chore(clickhouse): support keeper (#66)

Author: EamonZhang

addons/clickhouse/24/chart/clickhouse/README.md

@@ -475,4 +475,7 @@ Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
-limitations under the License.
+limitations under the License.
+
+
+https://github.com/ClickHouse/ClickHouse/pull/62366/

addons/clickhouse/24/chart/clickhouse/templates/_helpers.tpl

@@ -1,3 +1,8 @@
+{{/*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 {{/*
 Return the proper ClickHouse image name
 */}}
@@ -94,6 +99,18 @@ Get the ClickHouse configuration configmap.
 {{- end -}}
 {{- end -}}
 
+
+{{/*
+Get the ClickHouse configuration users configmap.
+*/}}
+{{- define "clickhouse.usersExtraConfigmapName" -}}
+{{- if .Values.usersExtraOverridesConfigmap -}}
+    {{- .Values.usersExtraOverridesConfigmap -}}
+{{- else }}
+    {{- printf "%s-users-extra" (include "common.names.fullname" . ) -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Get the Clickhouse password secret name
 */}}
@@ -185,17 +202,18 @@ Compile all warnings into a single message.
 {{- end -}}
 {{- end -}}
 
-{{/* Validate values of ClickHouse - Zookeeper */}}
+{{/* Validate values of ClickHouse - [Zoo]keeper */}}
 {{- define "clickhouse.validateValues.zookeeper" -}}
-{{- if and .Values.zookeeper.enabled .Values.externalZookeeper.servers -}}
-clickhouse: Multiple Zookeeper
-    You can only use one zookeeper
-    Please choose installing a Zookeeper chart (--set zookeeper.enabled=true) or
+{{- if or (and .Values.keeper.enabled .Values.zookeeper.enabled) (and .Values.keeper.enabled .Values.externalZookeeper.servers) (and .Values.zookeeper.enabled .Values.externalZookeeper.servers) -}}
+clickhouse: Multiple [Zoo]keeper
+    You can only use one [zoo]keeper
+    Please choose use ClickHouse keeper or
+    installing a Zookeeper chart (--set zookeeper.enabled=true) or
     using an external instance (--set zookeeper.servers )
 {{- end -}}
-{{- if and (not .Values.zookeeper.enabled) (not .Values.externalZookeeper.servers) (ne (int .Values.shards) 1) (ne (int .Values.replicaCount) 1) -}}
-clickhouse: No Zookeeper
-    If you are deploying more than one ClickHouse instance, you need to enable Zookeeper. Please choose installing a Zookeeper chart (--set zookeeper.enabled=true) or
+{{- if and (not .Values.keeper.enabled) (not .Values.zookeeper.enabled) (not .Values.externalZookeeper.servers) (ne (int .Values.shards) 1) (ne (int .Values.replicaCount) 1) -}}
+clickhouse: No [Zoo]keeper
+    If you are deploying more than one ClickHouse instance, you need to enable [Zoo]keeper. Please choose installing a [Zoo]keeper (--set keeper.enabled=true) or (--set zookeeper.enabled=true) or
     using an external instance (--set zookeeper.servers )
 {{- end -}}
 {{- end -}}

addons/clickhouse/24/chart/clickhouse/templates/configmap-extra.yaml

@@ -1,14 +1,16 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 {{- if and .Values.extraOverrides (not .Values.extraOverridesConfigmap) }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: {{ printf "%s-extra" (include "common.names.fullname" .) }}
   namespace: {{ include "common.names.namespace" . | quote }}
-  labels: {{- include "common.labels.standard" . | nindent 4 }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
     app.kubernetes.io/component: clickhouse
-    {{- if .Values.commonLabels }}
-    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
-    {{- end }}
   {{- if .Values.commonAnnotations }}
   annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
   {{- end }}

addons/clickhouse/24/chart/clickhouse/templates/configmap-users-extra.yaml

@@ -0,0 +1,20 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.usersExtraOverrides (not .Values.usersExtraOverridesConfigmap) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ printf "%s-users-extra" (include "common.names.fullname" .) }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/component: clickhouse
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+data:
+  01_users_extra_overrides.xml: |
+    {{- include "common.tplvalues.render" (dict "value" .Values.usersExtraOverrides "context" $) | nindent 4 }}
+{{- end }}

addons/clickhouse/24/chart/clickhouse/templates/configmap.yaml

@@ -1,14 +1,16 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 {{- if not .Values.existingOverridesConfigmap }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: {{ template "common.names.fullname" . }}
   namespace: {{ include "common.names.namespace" . | quote }}
-  labels: {{- include "common.labels.standard" . | nindent 4 }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
     app.kubernetes.io/component: clickhouse
-    {{- if .Values.commonLabels }}
-    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
-    {{- end }}
   {{- if .Values.commonAnnotations }}
   annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
   {{- end }}

addons/clickhouse/24/chart/clickhouse/templates/extra-list.yaml

@@ -1,3 +1,8 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 {{- range .Values.extraDeploy }}
 ---
 {{ include "common.tplvalues.render" (dict "value" . "context" $) }}

addons/clickhouse/24/chart/clickhouse/templates/ingress-tls-secrets.yaml

@@ -1,3 +1,8 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 {{- if .Values.ingress.enabled }}
 {{- if .Values.ingress.secrets }}
 {{- range .Values.ingress.secrets }}
@@ -6,12 +11,9 @@ kind: Secret
 metadata:
   name: {{ .name }}
   namespace: {{ $.Release.Namespace | quote }}
-  labels: {{- include "common.labels.standard" $ | nindent 4 }}
-    {{- if $.Values.commonLabels }}
-    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
-    {{- end }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" $.Values.commonLabels "context" $ ) | nindent 4 }}
   {{- if $.Values.commonAnnotations }}
-  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }}
   {{- end }}
 type: kubernetes.io/tls
 data:
@@ -21,24 +23,22 @@ data:
 {{- end }}
 {{- end }}
 {{- if and .Values.ingress.tls .Values.ingress.selfSigned }}
+{{- $secretName := printf "%s-tls" .Values.ingress.hostname }}
 {{- $ca := genCA "clickhouse-ca" 365 }}
 {{- $cert := genSignedCert .Values.ingress.hostname nil (list .Values.ingress.hostname) 365 $ca }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ printf "%s-tls" .Values.ingress.hostname }}
+  name: {{ $secretName }}
   namespace: {{ .Release.Namespace | quote }}
-  labels: {{- include "common.labels.standard" . | nindent 4 }}
-    {{- if .Values.commonLabels }}
-    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
-    {{- end }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
   {{- if .Values.commonAnnotations }}
   annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
   {{- end }}
 type: kubernetes.io/tls
 data:
-  tls.crt: {{ $cert.Cert | b64enc | quote }}
-  tls.key: {{ $cert.Key | b64enc | quote }}
-  ca.crt: {{ $ca.Cert | b64enc | quote }}
+  tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }}
+  tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }}
+  ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }}
 {{- end }}
 {{- end }}

addons/clickhouse/24/chart/clickhouse/templates/ingress.yaml

@@ -1,20 +1,19 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 {{- if .Values.ingress.enabled }}
 apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
 kind: Ingress
 metadata:
   name: {{ include "common.names.fullname" . }}
   namespace: {{ .Release.Namespace | quote }}
-  labels: {{- include "common.labels.standard" . | nindent 4 }}
-    {{- if .Values.commonLabels }}
-    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
-    {{- end }}
-  annotations:
-    {{- if .Values.ingress.annotations }}
-    {{- include "common.tplvalues.render" (dict "value" .Values.ingress.annotations "context" $) | nindent 4 }}
-    {{- end }}
-    {{- if .Values.commonAnnotations }}
-    {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
-    {{- end }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+  {{- if or .Values.ingress.annotations .Values.commonAnnotations }}
+  {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.annotations .Values.commonAnnotations ) "context" . ) }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+  {{- end }}
 spec:
   {{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }}
   ingressClassName: {{ .Values.ingress.ingressClassName | quote }}

addons/clickhouse/24/chart/clickhouse/templates/init-scripts-secret.yaml

@@ -1,14 +1,16 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 {{- if and .Values.initdbScripts (not .Values.initdbScriptsSecret) }}
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ printf "%s-init-scripts" (include "common.names.fullname" .) }}
   namespace: {{ include "common.names.namespace" . | quote }}
-  labels: {{- include "common.labels.standard" . | nindent 4 }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
     app.kubernetes.io/component: clickhouse
-    {{- if .Values.commonLabels }}
-    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
-    {{- end }}
   {{- if .Values.commonAnnotations }}
   annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
   {{- end }}

addons/clickhouse/24/chart/clickhouse/templates/networkpolicy.yaml

@@ -0,0 +1,135 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+metadata:
+  name: {{ include "common.names.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/component: clickhouse
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
+  podSelector:
+    matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+      app.kubernetes.io/component: clickhouse
+  policyTypes:
+    - Ingress
+    - Egress
+  {{- if .Values.networkPolicy.allowExternalEgress }}
+  egress:
+    - {}
+  {{- else }}
+  egress:
+    # Allow dns resolution
+    - ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
+    # Allow outbound connections to other cluster pods
+    - ports:
+        - port: {{ .Values.service.ports.http }}
+        {{- if .Values.tls.enabled }}
+        - port: {{ .Values.service.ports.https }}
+        {{- end }}
+        - port: {{ .Values.service.ports.tcp }}
+        {{- if .Values.tls.enabled }}
+        - port: {{ .Values.service.ports.tcpSecure }}
+        {{- end }}
+        {{- if .Values.keeper.enabled }}
+        - port: {{ .Values.service.ports.keeper }}
+        - port: {{ .Values.service.ports.keeperInter }}
+        {{- if .Values.tls.enabled }}
+        - port: {{ .Values.service.ports.keeperSecure }}
+        {{- end }}
+        {{- end }}
+        - port: {{ .Values.service.ports.mysql }}
+        - port: {{ .Values.service.ports.postgresql }}
+        - port: {{ .Values.service.ports.interserver }}
+        {{- if .Values.metrics.enabled }}
+        - port: {{ .Values.service.ports.metrics }}
+        {{- end }}
+      {{- if $.Values.externalAccess.enabled }}
+        - port: {{ $.Values.externalAccess.service.ports.http }}
+        {{- if $.Values.tls.enabled }}
+        - port: {{ $.Values.externalAccess.service.ports.https }}
+        {{- end }}
+        {{- if $.Values.metrics.enabled }}
+        - port: {{ $.Values.externalAccess.service.ports.metrics }}
+        {{- end }}
+        - port: {{ $.Values.externalAccess.service.ports.tcp }}
+        {{- if $.Values.tls.enabled }}
+        - port: {{ $.Values.externalAccess.service.ports.tcpSecure }}
+        {{- end }}
+        {{- if $.Values.keeper.enabled }}
+        - port: {{ $.Values.externalAccess.service.ports.keeper }}
+        - port: {{ $.Values.externalAccess.service.ports.keeperInter }}
+        {{- if $.Values.tls.enabled }}
+        - port: {{ $.Values.externalAccess.service.ports.keeperSecure }}
+        {{- end }}
+        {{- end }}
+        - port: {{ $.Values.externalAccess.service.ports.mysql }}
+        - port: {{ $.Values.externalAccess.service.ports.postgresql }}
+        - port: {{ $.Values.externalAccess.service.ports.interserver }}
+      {{- end }}
+      to:
+        - podSelector:
+            matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+    {{- if .Values.networkPolicy.extraEgress }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- end }}
+  {{- if eq $.Values.service.type "ClusterIP" }}
+  ingress:
+    - ports:
+        - port: {{ $.Values.containerPorts.http }}
+        - port: {{ $.Values.containerPorts.tcp }}
+        - port: {{ $.Values.containerPorts.mysql }}
+        - port: {{ $.Values.containerPorts.postgresql }}
+        - port: {{ $.Values.containerPorts.interserver }}
+        {{- if $.Values.tls.enabled }}
+        - port: {{ $.Values.containerPorts.tcpSecure }}
+        - port: {{ $.Values.containerPorts.https }}
+        {{- end }}
+        {{- if $.Values.keeper.enabled }}
+        - port: {{ $.Values.containerPorts.keeper }}
+        - port: {{ $.Values.containerPorts.keeperInter }}
+        {{- if $.Values.tls.enabled }}
+        - port : {{ $.Values.containerPorts.keeperSecure }}
+        {{- end }}
+        {{- end }}
+        {{- if $.Values.metrics.enabled }}
+        - port: {{ $.Values.containerPorts.metrics }}
+        {{- end }}
+     
+      {{- if or .Values.networkPolicy.allowCurrentNamespace .Values.networkPolicy.allowNamespaces }}
+      from:
+      {{- if .Values.networkPolicy.allowCurrentNamespace }}
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ .Release.Namespace }}
+      {{- end }}
+      {{- range $namespace := .Values.networkPolicy.allowNamespaces }}
+        {{- if $namespace }}
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ $namespace }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+    {{- if .Values.networkPolicy.extraIngress }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- end }}
+  {{- if eq $.Values.service.type "LoadBalancer" }}
+  ingress:
+    - {}
+  {{- end }}
+{{- end }}