Integrations — ClickHouse
This page covers how tdp-clickhouse integrates with S3/MinIO and with other tools in the TDP ecosystem.
Passwords, LDAP, and access control are documented in Security — ClickHouse.
Integration overview
S3 / MinIO
The chart supports two different levels of S3 integration:
- Chart integration with bucket and Secret via
TDPConfigurations.s3Connection - ClickHouse storage policy via
tdp-clickhouse.clickhouse.extraConfig
These levels are complementary: the first helps prepare the bucket and Secret; the second configures ClickHouse to use S3 as a storage disk.
Bucket and Secret via TDPConfigurations.s3Connection
When s3Connection.enabled: true, the chart runs a Job that:
- tries to create the bucket if it does not exist yet;
- creates the
tdp-clickhouse-s3-connectionSecret with the configured credentials.
TDPConfigurations:
s3Connection:
enabled: true
bucket: "<s3-bucket-name>"
accessKey: "<s3-access-key>"
secretKey: "<s3-secret-key>"
uri: "https://<s3-endpoint>"
selfSigned: false
Store accessKey and secretKey in a separate values file outside Git, or in an existing Kubernetes Secret. Never commit them directly in the repository.
S3 storage policy in ClickHouse
To store ClickHouse data on S3/MinIO, add the XML configuration under tdp-clickhouse.clickhouse.extraConfig.
tdp-clickhouse:
clickhouse:
extraConfig: |
<yandex>
<storage_configuration>
<disks>
<default>
<keep_free_space_bytes>1073741824</keep_free_space_bytes>
</default>
<s3>
<type>s3</type>
<endpoint>https://<s3-endpoint>/<s3-bucket-name>/</endpoint>
<access_key_id><S3_ACCESS_KEY></access_key_id>
<secret_access_key><S3_SECRET_KEY></secret_access_key>
<use_https>1</use_https>
<skip_hostname_verification_for_https>1</skip_hostname_verification_for_https>
<bucket><s3-bucket-name></bucket>
<path>data/</path>
<use_environment_credentials>false</use_environment_credentials>
<path_style>true</path_style>
</s3>
</disks>
<policies>
<default>
<volumes>
<main>
<disk>default</disk>
</main>
</volumes>
</default>
<s3>
<volumes>
<main>
<disk>s3</disk>
</main>
</volumes>
</s3>
</policies>
</storage_configuration>
<openSSL>
<client>
<loadDefaultCAFile>false</loadDefaultCAFile>
<verificationMode>none</verificationMode>
<invalidCertificateHandler>
<name>AcceptCertificateHandler</name>
</invalidCertificateHandler>
</client>
</openSSL>
</yandex>
After applying this policy, you can create tables with storage_policy = 's3':
CREATE TABLE my_table (id UInt64, value String)
ENGINE = MergeTree()
ORDER BY id
SETTINGS storage_policy = 's3';
In the example above, verificationMode: none and AcceptCertificateHandler are intended for controlled environments. In production, prefer proper TLS validation whenever the S3 endpoint supports trusted certificates.
Main S3 parameters
| Parameter | Description | Default |
|---|---|---|
TDPConfigurations.s3Connection.enabled | Enable S3 integration | false |
TDPConfigurations.s3Connection.bucket | Bucket name | — |
TDPConfigurations.s3Connection.accessKey | Access key | — |
TDPConfigurations.s3Connection.secretKey | Secret key | — |
TDPConfigurations.s3Connection.uri | S3 endpoint | — |
TDPConfigurations.s3Connection.selfSigned | Accept self-signed certificate | false |
Consistency between the S3 Job and extraConfig
If you use both mechanisms at once, keep the following values aligned:
- bucket
- endpoint
- access key
- secret key
- TLS/certificate policy
That avoids cases where the bucket is created against one endpoint while ClickHouse writes to another.
Other ecosystem integrations
CloudBeaver
CloudBeaver can use ClickHouse as a datasource. Configuration is done in the tdp-cloudbeaver chart — see Integrations — CloudBeaver.
Superset
Superset can query ClickHouse via the SQLAlchemy driver. Configuration is done in the tdp-superset chart — see Integrations — Superset.
Trino
Trino can consume ClickHouse data via its dedicated connector. Configuration is done in the tdp-trino chart — see Integrations — Trino.
Combining values files
helm upgrade --install <release> \
oci://registry.tecnisys.com.br/tdp/charts/tdp-clickhouse \
-n <namespace> \
-f my-values.yaml \
-f values-integration.yaml