feat: Add clickhouse operator and base cluster

Author: LukeRepko

base-helm-configs/clickhouse/clickhouse-helm-overrides.yaml

@@ -0,0 +1,34 @@
+# Operator goes in the clickhouse namespace and watches that namespace only.
+createCRDs: true
+watchNamespaces:
+  - clickhouse
+
+affinity:
+  # Schedule the operator only on worker nodes.
+  nodeAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+      nodeSelectorTerms:
+        - matchExpressions:
+          - key: node-role.kubernetes.io/worker
+            operator: In
+            values:
+            - worker
+  # Spread away from other operator pods (if HA operator is enabled later).
+  podAntiAffinity:
+    preferredDuringSchedulingIgnoredDuringExecution:
+      - weight: 100
+        podAffinityTerm:
+          labelSelector:
+            matchExpressions:
+              - key: app.kubernetes.io/name
+                operator: In
+                values: ["altinity-clickhouse-operator"]
+          topologyKey: "kubernetes.io/hostname"
+
+# Keep it quiet-ish but observable
+env:
+  - name: LOG_LEVEL
+    value: "info"
+
+metrics:
+  enabled: true

base-kustomize/clickhouse/base/chi-cluster.yaml

@@ -0,0 +1,127 @@
+apiVersion: clickhouse.altinity.com/v1
+kind: ClickHouseInstallation
+metadata:
+  name: ch
+  namespace: clickhouse
+spec:
+  taskID: "1"
+
+  configuration:
+    # Use Keeper for replication
+    zookeeper:
+      nodes:
+        - host: keeper-ck
+          port: 2181
+
+    users:
+      # Disable dangerous defaults; create reader/writer explicitly.
+      default/readonly: 1
+
+      writer/password_sha256_hex:
+        valueFrom:
+          secretKeyRef:
+            name: clickhouse-db-passwords
+            key: writer_password_sha256
+      writer/profile: default
+      writer/quota: default
+      writer/networks/ip: "::/0"
+
+      reader/password_sha256_hex:
+        valueFrom:
+          secretKeyRef:
+            name: clickhouse-db-passwords
+            key: reader_password_sha256
+      reader/profile: readonly
+      reader/quota: default
+      reader/networks/ip: "::/0"
+
+    profiles:
+      readonly/readonly: 1
+
+    clusters:
+      - name: main
+        layout:
+          shardsCount: 1
+          replicasCount: 3
+        templates:
+          podTemplate: ch-pod
+          volumeClaimTemplate: ch-data
+
+    # Create DB + tables for IPFIX rollups on first boot.
+    files:
+      10-init-ipfix.sql: |
+        CREATE DATABASE IF NOT EXISTS ipfix;
+
+        -- Raw hourly rollups coming from edge nodes (per node).
+        CREATE TABLE IF NOT EXISTS ipfix.vip_hourly_node
+        (
+          hour_ts   DateTime,
+          vip       LowCardinality(String),  -- store IP as text to support v4/v6 uniformly
+          dir       LowCardinality(String),  -- 'to' | 'from'
+          bytes     UInt64,
+          packets   UInt64,
+          node      LowCardinality(String)
+        )
+        ENGINE = ReplicatedReplacingMergeTree('/clickhouse/tables/{shard}/vip_hourly_node','{replica}')
+        PARTITION BY toYYYYMMDD(hour_ts)
+        ORDER BY (hour_ts, vip, dir, node);
+
+        -- Cluster-wide aggregation (fast to query).
+        CREATE TABLE IF NOT EXISTS ipfix.vip_hourly_mv
+        (
+          hour_ts   DateTime,
+          vip       LowCardinality(String),
+          dir       LowCardinality(String),
+          bytes     UInt64,
+          packets   UInt64
+        )
+        ENGINE = ReplicatedSummingMergeTree('/clickhouse/tables/{shard}/vip_hourly_mv','{replica}')
+        PARTITION BY toYYYYMMDD(hour_ts)
+        ORDER BY (hour_ts, vip, dir);
+
+        -- Materialized View to keep vip_hourly_mv in sync.
+        CREATE MATERIALIZED VIEW IF NOT EXISTS ipfix.vip_hourly_mv__mv
+        TO ipfix.vip_hourly_mv
+        AS
+        SELECT
+          hour_ts,
+          vip,
+          dir,
+          sum(bytes)   AS bytes,
+          sum(packets) AS packets
+        FROM ipfix.vip_hourly_node
+        GROUP BY hour_ts, vip, dir;
+
+  templates:
+    podTemplates:
+      - name: ch-pod
+        spec:
+          nodeSelector:
+            node-role.kubernetes.io/worker: ""
+          affinity:
+            podAntiAffinity:
+              requiredDuringSchedulingIgnoredDuringExecution:
+                - labelSelector:
+                    matchLabels:
+                      clickhouse.altinity.com/chi: ch
+                  topologyKey: "kubernetes.io/hostname"
+          containers:
+            - name: clickhouse
+              # Injected by envsubst in install script from helm-chart-versions.yaml
+              image: ${CLICKHOUSE_SERVER_IMAGE}
+              imagePullPolicy: IfNotPresent
+              ports:
+                - name: http
+                  containerPort: 8123
+                - name: native
+                  containerPort: 9000
+                - name: inter
+                  containerPort: 9009
+    volumeClaimTemplates:
+      - name: ch-data
+        spec:
+          accessModes: ["ReadWriteOnce"]
+          storageClassName: general
+          resources:
+            requests:
+              storage: 80Gi

base-kustomize/clickhouse/base/chk-keeper.yaml

@@ -0,0 +1,42 @@
+apiVersion: clickhouse-keeper.altinity.com/v1
+kind: ClickHouseKeeperInstallation
+metadata:
+  name: keeper
+  namespace: clickhouse
+spec:
+  configuration:
+    clusters:
+      - name: ck
+        layout:
+          replicasCount: 3
+  templates:
+    podTemplates:
+      - name: keeper-pod
+        spec:
+          nodeSelector:
+            node-role.kubernetes.io/worker: ""
+          affinity:
+            podAntiAffinity:
+              requiredDuringSchedulingIgnoredDuringExecution:
+                - labelSelector:
+                    matchLabels:
+                      clickhouse-keeper.altinity.com/chi: keeper
+                  topologyKey: "kubernetes.io/hostname"
+          containers:
+            - name: clickhouse-keeper
+              # Injected by envsubst in install script
+              image: ${CLICKHOUSE_KEEPER_IMAGE}
+              imagePullPolicy: IfNotPresent
+              command: ["/usr/bin/clickhouse-keeper","--config-file=/etc/clickhouse-keeper/keeper-config.xml"]
+    volumeClaimTemplates:
+      - name: keeper-data
+        spec:
+          accessModes: ["ReadWriteOnce"]
+          storageClassName: general
+          resources:
+            requests:
+              storage: 80Gi
+  defaults:
+    templates:
+      podTemplate: keeper-pod
+      volumeClaimTemplate: keeper-data

base-kustomize/clickhouse/base/kustomization.yaml

@@ -0,0 +1,8 @@
+---
+sortOptions:
+  order: fifo
+resources:
+  - all.yaml
+  - chk-keeper.yaml
+  - chi-cluster.yaml
+  - svc-clickhouse-http.yaml

base-kustomize/clickhouse/base/svc-clickhouse-http.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: clickhouse-http
+  namespace: clickhouse
+  labels:
+    app: clickhouse
+spec:
+  type: ClusterIP
+  selector:
+    clickhouse.altinity.com/chi: ch
+  ports:
+    - name: http
+      port: 8123
+      targetPort: 8123

bin/install-clickhouse.sh

@@ -0,0 +1,137 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Service paths
+GLOBAL_OVERRIDES_DIR="/etc/genestack/helm-configs/global_overrides"
+SERVICE_CONFIG_DIR="/etc/genestack/helm-configs/clickhouse-helm-overrides.yaml"
+BASE_OVERRIDES="/opt/genestack/base-helm-configs/clickhouse/clickhouse-helm-overrides.yaml"
+KUSTOMIZE_DIR="/etc/genestack/kustomize/clickhouse/overlay"
+VERSIONS_FILE="/etc/genestack/helm-chart-versions.yaml"
+
+NS="clickhouse"
+OP_RELEASE="altinity-operator"
+
+need() { command -v "$1" >/dev/null || { echo "Missing required command: $1" >&2; exit 1; }; }
+need helm
+need kubectl
+need awk
+need sha256sum
+need openssl
+need envsubst
+
+echo "==> Ensuring namespace '${NS}' exists"
+kubectl get ns "${NS}" >/dev/null 2>&1 || kubectl create ns "${NS}"
+
+# --- Create/reuse DB password secret ---
+echo "==> Ensuring DB password secret exists in namespace '${NS}'"
+if ! kubectl -n "${NS}" get secret clickhouse-db-passwords >/dev/null 2>&1; then
+  WRITER_PLAIN="$(openssl rand -hex 16)"
+  READER_PLAIN="$(openssl rand -hex 16)"
+  WRITER_SHA256="$(printf "%s" "${WRITER_PLAIN}" | sha256sum | awk "{print \$1}")"
+  READER_SHA256="$(printf "%s" "${READER_PLAIN}" | sha256sum | awk "{print \$1}")"
+  kubectl -n "${NS}" apply -f - <<EOF
+apiVersion: v1
+kind: Secret
+metadata:
+  name: clickhouse-db-passwords
+type: Opaque
+stringData:
+  writer_password_sha256: "${WRITER_SHA256}"
+  reader_password_sha256: "${READER_SHA256}"
+  writer_password_plain: "${WRITER_PLAIN}"
+  reader_password_plain: "${READER_PLAIN}"
+EOF
+else
+  echo "    Secret 'clickhouse-db-passwords' already exists; reusing."
+fi
+
+# --- Read versions from YAML without yq ---
+# Simple awk-based extractor: get "key: value" lines.
+get_yaml_val() {
+  local key="$1"
+  awk -v k="$key" '
+    $1 ~ k ":" {
+      # value may have quotes
+      sub(/^[^:]+:[[:space:]]*/,"")
+      gsub(/"/,"")
+      print
+      exit
+    }' "${VERSIONS_FILE}"
+}
+
+OP_CHART="altinity/altinity-clickhouse-operator"
+OP_VERSION="$(get_yaml_val "clickhouse-operator")"
+CH_SERVER_IMAGE="altinity/clickhouse-server:$(get_yaml_val "clickhouse-server")"
+CH_KEEPER_IMAGE="clickhouse/clickhouse-keeper:$(get_yaml_val "clickhouse-keeper")"
+
+if [[ -z "${OP_VERSION}" || -z "${CH_SERVER_IMAGE}" || -z "${CH_KEEPER_IMAGE}" ]]; then
+  echo "Failed to parse ${VERSIONS_FILE}. Please verify keys." >&2
+  exit 1
+fi
+
+echo "==> Helm repo add/update for operator chart: ${OP_CHART} @ ${OP_VERSION}"
+helm repo add altinity https://helm.altinity.com >/dev/null
+helm repo update >/dev/null
+
+echo "==> Installing/Upgrading ClickHouse Operator release '${OP_RELEASE}'"
+HELM_CMD="helm upgrade --install ${OP_RELEASE} ${OP_CHART} \
+  --version ${OP_VERSION} \
+  -n ${NS}"
+
+HELM_CMD+=" -f ${BASE_OVERRIDES}"
+
+for dir in "$GLOBAL_OVERRIDES_DIR" "$SERVICE_CONFIG_DIR"; do
+    if compgen -G "${dir}/*.yaml" > /dev/null; then
+        for yaml_file in "${dir}"/*.yaml; do
+            HELM_CMD+=" -f ${yaml_file}"
+        done
+    fi
+done
+
+HELM_CMD+=" $@"
+
+echo "==> Executing Helm command:"
+echo "${HELM_CMD}"
+eval "${HELM_CMD}"
+
+echo "==> Waiting for operator to be ready"
+kubectl -n "${NS}" rollout status deploy/altinity-operator-altinity-clickhouse-operator --timeout=300s
+
+# --- Apply Kustomize with envsubsted images from versions file ---
+export CLICKHOUSE_SERVER_IMAGE="${CH_SERVER_IMAGE}"
+export CLICKHOUSE_KEEPER_IMAGE="${CH_KEEPER_IMAGE}"
+
+echo "==> Applying ClickHouse Keeper + Cluster (kustomize + envsubst)"
+# We envsubst only image placeholders present in manifests.
+kubectl kustomize "${KUSTOMIZE_DIR}" | envsubst '${CLICKHOUSE_SERVER_IMAGE} ${CLICKHOUSE_KEEPER_IMAGE}' | kubectl apply -n "${NS}" -f -
+
+echo "==> Waiting for ClickHouse cluster pods (CHI=ch) to be Ready"
+kubectl -n "${NS}" wait --for=condition=Ready pod -l clickhouse.altinity.com/chi=ch --timeout=900s
+
+echo "==> Service endpoint (HTTP 8123)"
+kubectl -n "${NS}" get svc clickhouse-http -o wide
+
+# Print connection hints using stored plaintext (if present)
+WRITER_PLAIN="$(kubectl -n "${NS}" get secret clickhouse-db-passwords -o jsonpath='{.data.writer_password_plain}' 2>/dev/null | base64 -d || true)"
+READER_PLAIN="$(kubectl -n "${NS}" get secret clickhouse-db-passwords -o jsonpath='{.data.reader_password_plain}' 2>/dev/null | base64 -d || true)"
+
+# Print out the in-cluster endpoint, and various service info
+cat <<EOF
+
+ClickHouse installed.
+
+In-cluster HTTP endpoint:
+  http://clickhouse-http.${NS}.svc.cluster.local:8123
+
+Example queries:
+  kubectl -n ${NS} port-forward svc/clickhouse-http 8123:8123 &
+  curl -s "http://localhost:8123/?user=reader&password=${READER_PLAIN}&query=SELECT%201"
+
+Users (from Secret clickhouse-db-passwords):
+  reader / ${READER_PLAIN}
+  writer / ${WRITER_PLAIN}
+
+To rotate passwords: update the Secret and bump taskID in chi-cluster.yaml (or patch):
+  kubectl -n ${NS} patch chi ch --type=merge -p '{"spec":{"taskID":"2"}}'
+
+EOF