v0.1.0

@emiliano-go released this 02 Jul 17:32
f171b10

What is clickvault?

clickvault is a HashiCorp Vault database secrets engine plugin for ClickHouse. It lets Vault manage ClickHouse database credentials by creating ephemeral users on demand and rotating static user passwords.

Features

  • Dynamic roles: create short-lived ClickHouse users with scoped permissions. Each user gets a unique username and a randomized password, valid only for the Vault lease duration.
  • Static roles: rotate passwords of existing ClickHouse users on a configurable schedule. Vault becomes the single source of truth for credentials.
  • Cluster support: specify an ON_CLUSTER clause for all DDL statements so that users and grants are propagated across a ClickHouse cluster.
  • Username template: customize generated usernames with Go templates using Vault helpers like .DisplayName and .RoleName.
  • Password policy: enforce password strength rules via Vault's password policy system.
  • Plugin mode: runs as a Vault plugin served over gRPC using the database plugin v5 interface (dbplugin/v5).
  • Integration tested against ClickHouse 24.8 via docker-compose.