clickhouse-operator
Option to rotate passwords passed from Kubernetes Secrets
I have a CHI with user passwords passed via */k8s_secret_password settings. When I change passwords in the k8s secrets, clickhouse-operator doesn't change them in the database until some change in the CHI spec triggers reconciliation. It would be nice to have an option to force reconciliation, to be able to rotate passwords without modifying the CHI definition itself.
I didn't find any mention of password rotation in the docs. If you have any recommendations on how to achieve that, it would be very useful. I think it's a common use case.
Same here. My workaround is playing with this field to add/remove a temporary network whitelist entry on the user, to trigger a reconcile of the read-only volume of the generated users XML (/etc/clickhouse-server/users.d/chop-generated-users.xml):
```yaml
users:
  user-ttttttt/k8s_secret_password_sha256_hex: ns/ch-idx-ttttttt/user-ttttttt_password_sha256_hex
  user-ttttttt/networks/ip:
    - "x.x.x.x/x"
    - "127.0.0.1/32"  # <= add then apply, verify, then remove and apply again
```
Thanks @jun0tpyrc, your workaround helped!
You could also change spec.taskID inside the CHI to a random string to trigger a reconcile from the clickhouse-operator side. See kubectl explain chi.spec.taskID for documentation.
The latest 0.21.x version of the operator should just update the configmap without a rolling restart of the statefulset.
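The spec.taskID approach from the thread, combined with the Secret update, as an added example that is not part of the original thread or the operator's own code. The namespace, Secret, key and CHI names are caller-supplied placeholders, and the Secret key is assumed to hold a SHA-256 hex digest as in the k8s_secret_password_sha256_hex setting above.

```shell
#!/bin/sh
# Added example: rotate a ClickHouse user password stored in a Kubernetes
# Secret, then force a reconcile by changing spec.taskID on the CHI.
# All resource names are arguments (placeholders), not values from the thread.

# SHA-256 hex digest of the password. printf '%s' is deliberate: echo would
# append a newline and produce a digest that never matches the real password.
sha256_hex() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# JSON merge patch that sets spec.taskID to the given value.
task_patch() {
    printf '{"spec":{"taskID":"%s"}}' "$1"
}

# A fresh task id per rotation: timestamp plus 4 random bytes as hex.
new_task_id() {
    printf 'rotate-%s-%s' "$(date +%s)" \
        "$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n')"
}

# rotate NAMESPACE SECRET KEY CHI   (new password is read from stdin so it
# stays out of the process list and shell history)
rotate() {
    ns=$1 secret=$2 key=$3 chi=$4
    IFS= read -r password
    digest=$(sha256_hex "$password")
    # Merge-patch only this key so other keys in the Secret are preserved.
    kubectl -n "$ns" patch secret "$secret" --type merge \
        -p "{\"stringData\":{\"$key\":\"$digest\"}}" || return 1
    # Changing taskID is what makes the operator reconcile the CHI.
    kubectl -n "$ns" patch chi "$chi" --type merge \
        -p "$(task_patch "$(new_task_id)")"
}

# Run only when called with all four arguments.
if [ "$#" -ge 4 ]; then
    rotate "$@"
fi
```

Feed the new password on stdin, for example from a password manager CLI, and pass the namespace, Secret name, key and CHI name as the four arguments.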