Add a ClickHouse readonly user option (#336)

Fix #333

Signed-off-by: Yanjun Zhou <zhouya@vmware.com>

build/charts/theia/README.md

@@ -26,7 +26,7 @@ Kubernetes: `>= 1.16.0-0`
 | clickhouse.cluster.replicas | int | `1` | Number of ClickHouse replicas in each shard. |
 | clickhouse.cluster.shards | int | `1` | Number of ClickHouse shards in the cluster. |
 | clickhouse.cluster.zookeeperHosts | list | `[]` | To use a pre-installed ZooKeeper for ClickHouse data replication, please provide a list of your ZooKeeper hosts. To install a customized ZooKeeper, refer to <https://github.com/Altinity/clickhouse-operator/blob/master/docs/zookeeper_setup.md> |
-| clickhouse.connectionSecret | object | `{"password":"clickhouse_operator_password","username":"clickhouse_operator"}` | Credentials to connect to ClickHouse. They will be stored in a secret. |
+| clickhouse.connectionSecret | object | `{"password":"clickhouse_operator_password","readOnlyPassword":"readonly_password","readOnlyUsername":"readonly","username":"clickhouse_operator"}` | Credentials to connect to ClickHouse. They will be stored in a secret. |
 | clickhouse.image | object | `{"pullPolicy":"IfNotPresent","repository":"projects.registry.vmware.com/antrea/theia-clickhouse-server","tag":""}` | Container image used by ClickHouse. |
 | clickhouse.logger.count | int | `4` | The number of archived log files that ClickHouse stores. |
 | clickhouse.logger.level | string | `"information"` | Logging level. Acceptable values: trace, debug, information, warning, error. |

build/charts/theia/templates/clickhouse/clickhouseinstallation.yaml

@@ -11,6 +11,11 @@ spec:
     users:
       {{ .Values.clickhouse.connectionSecret.username }}/k8s_secret_password: {{ .Release.Namespace }}/clickhouse-secret/password
       {{ .Values.clickhouse.connectionSecret.username }}/networks/ip: "::/0"
+      {{ .Values.clickhouse.connectionSecret.readOnlyUsername }}/k8s_secret_password: {{ .Release.Namespace }}/clickhouse-secret/readOnlyPassword
+      {{ .Values.clickhouse.connectionSecret.readOnlyUsername }}/profile: readonly
+      {{ .Values.clickhouse.connectionSecret.readOnlyUsername }}/networks/ip: "::/0"
+    profiles:
+      readonly/readonly: 1
     clusters:
       - name: "clickhouse"
         layout:

build/charts/theia/templates/clickhouse/secret.yaml

@@ -7,3 +7,5 @@ type: Opaque
 stringData:
   username: {{ .Values.clickhouse.connectionSecret.username }}
   password: {{ .Values.clickhouse.connectionSecret.password }}
+  readOnlyUsername: {{ .Values.clickhouse.connectionSecret.readOnlyUsername }}
+  readOnlyPassword: {{ .Values.clickhouse.connectionSecret.readOnlyPassword }}

build/charts/theia/values.yaml

@@ -35,8 +35,10 @@ clickhouse:
       tag: ""
   # -- Credentials to connect to ClickHouse. They will be stored in a secret.
   connectionSecret:
-    username : "clickhouse_operator"
+    username: "clickhouse_operator"
     password: "clickhouse_operator_password"
+    readOnlyUsername: "readonly"
+    readOnlyPassword: "readonly_password"
   service:
     # -- The type of Service exposing ClickHouse. It can be one of ClusterIP,
     # NodePort or LoadBalancer.

build/yamls/flow-visibility.yml

@@ -6633,6 +6633,8 @@ metadata:
   namespace: flow-visibility
 stringData:
   password: clickhouse_operator_password
+  readOnlyPassword: readonly_password
+  readOnlyUsername: readonly
   username: clickhouse_operator
 type: Opaque
 ---
@@ -7148,13 +7150,18 @@ spec:
         replicasCount: 1
         shardsCount: 1
       name: clickhouse
+    profiles:
+      readonly/readonly: 1
     settings:
       logger/count: 4
       logger/level: information
       logger/size: 100M
     users:
       clickhouse_operator/k8s_secret_password: flow-visibility/clickhouse-secret/password
       clickhouse_operator/networks/ip: ::/0
+      readonly/k8s_secret_password: flow-visibility/clickhouse-secret/readOnlyPassword
+      readonly/networks/ip: ::/0
+      readonly/profile: readonly
     zookeeper:
       nodes:
       - host: zookeeper.flow-visibility