eduNEXT · MoisesGSalas · Sep 22, 2025
@@ -1,3 +1,5 @@
+# syntax=docker/dockerfile:1
+# check=skip=SecretsUsedInArgOrEnv
 FROM python:3.12-slim-bookworm AS minimal
 ARG DEBIAN_FRONTEND=noninteractive
 

@@ -42,6 +42,9 @@ spec:
                   name: ssh-key
                   subPath: ssh-privatekey
                   readOnly: true
+                {{- with .extraVolumeMounts }}
+                {{- toYaml . | nindent 16 }}
+                {{- end }}
           initContainers:
             - image: registry.k8s.io/git-sync/git-sync:v4.0.0
               name: inventory-git-sync
@@ -93,4 +96,7 @@ spec:
           - name: ssh-key
             secret:
               secretName: ssh-key
+        {{- with .extraVolumes }}
+        {{- toYaml . | nindent 10 }}
+        {{- end }}
 {{- end }}
@@ -49,6 +49,17 @@ jobs:
     # successfulJobsHistoryLimit: 2
     # failedJobsHistoryLimit: 2
     # startingDeadlineSeconds: 300
+    # # -- Extra Volumes for the pod
+    # extraVolumes: #[]
+    #   - name: example
+    #     configMap:
+    #       name: example
+    #
+    # # -- Extra Volume Mounts for the container
+    # extraVolumeMounts: #[]
+    #   - name: example
+    #     mountPath: /example
+
 
 nodeSelector: {}
 

@@ -35,7 +35,9 @@ platforms:
 provisioner:
   name: ansible
   inventory:
-    all:
-      CLICKHOUSE_DEFAULT_USER_PASSWORD: password
+    group_vars:
+      all:
+        CLICKHOUSE_DEFAULT_USER_PASSWORD: password
+        CLICKHOUSE_ENCRYPTION_KEY: ffffffffffffffffffffffffffffffff
 verifier:
   name: ansible
@@ -15,13 +15,28 @@ CLICKHOUSE_USERS:
   - name: stage
     password: stage
 
+CLICKHOUSE_ENABLE_BACKUPS: false
+CLICKHOUSE_BACKUP_ROOT: /mnt/clickhouse-backup
+
 CLICKHOUSE_LISTEN_HOSTS:
   - "::"
   - 0.0.0.0
 
-CLICKHOUSE_HOST_INSECURE_HTTP_PORT: 8123
-CLICKHOUSE_INTERNAL_INSECURE_NATIVE_PORT: 9000
+CLICKHOUSE_ENABLE_TLS: false
+CLICKHOUSE_CERTIFICATES_SOURCE_DIR: /tmp/clickhouse-certs
+
+CLICKHOUSE_HOST_HTTP_PORT: 8123
+CLICKHOUSE_HOST_HTTPS_PORT: 8443
+CLICKHOUSE_TCP_PORT: 9000
+CLICKHOUSE_TCP_PORT_SECURE: 9440
 
 CLICKHOUSE_KEY_SERVER: keyserver.ubuntu.com
 CLICKHOUSE_APT_KEY: 8919F6BD2B48D754
 CLICKHOUSE_REPO: deb https://packages.clickhouse.com/deb stable main
+
+CLICKHOUSE_ENABLE_ENCRYPTION: false
+# Encryption algorithm. Options:
+# - AES_128_CTR (16-byte key)
+# - AES_192_CTR (24-byte key)
+# - AES_256_CTR (32-byte key)
+CLICKHOUSE_ENCRYPTION_ALGORITHM: AES_128_CTR
@@ -26,18 +26,40 @@
     update_cache: true
   become: true
 
-- name: Create /etc/clickhouse-server/config.d/host.xml
+- name: Create configuration files
+  tags:
+    - configuration
   ansible.builtin.template:
-    src: host.xml.j2
-    dest: /etc/clickhouse-server/config.d/host.xml
-    mode: preserve
+    src: "{{ item.src }}"
+    dest: "/etc/clickhouse-server/config.d/{{ item.path }}"
+    mode: "preserve"
+  loop: "{{ lookup('community.general.filetree', 'templates/config.d/') }}"
 
-# - name: Grant default user permissions to create users and groups
-- name: Edit /etc/clickhouse-server/users.xml
+- name: Create users configuration file
+  tags:
+    - configuration
   ansible.builtin.template:
-    src: users.xml.j2
-    dest: /etc/clickhouse-server/users.xml
-    mode: preserve
+    src: "{{ item.src }}"
+    dest: "/etc/clickhouse-server/users.d/{{ item.path }}"
+    owner: "clickhouse"
+    group: "clickhouse"
+    mode: "0600"
+  loop: "{{ lookup('community.general.filetree', 'templates/users.d/', wantlist=True) }}"
+
+- name: Copy TLS certificates
+  when: CLICKHOUSE_ENABLE_TLS
+  tags:
+    - tls
+  ansible.builtin.copy:
+    src: "{{ CLICKHOUSE_CERTIFICATES_SOURCE_DIR }}/{{ item }}"
+    dest: "/etc/clickhouse-server/certs/{{ item }}"
+    owner: clickhouse
+    group: clickhouse
+    mode: '0600'
+    backup: true
+  loop:
+    - "tls.key"
+    - "tls.crt"
 
 - name: Start clickhouse service
   ansible.builtin.service:

@@ -0,0 +1,16 @@
+<clickhouse>
+{% if CLICKHOUSE_ENABLE_BACKUPS %}
+    <storage_configuration>
+        <disks>
+            <backups>
+                <type>local</type>
+                <path>{{ CLICKHOUSE_BACKUP_ROOT }}/</path>
+            </backups>
+        </disks>
+    </storage_configuration>
+    <backups>
+        <allowed_disk>backups</allowed_disk>
+        <allowed_path>{{ CLICKHOUSE_BACKUP_ROOT }}/</allowed_path>
+    </backups>
+{% endif %}
+</clickhouse>
@@ -0,0 +1,31 @@
+<clickhouse>
+    {% if CLICKHOUSE_ENABLE_ENCRYPTION %}
+    <storage_configuration>
+        <disks>
+            <default>
+                <keep_free_space_bytes>0</keep_free_space_bytes>
+            </default>
+            <default_encrypted>
+                <type>encrypted</type>
+                <disk>default</disk>
+                <path>encrypted/</path>
+                <algorithm>{{ CLICKHOUSE_ENCRYPTION_ALGORITHM }}</algorithm>
+                <key_hex id="0">{{ CLICKHOUSE_ENCRYPTION_KEY }}</key_hex>
+                <current_key_id>0</current_key_id>
+            </default_encrypted>
+        </disks>
+        <policies>
+            <encrypted_policy>
+                <volumes>
+                    <main>
+                        <disk>default_encrypted</disk>
+                    </main>
+                </volumes>
+            </encrypted_policy>
+        </policies>
+    </storage_configuration>
+    <merge_tree>
+        <storage_policy>encrypted_policy</storage_policy>
+    </merge_tree>
+    {% endif %}
+</clickhouse>
@@ -0,0 +1,26 @@
+<clickhouse>
+    <http_port>{{ CLICKHOUSE_HOST_HTTP_PORT }}</http_port>
+    <https_port>{{ CLICKHOUSE_HOST_HTTPS_PORT }}</https_port>
+
+    <tcp_port>{{ CLICKHOUSE_TCP_PORT }}</tcp_port>
+    <tcp_port_secure>{{ CLICKHOUSE_TCP_PORT_SECURE }}</tcp_port_secure>
+
+    {% if CLICKHOUSE_ENABLE_TLS %}
+    <openSSL>
+        <server>
+            <certificateFile>/etc/clickhouse-server/certs/tls.crt</certificateFile>
+            <privateKeyFile>/etc/clickhouse-server/certs/tls.key</privateKeyFile>
+            <verificationMode>relaxed</verificationMode>
+            <cacheSessions>true</cacheSessions>
+            <disableProtocols>sslv2,sslv3</disableProtocols>
+            <preferServerCiphers>true</preferServerCiphers>
+        </server>
+    </openSSL>
+    {% endif %}
+
+    {% for host in CLICKHOUSE_LISTEN_HOSTS %}
+    <listen_host>{{ host }}</listen_host>
+    {% endfor %}
+    <listen_try>1</listen_try>
+
+</clickhouse>