Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Wrong env variable defined in config when using password secret #1344

Closed
adrianNEMO opened this issue Feb 13, 2024 · 4 comments
Closed

Wrong env variable defined in config when using password secret #1344

adrianNEMO opened this issue Feb 13, 2024 · 4 comments
Assignees
@sunsingerus

Comments

@adrianNEMO
Copy link

When I am loading a user password from a k8s secret the generated users chop-generated-users.xml references the wrong environment variable.

My config:

apiVersion: clickhouse.altinity.com/v1
kind: ClickHouseInstallation
metadata:
  name: instance
  namespace: clickhouse
spec:
  configuration:
    clusters:
    - layout:
        replicasCount: 1
        shardsCount: 1
      name: instance
      templates:
        podTemplate: clickhouse-stable
        serviceTemplate: chi-service-template
        volumeClaimTemplate: storage-vc-template
    files:
      users.d/ro_role.xml: |
        <clickhouse>
          <roles>
            <ro_role>
              <grants>
                <query>REVOKE ALL ON *.*</query>
                <query>GRANT SELECT,SHOW,dictGet ON *.*</query>
              </grants>
            </ro_role>
          </roles>
         </clickhouse>
    users:
      clickhouse_operator/networks/ip:
      - 0.0.0.0/0
      grafana/grants/query:
      - GRANT ro_role
      grafana/networks/ip:
      - 0.0.0.0/0
      grafana/password:
        valueFrom:
          secretKeyRef:
            key: grafana
            name: passwords
      foo/allow_databases/database:
      - foo
      foo/networks/ip:
      - 0.0.0.0/0
      foo/password:
        valueFrom:
          secretKeyRef:
            key: foo
            name: passwords
  defaults:
    templates:
      serviceTemplate: chi-service-template
  templates:
    podTemplates:
    - metadata:
        labels:
          app.kubernetes.io/name: clickhouse-instance
      name: clickhouse-stable
      spec:
        containers:
        - image: altinity/clickhouse-server:23.8.8.21.altinitystable
          name: clickhouse
        serviceAccountName: instance
    serviceTemplates:
    - generateName: '{chi}'
      name: chi-service-template
      spec:
        ports:
        - name: http
          port: 8123
          protocol: TCP
          targetPort: http
        - name: tcp
          port: 9000
          protocol: TCP
          targetPort: tcp
        type: ClusterIP
    volumeClaimTemplates:
    - name: storage-vc-template
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 10Gi
        storageClassName: standard

which generates chop-generated-users.xml

<yandex>
    <users>
        <clickhouse_operator>
            <networks>
                <ip>10.35.19.198</ip>
                <ip>0.0.0.0/0</ip>
            </networks>
            <password_sha256_hex>716b36073a90c6fe1d445ac1af85f4777c5b7a155cea359961826a030513e448</password_sha256_hex>
            <profile>clickhouse_operator</profile>
        </clickhouse_operator>
        <default>
            <networks>
                <host_regexp>(chi-instance-[^.]+\d+-\d+|clickhouse\-instance)\.clickhouse\.svc\.cluster\.local$</host_regexp>
                <ip>::1</ip>
                <ip>127.0.0.1</ip>
                <ip>10.35.19.225</ip>
            </networks>
            <profile>default</profile>
            <quota>default</quota>
        </default>
        <grafana>
            <grants>
                <query>GRANT ro_role</query>
            </grants>
            <networks>
                <host_regexp>(chi-instance-[^.]+\d+-\d+|clickhouse\-instance)\.clickhouse\.svc\.cluster\.local$</host_regexp>
                <ip>::1</ip>
                <ip>127.0.0.1</ip>
                <ip>0.0.0.0/0</ip>
            </networks>
            <password from_env="CONFIGURATION_USERS_VAR_5_GRAFANA_PASSWORD"></password>
            <profile>default</profile>
            <quota>default</quota>
        </grafana>
        <foo>
            <allow_databases>
                <database>foo</database>
            </allow_databases>
            <networks>
                <host_regexp>(chi-instance-[^.]+\d+-\d+|clickhouse\-instance)\.clickhouse\.svc\.cluster\.local$</host_regexp>
                <ip>::1</ip>
                <ip>127.0.0.1</ip>
                <ip>0.0.0.0/0</ip>
            </networks>
            <password from_env="CONFIGURATION_USERS_VAR_12_FOO_PASSWORD"></password>
            <profile>default</profile>
            <quota>default</quota>
        </foo>
    </users>
</yandex>

but the defined env variables in the pods are:
CONFIGURATION_USERS_VAR_8_GRAFANA_PASSWORD=...
CONFIGURATION_USERS_VAR_7_FOO_PASSWORD=...

So when I connect to the instance I get a wrong password error

Best Adrian
@Slach
Copy link
Collaborator

Slach commented Feb 13, 2024

which clickouse-operator version do you use?
is your ClickHouseInstallation in Completed status now?

@adrianNEMO
Copy link
Author

I am using the release-0.23.1 and the status is Completed

alex-zaitsev added a commit that referenced this issue Feb 14, 2024
@alex-zaitsev
Test for #1344
8229143
@alex-zaitsev
Copy link
Member

Reproduced in tests and fixed in 0.23.2

@alex-zaitsev
Copy link
Member

https://github.com/Altinity/clickhouse-operator/releases/tag/release-0.23.2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sunsingerus sunsingerus

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@Slach @sunsingerus @alex-zaitsev @adrianNEMO