ClickHouse
ClickHouse is the columnar analytics database that stores observability data — logs, traces, and metrics — and serves ad-hoc analytical queries. It is deployed via the Altinity ClickHouse Operator, which manages ClickHouse clusters as Kubernetes custom resources.
Deployment
| Field | Value |
|---|---|
| Flux path | flux-clusters/stefanzhelev/apps/clickhouse |
| Base path | flux-apps/clickhouse |
| Namespace | clickhouse |
| Sync wave | 5 |
| Depends on | external-secrets-config |
What it deploys
- `clickhouse-crds` — HelmRelease for the Altinity ClickHouse Operator chart `>= 0.26.0`
- `clickhouse-vault-secrets` — Terraform CR that generates a 32-char admin password and stores it at `secret/clickhouse` in Vault
- `clickhouse-external-secrets` — ExternalSecret syncing `admin-username` / `admin-password` from Vault into the `clickhouse-credentials` Secret
- `clickhouse-database` — a single-shard, single-replica `ClickHouseInstallation` CR named `clickhouse`, plus an internal Ingress at `clickhouse.internal.stefanzhelev.com`
Configuration highlights
- Topology: 1 shard × 1 replica (non-HA starter)
- Storage: 20Gi per replica on the default `hcloud-volumes-encrypted` class
- Per-pod resources: 500m CPU / 1Gi memory request, 2Gi memory limit
- Admin user: password pulled by the operator from `clickhouse-credentials` via `admin/k8s_secret_password` — never materializes in the CHI manifest
- Default user: disabled (no network access)
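A check for the claim above that the admin password never materializes in the CHI manifest: this added example (not part of this repository's code) scans a `ClickHouseInstallation` manifest's `spec.configuration.users` and separates Secret references from inline credentials. The setting names in `INLINE_SETTINGS`, the `valueFrom` form, the script name in the usage comment, and both sample manifests are assumptions constructed for illustration.

```python
import json
import sys

# Settings under spec.configuration.users that embed a credential (or its
# hash) directly in the manifest. Names are assumed from the operator's
# "<user>/<setting>" convention; extend the set if your manifests use others.
INLINE_SETTINGS = {"password", "password_sha256_hex", "password_double_sha1_hex"}

# Constructed sample manifests (not taken from the cluster described here).
SAMPLE_OK = {"spec": {"configuration": {"users": {
    "admin/k8s_secret_password": "clickhouse-credentials/admin-password",
    "admin/networks/ip": ["10.0.0.0/8"],
}}}}
SAMPLE_LEAKY = {"spec": {"configuration": {"users": {
    "admin/k8s_secret_password": "clickhouse-credentials/admin-password",
    "reporting/password": "constructed-example-value",
    "etl/password": {"valueFrom": {"secretKeyRef": {"name": "etl", "key": "pw"}}},
}}}}


def audit_chi_users(chi):
    """Split credential settings into Secret references and inline values."""
    users = chi.get("spec", {}).get("configuration", {}).get("users") or {}
    report = {"secret_ref": [], "inline": []}
    for key, value in users.items():
        user, _, setting = key.partition("/")
        if setting.startswith("k8s_secret_password"):
            report["secret_ref"].append(f"{user}/{setting}")
        elif setting in INLINE_SETTINGS:
            # A valueFrom mapping points at a Secret; a string is a literal.
            if isinstance(value, dict) and "valueFrom" in value:
                report["secret_ref"].append(f"{user}/{setting}")
            else:
                report["inline"].append(f"{user}/{setting}")  # never echo the value
    return report


if __name__ == "__main__":
    # Usage (audit_chi.py is a hypothetical file name):
    #   kubectl get clickhouseinstallations -n clickhouse clickhouse -o json | python3 audit_chi.py
    result = audit_chi_users(json.load(sys.stdin))
    for item in result["inline"]:
        print(f"INLINE CREDENTIAL: {item}")
    sys.exit(1 if result["inline"] else 0)
```

The non-zero exit status on any inline credential lets the check gate a CI job that renders the manifest before Flux applies it.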
Endpoint
| Field | Value |
|---|---|
| Hostname | `clickhouse.internal.stefanzhelev.com` |
| Port | 443 (HTTPS, terminated at Traefik) |
| Backend | ClickHouse HTTP interface on 8123 |
| TLS | cert-manager, letsencrypt-prod (DNS-01) |
| Reachable from | NetBird VPN only (`internalsecure` entrypoint) |
| Username | `admin` |
| Password | `kubectl get secret -n clickhouse clickhouse-credentials -o jsonpath='{.data.admin-password}' \| base64 -d` |
Connecting from PyCharm / DataGrip
- Connect to the NetBird VPN.
- Database tool window → + → Data Source → ClickHouse.
- Fill in:
  - Host: `clickhouse.internal.stefanzhelev.com`
  - Port: `443`
  - User: `admin`
  - Password: (from the command above)
  - URL: `jdbc:ch://clickhouse.internal.stefanzhelev.com:443/default?ssl=true`
- Download the ClickHouse JDBC driver when prompted.
The native TCP protocol (port 9000) is reachable only in-cluster via the clickhouse-clickhouse Service — there is no external TCP ingress today.
Integrations
- Vault: admin password lives in Vault and is synced into the namespace by External Secrets
- Tofu Controller: Vault secret generation runs as a Terraform CR
- Consumers: Grafana (via the ClickHouse datasource), and — when re-enabled — ClickStack
Key commands
```bash
# Operator and installation status
kubectl get pods -n clickhouse
kubectl get clickhouseinstallations -n clickhouse

# Shell into the ClickHouse pod
kubectl exec -n clickhouse -it chi-clickhouse-default-0-0-0 -- \
  clickhouse-client --user admin --password "$(kubectl get secret -n clickhouse clickhouse-credentials -o jsonpath='{.data.admin-password}' | base64 -d)"

# Database sizes
kubectl exec -n clickhouse -it chi-clickhouse-default-0-0-0 -- \
  clickhouse-client -q "SELECT database, formatReadableSize(sum(bytes_on_disk)) FROM system.parts GROUP BY database"
```