/clickhouse-server/clickhouse-server.err.log</errorlog>

238

239

240

241

242

</logger>

243

</yandex>

244

01-clickhouse-03-query_log.xml: |

245

246

247

248

249

250

251

252

<query_log replace="1">

253

<database>system</database>

254

<table>query_log</table>

255

<engine>Engine = MergeTree PARTITION BY event_date ORDER BY event_time TTL event_date + interval 30 day</engine>

256

<flush_interval_milliseconds>7500</flush_interval_milliseconds>

257

</query_log>

258

<query_thread_log remove="1"/>

259

</yandex>

260

01-clickhouse-04-part_log.xml: |

261

262

263

264

265

266

267

268

<part_log replace="1">

269

<database>system</database>

270

271

<engine>Engine = MergeTree PARTITION BY event_date ORDER BY event_time TTL event_date + interval 30 day</engine>

272

<flush_interval_milliseconds>7500</flush_interval_milliseconds>

273

</part_log>

274

</yandex>

275

01-clickhouse-05-trace_log.xml: |-

276

277

278

279

280

281

282

283

<trace_log replace="1">

284

<database>system</database>

285

<table>trace_log</table>

286

<engine>Engine = MergeTree PARTITION BY event_date ORDER BY event_time TTL event_date + interval 30 day</engine>

287

<flush_interval_milliseconds>7500</flush_interval_milliseconds>

288

</trace_log>

289

</yandex>

290

files:

291

config.yaml:

292

# IMPORTANT

293

# This file is auto-generated

294

# Do not edit this file - all changes would be lost

295

# Edit appropriate template in the following folder:

296

# deploy/builder/templates-config

297

# IMPORTANT

298

299

# Template parameters available:

300

# WATCH_NAMESPACES=

301

# CH_USERNAME_PLAIN=

302

# CH_PASSWORD_PLAIN=

303

# CH_CREDENTIALS_SECRET_NAMESPACE=

304

# CH_CREDENTIALS_SECRET_NAME=clickhouse-operator

305

# VERBOSITY=1

306

307

################################################

308

309

## Watch section

310

311

################################################

312

watch:

313

# Namespaces where clickhouse-operator watches for events.

314

# Concurrently running operators should watch on different namespaces.

315

# `include` and `exclude` accept literal namespace names or regexp patterns.

316

# Empty `include` watches the operator's own namespace (or all namespaces when

317

# the operator runs in `kube-system`); use [".*"] to force watch-all elsewhere.

318

# Empty `exclude` matches none. `exclude` is applied after `include`.

319

namespaces:

320

include: []

321

322

# Behavior when ClickHouseOperatorConfiguration changes: none | restart

323

configuration:

324

onChange: restart

325

clickhouse:

326

configuration:

327

################################################

328

329

## Configuration files section

330

331

################################################

332

file:

333

# Each 'path' can be either absolute or relative.

334

# In case path is absolute - it is used as is

335

# In case path is relative - it is relative to the folder where configuration file you are reading right now is located.

336

path:

337

# Path to the folder where ClickHouse configuration files common for all instances within a CHI are located.

338

common: chi/config.d

339

# Path to the folder where ClickHouse configuration files unique for each instance (host) within a CHI are located.

340

host: chi/conf.d

341

# Path to the folder where ClickHouse configuration files with users' settings are located.

342

# Files are common for all instances within a CHI.

343

user: chi/users.d

344

################################################

345

346

## Configuration users section

347

348

################################################

349

user:

350

# Default settings for user accounts, created by the operator.

351

# IMPORTANT. These are not access credentials or settings for 'default' user account,

352

# it is a template for filling out missing fields for all user accounts to be created by the operator,

353

# with the following EXCEPTIONS:

354

# 1. 'default' user account DOES NOT use provided password, but uses all the rest of the fields.

355

# Password for 'default' user account has to be provided explicitly, if to be used.

356

# 2. CHOP user account DOES NOT use:

357

# - profile setting. It uses predefined profile called 'clickhouse_operator'

358

# - quota setting. It uses empty quota name.

359

# - networks IP setting. Operator specifies 'networks/ip' user setting to match operators' pod IP only.

360

# - password setting. Password for CHOP account is used from 'clickhouse.access.*' section

361

default:

362

# Default values for ClickHouse user account(s) created by the operator

363

# 1. user/profile - string

364

# 2. user/quota - string

365

# 3. user/networks/ip - multiple strings

366

# 4. user/password - string

367

# These values can be overwritten on per-user basis.

368

profile: "default"

369

quota: "default"

370

networksIP:

371

- "::1"

372

- "127.0.0.1"

373

password: "default"

374

################################################

375

376

## Configuration network section

377

378

################################################

379

network:

380

# Default host_regexp to limit network connectivity from outside

381

hostRegexpTemplate: "(chi-{chi}-[^.]+\\d+-\\d+|clickhouse\\-{chi})\\.{namespace}\\.svc\\.cluster\\.local$"

382

################################################

383

384

## Configuration restart policy section

385

## Configuration restart policy describes what configuration changes require ClickHouse restart

386

387

################################################

388

configurationRestartPolicy:

389

rules:

390

# IMPORTANT!

391

# Special version of "*" - default version - has to satisfy all ClickHouse versions.

392

# Default version will also be used in case ClickHouse version is unknown.

393

# ClickHouse version may be unknown due to host being down - for example, because of incorrect "settings" section.

394

# ClickHouse is not willing to start in case incorrect/unknown settings are provided in config file.

395

- version: "*"

396

rules:

397

# see https://kb.altinity.com/altinity-kb-setup-and-maintenance/altinity-kb-server-config-files/#server-config-configxml-sections-which-dont-require-restart

398

# to be replaced with "select * from system.server_settings where changeable_without_restart = 'No'"

399

- settings/*: "yes"

400

# single values

401

- settings/access_control_path: "no"

402

- settings/dictionaries_config: "no"

403

- settings/max_server_memory_*: "no"

404

- settings/max_*_to_drop: "no"

405

- settings/max_concurrent_queries: "no"

406

- settings/models_config: "no"

407

- settings/user_defined_executable_functions_config: "no"

408

# structured XML

409

- settings/logger/*: "no"

410

- settings/macros/*: "no"

411

- settings/remote_servers/*: "no"

412

- settings/user_directories/*: "no"

413

# these settings should not lead to pod restarts

414

- settings/display_secrets_in_show_and_select: "no"

415

- zookeeper/*: "no"

416

- files/*.xml: "yes"

417

- files/config.d/*.xml: "yes"

418

- files/config.d/*dict*.xml: "no"

419

- files/config.d/*no_restart*: "no"

420

# exceptions in default profile

421

- profiles/default/background_*_pool_size: "yes"

422

- profiles/default/max_*_for_server: "yes"

423

- version: "21.*"

424

rules:

425

- settings/logger: "yes"

426

#################################################

427

428

## Access to ClickHouse instances

429

430

################################################

431

access:

432

# Possible values for 'scheme' are:

433

# 1. http - force http to be used to connect to ClickHouse instances

434

# 2. https - force https to be used to connect to ClickHouse instances

435

# 3. auto - either http or https is selected based on open ports

436

scheme: "auto"

437

# ClickHouse credentials (username, password and port) to be used by the operator to connect to ClickHouse instances.

438

# These credentials are used for:

439

# 1. Metrics requests

440

# 2. Schema maintenance

441

# User with these credentials can be specified in additional ClickHouse .xml config files,

442

# located in 'clickhouse.configuration.file.path.user' folder

443

username: ""

444

password: ""

445

rootCA: ""

446

# Location of the k8s Secret with username and password to be used by the operator to connect to ClickHouse instances.

447

# Can be used instead of explicitly specified username and password available in sections:

448

# - clickhouse.access.username

449

# - clickhouse.access.password

450

# Secret should have two keys:

451

# 1. username

452

# 2. password

453

secret:

454

# Empty `namespace` means that k8s secret would be looked in the same namespace where operator's pod is running.

455

namespace: ""

456

# Empty `name` means no k8s Secret would be looked for

457

458

# Port where to connect to ClickHouse instances to

459

port: 8123

460

# Timeouts used to limit connection and queries from the operator to ClickHouse instances

461

# Specified in seconds.

462

timeouts:

463

# Timout to setup connection from the operator to ClickHouse instances. In seconds.

464

connect: 5

465

# Timout to perform SQL query from the operator to ClickHouse instances. In seconds.

466

query: 4

467

################################################

468

469

## Addons specifies additional configuration sections

470

## Should it be called something like "templates"?

471

472

################################################

473

addons:

474

rules:

475

- version: "*"

476

spec:

477

configuration:

478

users:

479

profiles:

480

quotas:

481

settings:

482

files:

483

- version: ">= 23.3"

484

spec:

485

configuration:

486

###

487

### users.d is global while description depends on CH version which may vary on per-host basis

488

### In case of global-ness this may be better to implement via auto-templates

489

###

490

### As a solution, this may be applied on the whole cluster based on any of its hosts

491

###

492

### What to do when host is just created? CH version is not known prior to CH started and user config is required before CH started.

493

### We do not have any info about the cluster on initial creation

494

###

495

users:

496

"{clickhouseOperatorUser}/access_management": 1

497

"{clickhouseOperatorUser}/named_collection_control": 1

498

"{clickhouseOperatorUser}/show_named_collections": 1

499

"{clickhouseOperatorUser}/show_named_collections_secrets": 1

500

profiles:

501

quotas:

502

settings:

503

files:

504

- version: ">= 23.5"

505

spec:

506

configuration:

507

users:

508

profiles:

509

clickhouse_operator/format_display_secrets_in_show_and_select: 1

510

quotas:

511

settings:

512

513

## this may be added on per-host basis into host's conf.d folder

514

515

display_secrets_in_show_and_select: 1

516

files:

517

#################################################

518

519

## Metrics collection

520

521

################################################

522

metrics:

523

# Timeouts used to limit connection and queries from the metrics exporter to ClickHouse instances

524

# Specified in seconds.

525

timeouts:

526

# Timeout used to limit metrics collection request. In seconds.

527

# Upon reaching this timeout metrics collection is aborted and no more metrics are collected in this cycle.

528

# All collected metrics are returned.

529

collect: 9

530

# Regexp to match tables in system database to fetch metrics from.

531

# Multiple tables can be matched using regexp. Matched tables are merged using merge() table function.

532

# Default is "^(metrics|custom_metrics)$" which fetches from both system.metrics and system.custom_metrics.

533

tablesRegexp: "^(metrics|custom_metrics)$"

534

# List of regexps to match ClickHouse metrics to exclude from export.

535

# Regexps match internal metric names before Prometheus normalization and prefixing.

536

# Default is the per-CPU OS metrics filter shown below; set to [] to disable.

537

excludeRegexp:

538

- "^metric\\.(OS.*CPU[0-9]+|CPUFrequencyMHz_[0-9]+)$"

539

keeper:

540

configuration:

541

################################################

542

543

## Configuration files section

544

545

################################################

546

file:

547

# Each 'path' can be either absolute or relative.

548

# In case path is absolute - it is used as is

549

# In case path is relative - it is relative to the folder where configuration file you are reading right now is located.

550

path:

551

# Path to the folder where Keeper configuration files common for all instances within a CHK are located.

552

common: chk/keeper_config.d

553

# Path to the folder where Keeper configuration files unique for each instance (host) within a CHK are located.

554

host: chk/conf.d

555

# Path to the folder where Keeper configuration files with users' settings are located.

556

# Files are common for all instances within a CHI.

557

user: chk/users.d

558

################################################

559

560

## Security Section

561

562

## Operator-wide security toggles. All fields default to unset / permissive so

563

## upgrades from earlier versions preserve identical behavior. Set explicit

564

## values here to tighten the operator's outbound TLS posture; CHIs may further

565

## override per-cluster via spec.configuration.clusters[].security.

566

567

## Three orthogonal axes govern this section:

568

## 1. security.policy — TLS-hardening master switch (Permissive | Enforced)

569

## 2. security.fips.enforced — FIPS cryptographic-module gate (bool)

570

## 3. security.images.policy — Workload image-tag governance (Permissive | FIPSRequired)

571

## Each axis is independent: enabling one does not enable the others.

572

573

## See docs/chi-examples/70-chop-config.yaml for a fully-annotated example

574

## and docs/security_hardening.md for the design + per-knob semantics.

575

576

################################################

577

security:

578

clickhouse:

579

tls:

580

# Strict | None | "" (preserve legacy InsecureSkipVerify=true)

581

verify: ""

582

# "1.2" | "1.3" | "" (Go stdlib default)

583

minVersion: ""

584

# SNI / cert-name override; default = dial host

585

serverName: ""

586

# Inline PEM CA bundle (or base64-wrapped)

587

rootCA: ""

588

# Alternate source — Secret in operator namespace. Mutually exclusive

589

# with the inline rootCA above. Empty `name` = not used (no-op).

590

# When `key` is empty, the operator tries "ca.crt" then "tls.crt".

591

rootCASecretRef:

592

593

key: ""

594

zookeeper:

595

tls:

596

verify: ""

597

minVersion: ""

598

kubernetes:

599

tls:

600

# Strict refuses an insecure kubeconfig at startup

601

verify: ""

602

# Reserved — not yet enforced on K8s API transport

603

minVersion: ""

604

ipc:

605

# Plain (default) | Secure (loopback + X-CHOP-Token)

606

mode: Plain

607

# Defaults to 127.0.0.1 when mode=Secure

608

bindHost: ""

609

# Defaults to /etc/clickhouse-operator-ipc/token

610

tokenPath: ""

611

# Operator-wide TLS-hardening master switch. ONLY governs TLS posture across

612

# CH / ZK / K8s transports — NOT the FIPS cryptographic-module gate (see

613

# security.fips.enforced below for that, orthogonal axis).

614

615

# Permissive (default) preserves 0.27.0 behavior — no coercion, no rejection.

616

# Enforced coerces all TLS knobs above to their Strict positions at startup:

617

# - clickhouse.tls.verify=Strict, clickhouse.tls.minVersion=1.3

618

# - zookeeper.tls.verify=Strict, zookeeper.tls.minVersion=1.3

619

# - kubernetes.tls.verify=Strict, kubernetes.tls.minVersion=1.3

620

# - ipc.mode=Secure

621

# - clickhouse.access.scheme: http is coerced to https

622

# Enforced also rejects CHIs that cannot be served in a hardened posture

623

# (e.g. plaintext external ZooKeeper, ZK digest auth).

624

625

# Independent of the Go FIPS toolchain — works on non-FIPS builds for pure

626

# TLS hardening. Combine with security.fips.enforced=true for full FIPS

627

# cryptographic-module enforcement.

628

policy: Permissive

629

# FIPS cryptographic-module enforcement. Orthogonal to security.policy.

630

# Default operator and metrics-exporter images are FIPS-compatible —

631

# built with GOFIPS140=v1.0.0 and run with GODEBUG=fips140=on, so

632

# crypto/fips140.Enabled() returns true at runtime.

633

# When enforced=true, the operator Fatals at startup unless the binary

634

# reports crypto/fips140 Enabled — guards against accidentally running

635

# a non-FIPS rebuild in a hardened deployment.

636

fips:

637

enforced: false

638

images:

639

# Workload image-tag governance gate. Today's only non-default value is

640

# FIPSRequired (admission rejects CRs whose CH/Keeper images lack 'fips'

641

# in tag; post-Ready SELECT version() must contain 'fips' or CR aborts).

642

# Orthogonal to security.policy and security.fips.enforced.

643

# See docs/security_hardening_fips.md → "security.images.policy: FIPSRequired"

644

# for the full policy matrix + detection details + recovery procedure.

645

policy: Permissive

646

################################################

647

648

## Template(s) management section

649

650

################################################

651

template:

652

chi:

653

# CHI template updates handling policy

654

# Possible policy values:

655

# - ReadOnStart. Accept CHIT updates on the operator's start only.

656

# - ApplyOnNextReconcile. Accept CHIT updates at all time. Apply new CHITs on next regular reconcile of the CHI

657

policy: ApplyOnNextReconcile

658

# Path to the folder where ClickHouseInstallation templates .yaml manifests are located.

659

# Templates are added to the list of all templates and used when CHI is reconciled.

660

# Templates are applied in sorted alpha-numeric order.

661

path: chi/templates.d

662

chk:

663

# CHK template updates handling policy

664

# Possible policy values:

665

# - ReadOnStart. Accept CHIT updates on the operators start only.

666

# - ApplyOnNextReconcile. Accept CHIT updates at all time. Apply new CHITs on next regular reconcile of the CHI

667

policy: ApplyOnNextReconcile

668

# Path to the folder where ClickHouseInstallation templates .yaml manifests are located.

669

# Templates are added to the list of all templates and used when CHI is reconciled.

670

# Templates are applied in sorted alpha-numeric order.

671

path: chk/templates.d

672

################################################

673

674

## Reconcile section

675

676

################################################

677

reconcile:

678

# Reconcile runtime settings

679

runtime:

680

# Max number of concurrent CHI reconciles in progress

681

reconcileCHIsThreadsNumber: 10

682

# The operator reconciles shards concurrently in each CHI with the following limitations:

683

# 1. Number of shards being reconciled (and thus having hosts down) in each CHI concurrently

684

# can not be greater than 'reconcileShardsThreadsNumber'.

685

# 2. Percentage of shards being reconciled (and thus having hosts down) in each CHI concurrently

686

# can not be greater than 'reconcileShardsMaxConcurrencyPercent'.

687

# 3. The first shard is always reconciled alone. Concurrency starts from the second shard and onward.

688

# Thus limiting number of shards being reconciled (and thus having hosts down) in each CHI by both number and percentage

689

690

# Max number of concurrent shard reconciles within one cluster in progress

691

reconcileShardsThreadsNumber: 5

692

# Max percentage of concurrent shard reconciles within one cluster in progress

693

reconcileShardsMaxConcurrencyPercent: 50

694

# Reconcile StatefulSet scenario

695

statefulSet:

696

# Create StatefulSet scenario

697

create:

698

# What to do in case created StatefulSet is not in 'Ready' after `reconcile.statefulSet.update.timeout` seconds

699

# Possible options:

700

# 1. abort - abort the process, do nothing with the problematic StatefulSet, leave it as it is,

701

# do not try to fix or delete or update it, just abort reconcile cycle.

702

# Do not proceed to the next StatefulSet(s) and wait for an admin to assist.

703

# 2. delete - delete newly created problematic StatefulSet and follow 'abort' path afterwards.

704

# 3. ignore - ignore an error, pretend nothing happened, continue reconcile and move on to the next StatefulSet.

705

onFailure: ignore

706

# Update StatefulSet scenario

707

update:

708

# How many seconds to wait for created/updated StatefulSet to be 'Ready'

709

timeout: 300

710

# How many seconds to wait between checks/polls for created/updated StatefulSet status

711

pollInterval: 5

712

# What to do in case updated StatefulSet is not in 'Ready' after `reconcile.statefulSet.update.timeout` seconds

713

# Possible options:

714

# 1. abort - abort the process, do nothing with the problematic StatefulSet, leave it as it is,

715

# do not try to fix or delete or update it, just abort reconcile cycle.

716

# Do not proceed to the next StatefulSet(s) and wait for an admin to assist.

717

# 2. rollback - delete Pod and rollback StatefulSet to previous Generation.

718

# Pod would be recreated by StatefulSet based on rollback-ed StatefulSet configuration.

719

# Follow 'abort' path afterwards.

720

# 3. ignore - ignore an error, pretend nothing happened, continue reconcile and move on to the next StatefulSet.

721

onFailure: abort

722

# Recreate StatefulSet scenario

723

recreate:

724

# What to do in case operator is in need to recreate StatefulSet?

725

# Possible options:

726

# 1. abort - abort the process, do nothing with the problematic StatefulSet, leave it as it is,

727

# do not try to fix or delete or update it, just abort reconcile cycle.

728

# Do not proceed to the next StatefulSet(s) and wait for an admin to assist.

729

# 2. recreate - proceed and recreate StatefulSet.

730

731

# Triggered when PVC data loss or missing volumes are detected

732

onDataLoss: recreate

733

# Triggered when StatefulSet update fails or StatefulSet is not ready

734

onUpdateFailure: recreate

735

# Reconcile Host scenario

736

host:

737

# The operator during reconcile procedure should wait for a ClickHouse host to achieve the following conditions:

738

wait:

739

# Whether the operator during reconcile procedure should wait for a ClickHouse host:

740

# - to be excluded from a ClickHouse cluster

741

# - to complete all running queries

742

# - to be included into a ClickHouse cluster

743

# respectfully before moving forward with host reconcile

744

745

queries: true

746

include: false

747

# The operator during reconcile procedure should wait for replicas to catch-up

748

# replication delay a.k.a replication lag for the following replicas

749

replicas:

750

# All replicas (new and known earlier) are explicitly requested to wait for replication to catch-up

751

all: no

752

# New replicas only are requested to wait for replication to catch-up

753

new: yes

754

# Replication catch-up is considered to be completed as soon as replication delay

755

# a.k.a replication lag - calculated as "MAX(absolute_delay) FROM system.replicas"

756

# is within this specified delay (in seconds)

757

delay: 10

758

probes:

759

# Whether the operator during host launch procedure should wait for startup probe to succeed.

760

# In case probe is unspecified wait is assumed to be completed successfully.

761

# Default option value is to do not wait.

762

startup: no

763

# Whether the operator during host launch procedure should wait for readiness probe to succeed.

764

# In case probe is unspecified wait is assumed to be completed successfully.

765

# Default option value is to wait.

766

readiness: yes

767

# The operator during reconcile procedure should drop the following entities:

768

drop:

769

replicas:

770

# Whether the operator during reconcile procedure should drop replicas when replica is deleted

771

onDelete: yes

772

# Whether the operator during reconcile procedure should drop replicas when replica volume is lost

773

onLostVolume: yes

774

# Whether the operator during reconcile procedure should drop active replicas when replica is deleted or recreated

775

active: no

776

################################################

777

778

## Coordination with external systems during reconcile

779

780

################################################

781

coordination:

782

keeper:

783

# How long the operator waits for a referenced ClickHouseKeeper to become ready

784

# before aborting CHI reconcile. In seconds.

785

readyTimeout: 120

786

# Reaction when a referenced CHK resource changes:

787

# none — do nothing (default, backward-compatible)

788

# reconcile — trigger CHI reconcile

789

# onKeeperResourceUpdate: none

790

################################################

791

792

## Auto-recovery from aborted reconcile

793

794

################################################

795

recovery:

796

# Recovery scopes keyed by CHI state being recovered from.

797

# Each scope contains on<Event>: <action> mappings that apply while the CHI

798

# is in that state. Multi-scope design anticipates future states beyond Aborted

799

# (e.g. Failed, Broken).

800

from:

801

# Recovery from Status=Aborted

802

aborted:

803

# Action when a pod belonging to an Aborted CHI transitions to Ready:

804

# retry (default) — re-enqueue the CHI for reconcile

805

# none — do nothing, CHI stays Aborted

806

onPodReady: retry

807

# Future events (not yet implemented):

808

# onKeeperReady: retry — retry when a referenced CHK becomes ready

809

# onOperatorRestart: retry — sweep Aborted CHIs on operator startup

810

# Future scopes (not yet implemented):

811

# failed:

812

# onPodReady: retry

813

# broken:

814

# onPodReady: retry

815

# Future global policy knobs (not yet implemented) — flat peers of `from`,

816

# apply across all recovery scopes:

817

818

# Global kill-switch for auto-recovery:

819

# enabled: true

820

821

# Cap on consecutive auto-recovery attempts before giving up:

822

# retries: 5

823

824

# Minimum time between auto-recovery attempts for the same CHI:

825

# cooldown: 30s

826

827

# Exponential backoff for auto-recovery attempts:

828

# backoff:

829

# duration: 5s

830

# factor: 2

831

# maxDuration: 2m

832

################################################

833

834

## Annotations management section

835

836

################################################

837

annotation:

838

# Applied when:

839

# 1. Propagating annotations from the CHI's `metadata.annotations` to child objects' `metadata.annotations`,

840

# 2. Propagating annotations from the CHI Template's `metadata.annotations` to CHI's `metadata.annotations`,

841

# Include annotations from the following list:

842

# Applied only when not empty. Empty list means "include all, no selection"

843

include: []

844

# Exclude annotations from the following list:

845

846

################################################

847

848

## Labels management section

849

850

################################################

851

label:

852

# Applied when:

853

# 1. Propagating labels from the CHI's `metadata.labels` to child objects' `metadata.labels`,

854

# 2. Propagating labels from the CHI Template's `metadata.labels` to CHI's `metadata.labels`,

855

# Include labels from the following list:

856

# Applied only when not empty. Empty list means "include all, no selection"

857

include: []

858

# Exclude labels from the following list:

859

# Applied only when not empty. Empty list means "nothing to exclude, no selection"

860

861

# Whether to append *Scope* labels to StatefulSet and Pod.

862

# Full list of available *scope* labels check in 'labeler.go'

863

# LabelShardScopeIndex

864

# LabelReplicaScopeIndex

865

# LabelCHIScopeIndex

866

# LabelCHIScopeCycleSize

867

# LabelCHIScopeCycleIndex

868

# LabelCHIScopeCycleOffset

869

# LabelClusterScopeIndex

870

# LabelClusterScopeCycleSize

871

# LabelClusterScopeCycleIndex

872

# LabelClusterScopeCycleOffset

873

appendScope: "no"

874

################################################

875

876

## Metrics management section

877

878

################################################

879

metrics:

880

labels:

881

882

################################################

883

884

## Status management section

885

886

################################################

887

status:

888

fields:

889

action: false

890

actions: false

891

error: true

892

errors: true

893

################################################

894

895

## StatefulSet management section

896

897

################################################

898

statefulSet:

899

revisionHistoryLimit: 0

900

################################################

901

902

## Pod management section

903

904

################################################

905

pod:

906

# Grace period for Pod termination.

907

# How many seconds to wait between sending

908

# SIGTERM and SIGKILL during Pod termination process.

909

# Increase this number is case of slow shutdown.

910

terminationGracePeriod: 30

911

################################################

912

913

## Log parameters section

914

915

################################################

916

logger:

917

logtostderr: "true"

918

alsologtostderr: "false"

919

v: "1"

920

stderrthreshold: ""

921

vmodule: ""

922

log_backtrace_at: ""

923

templatesdFiles:

924

001-templates.json.example: |

925

{

926

"apiVersion": "clickhouse.altinity.com/v1",

927

"kind": "ClickHouseInstallationTemplate",

928

"metadata": {

929

"name": "01-default-volumeclaimtemplate"

930

931

"spec": {

932

"templates": {

933

"volumeClaimTemplates": [

934

{

935

"name": "chi-default-volume-claim-template",

936

"spec": {

937

"accessModes": [

938

"ReadWriteOnce"

939

940

"resources": {

941

"requests": {

942

"storage": "2Gi"

943

}

944

}

945

}

946

}

947

948

"podTemplates": [

949

{

950

"name": "chi-default-oneperhost-pod-template",

951

"distribution": "OnePerHost",

952

"spec": {

953

"containers" : [

954

{

955

"name": "clickhouse",

956

"image": "clickhouse/clickhouse-server:23.8",

957

"ports": [

958

{

959

"name": "http",

960

"containerPort": 8123

961

962

{

963

"name": "client",

964

"containerPort": 9000

965

966

{

967

"name": "interserver",

968

"containerPort": 9009

969

}

970

]

971

}

972

]

973

}

974

}

975

]

976

}

977

}

978

}

979

default-pod-template.yaml.example: |

980

apiVersion: "clickhouse.altinity.com/v1"

981

kind: "ClickHouseInstallationTemplate"

982

metadata:

983

984

spec:

985

templates:

986

podTemplates:

987

- name: default-oneperhost-pod-template

988

distribution: "OnePerHost"

989

default-storage-template.yaml.example: |

990

apiVersion: "clickhouse.altinity.com/v1"

991

kind: "ClickHouseInstallationTemplate"

992

metadata:

993

994

spec:

995

templates:

996

volumeClaimTemplates:

997

- name: default-storage-template-2Gi

998

spec:

999

accessModes:

1000

- ReadWriteOnce

1001

resources:

1002

requests:

1003

storage: 2Gi

1004

readme: |-

1005

Templates in this folder are packaged with an operator and available via 'useTemplate'

1006

usersdFiles:

1007

01-clickhouse-operator-profile.xml: |

1008

1009

1010

1011

1012

1013

1014

<!--

1015

1016

# Template parameters available:

1017

1018

-->

1019

1020

1021

1022

<clickhouse_operator>

1023

<log_queries>0</log_queries>

1024

<skip_unavailable_shards>1</skip_unavailable_shards>

1025

<http_connection_timeout>10</http_connection_timeout>

1026

<max_concurrent_queries_for_all_users>0</max_concurrent_queries_for_all_users>

1027

<os_thread_priority>0</os_thread_priority>

1028

</clickhouse_operator>

1029

</profiles>

1030

</yandex>

1031

02-clickhouse-default-profile.xml: |-

1032

1033

1034

1035

1036

1037

1038

1039

1040

1041

<os_thread_priority>2</os_thread_priority>

1042

<log_queries>1</log_queries>

1043

<connect_timeout_with_failover_ms>1000</connect_timeout_with_failover_ms>

1044

<distributed_aggregation_memory_efficient>1</distributed_aggregation_memory_efficient>

1045

<parallel_view_processing>1</parallel_view_processing>

1046

<do_not_merge_across_partitions_select_final>1</do_not_merge_across_partitions_select_final>

1047

<load_balancing>nearest_hostname</load_balancing>

1048

<prefer_localhost_replica>0</prefer_localhost_replica>

1049

1050

</default>

1051

</profiles>

1052

</yandex>

1053

keeperConfdFiles: null

1054

keeperConfigdFiles:

1055

01-keeper-01-default-config.xml: |

1056

1057

1058

1059

1060

1061

1062

1063

<asynchronous_metrics_keeper_metrics_only>1</asynchronous_metrics_keeper_metrics_only>

1064

<keeper_server>

1065

<coordination_settings>

1066

<async_replication>1</async_replication>

1067

<min_session_timeout_ms>10000</min_session_timeout_ms>

1068

<operation_timeout_ms>10000</operation_timeout_ms>

1069

<raft_logs_level>information</raft_logs_level>

1070

<session_timeout_ms>100000</session_timeout_ms>

1071

<use_xid_64>1</use_xid_64>

1072

</coordination_settings>

1073

<hostname_checks_enabled>true</hostname_checks_enabled>

1074

<log_storage_path>/var/lib/clickhouse-keeper/coordination/logs</log_storage_path>

1075

<snapshot_storage_path>/var/lib/clickhouse-keeper/coordination/snapshots</snapshot_storage_path>

1076

<storage_path>/var/lib/clickhouse-keeper</storage_path>

1077

<tcp_port>2181</tcp_port>

1078

<!--

1079

Four-letter-word command allowlist.

1080

1081

Set explicitly to the upstream-default list so the operator-rendered

1082

liveness probe (which sends `ruok` over TCP and expects `imok`) keeps

1083

working even if a user adds their own keeper_server settings.

1084

1085

Without this, a user override that restricts the allowlist

1086

(e.g. `four_letter_word_white_list: "mntr,stat"` for security)

1087

would silently disable `ruok` → liveness probe always fails → CrashLoopBackOff.

1088

1089

The list mirrors ClickHouse Keeper's compiled-in default; users who want a

1090

stricter list can override this value, but they must keep `ruok` if they

1091

also use the default operator probes.

1092

-->

1093

<four_letter_word_white_list>conf,cons,crst,envi,ruok,srst,srvr,stat,wchs,dirs,mntr,isro</four_letter_word_white_list>

1094

</keeper_server>

1095

<listen_host>::</listen_host>

1096

<listen_host>0.0.0.0</listen_host>

1097

<listen_try>1</listen_try>

1098

1099

1100

<level>information</level>

1101

</logger>

1102

<max_connections>4096</max_connections>

1103

</clickhouse>

1104

01-keeper-02-readiness.xml: |

1105

1106

1107

1108

1109

1110

1111

1112

<keeper_server>

1113

<http_control>

1114

1115

1116

<endpoint>/ready</endpoint>

1117

</readiness>

1118

</http_control>

1119

</keeper_server>

1120

</clickhouse>

1121

01-keeper-03-enable-reconfig.xml: |-

1122

1123

1124

1125

1126

1127

1128

1129

<keeper_server>

1130

<enable_reconfiguration>false</enable_reconfiguration>

1131

</keeper_server>

1132

</clickhouse>

1133

keeperTemplatesdFiles:

1134

readme: |-

1135

Templates in this folder are packaged with an operator and available via 'useTemplate'

1136

keeperUsersdFiles: null

1137

# additionalResources -- list of additional resources to create (processed via `tpl` function),

1138

# useful for create ClickHouse clusters together with clickhouse-operator.

1139

# check `kubectl explain chi` for details

1140

additionalResources: []

1141

# - |

1142

# apiVersion: v1

1143

# kind: ConfigMap

1144

# metadata:

1145

# name: {{ include "altinity-clickhouse-operator.fullname" . }}-cm

1146

# namespace: {{ include "altinity-clickhouse-operator.namespace" . }}

1147

# - |

1148

# apiVersion: v1

1149

# kind: Secret

1150

# metadata:

1151

# name: {{ include "altinity-clickhouse-operator.fullname" . }}-s

1152

# namespace: {{ include "altinity-clickhouse-operator.namespace" . }}

1153

# stringData:

1154

# mykey: my-value

1155

# - |

1156

# apiVersion: clickhouse.altinity.com/v1

1157

# kind: ClickHouseInstallation

1158

# metadata:

1159

# name: {{ include "altinity-clickhouse-operator.fullname" . }}-chi

1160

# namespace: {{ include "altinity-clickhouse-operator.namespace" . }}

1161

# spec:

1162

# configuration:

1163

# clusters:

1164

# - name: default

1165

# layout:

1166

# shardsCount: 1

1167

1168

dashboards:

1169

# dashboards.enabled -- provision grafana dashboards as configMaps (can be synced by grafana dashboards sidecar https://github.com/grafana/helm-charts/blob/grafana-8.3.4/charts/grafana/values.yaml#L778 )

1170

enabled: false

1171

# dashboards.additionalLabels -- labels to add to a secret with dashboards

1172

additionalLabels:

1173

# dashboards.additionalLabels.grafana_dashboard - will watch when official grafana helm chart sidecar.dashboards.enabled=true

1174

grafana_dashboard: ""

1175

# dashboards.annotations -- annotations to add to a secret with dashboards

1176

annotations:

1177

# dashboards.annotations.grafana_folder -- folder where will place dashboards, requires define values in official grafana helm chart sidecar.dashboards.folderAnnotation: grafana_folder

1178

grafana_folder: clickhouse-operator

1179

The trusted source for open source

Talk to an expert

Privacy

Terms

© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.

clickhouse-operator

The trusted source for open source

Product

Solutions

Customers

Resources

Company