What is clickvault?
clickvault is a HashiCorp Vault database secrets engine plugin for ClickHouse. It lets Vault manage ClickHouse database credentials by creating ephemeral users on demand and rotating static user passwords.
Features
- Dynamic roles: create short-lived ClickHouse users with scoped permissions. Each user gets a unique username and a randomized password, valid only for the Vault lease duration.
- Static roles: rotate passwords of existing ClickHouse users on a configurable schedule. Vault becomes the single source of truth for credentials.
- Cluster support: specify an ON_CLUSTER clause for all DDL statements so that users and grants are propagated across a ClickHouse cluster.
- Username template: customize generated usernames with Go templates using Vault helpers like .DisplayName and .RoleName.
- Password policy: enforce password strength rules via Vault's password policy system.
- Plugin mode: runs as a Vault plugin served over gRPC using the database plugin v5 interface (dbplugin/v5).
- Integration tested against ClickHouse 24.8 via docker-compose.
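
The dynamic-role, static-role and cluster features above correspond to ClickHouse access-control DDL of the following shape. This is an added illustration, not clickvault's own statements or configuration; the cluster name, database, user names and password placeholders are all constructed.

```sql
-- Constructed names: cluster 'analytics', database 'reports', the user names
-- and the password placeholders are illustrative, not clickvault output.

-- Dynamic role, lease start: an ephemeral user that holds only the
-- privileges the role needs. ON CLUSTER runs the DDL on every node.
CREATE USER IF NOT EXISTS `v-token-readonly-8f3a` ON CLUSTER analytics
    IDENTIFIED WITH sha256_password BY '<random-password-from-vault>';
GRANT ON CLUSTER analytics SELECT ON reports.* TO `v-token-readonly-8f3a`;

-- Dynamic role, lease expiry or revocation: the user is dropped on every
-- node, so the credential stops working cluster-wide.
DROP USER IF EXISTS `v-token-readonly-8f3a` ON CLUSTER analytics;

-- Static role, each rotation: the existing user keeps its name and grants;
-- only the password changes, and only Vault knows the new value.
ALTER USER app_reader ON CLUSTER analytics
    IDENTIFIED WITH sha256_password BY '<new-random-password-from-vault>';

-- Operator check: ephemeral users that still exist, and what a static
-- user is allowed to do.
SELECT name, storage FROM system.users WHERE name LIKE 'v-%';
SHOW GRANTS FOR app_reader;
```

Comparing the `system.users` listing against Vault's active leases is a quick way to spot ephemeral users that outlived their lease, for example after a failed revocation on one node.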