Configuration¶
Set with vault write database/config/<name> plugin_name=clickvault ...:
| Field | Required | Description |
|---|---|---|
connection_url |
yes | ClickHouse address. Must include a scheme, e.g. clickhouse://host:9000. A bare host:9000 is rejected. See note below. |
username |
yes | The Vault admin user in ClickHouse. Must have ACCESS MANAGEMENT grant. |
password |
yes | Password for username. |
cluster |
no | If set, all DDL statements get ON CLUSTER '<cluster>' inserted at the grammatically correct position. Leave unset or empty for a single node deployment. |
username_template |
no | Go template for dynamic usernames. See below for default. |
tls |
no | Enable TLS for the ClickHouse connection (default: false). |
tls_skip_verify |
no | Skip TLS certificate verification (default: false, only used when tls=true). |
dial_timeout_seconds |
no | Dial timeout in seconds (default: 5). |
read_timeout_seconds |
no | Read timeout in seconds (default: 30). |
Note on
connection_url: unlike some ClickHouse client libraries (e.g.clickhouse-go's default DSN parsing), clickvault does not accept a barehost:portaddress. A scheme prefix is required. This is intentional: inferring a scheme from context (defaulting toclickhouse://ortcp://) is the kind of ambiguity that makes URL-parsing bugs security-relevant, soparseAddrrejects bare addresses rather than guessing. If you are migrating aconnection_urlfrom another tool, add the scheme explicitly.
Pass verify_connection=true (the default) to have Initialize ping ClickHouse
and confirm the admin user has the ACCESS MANAGEMENT privilege before
accepting the config.
Username template¶
Dynamic usernames are generated with sdk/helper/template. The default
template is:
This produces names like v-token-a1b2c3d4-1719945600. ClickHouse identifiers
are limited to 255 characters. You can override this with username_template in
the connection config.
Collision risk: The default template truncates
DisplayNameto 8 characters. In high-volume deployments or when many Vault entities share a naming prefix (e.g.svc-payments-*,svc-payroll-*), truncated display names can collide. clickvault checks for an existing ClickHouse user with the generated name before runningcreation_statementsand fails with a clear error rather than silently overwriting or erroring opaquely. If you see this error frequently, use a longerusername_template.The Vault role name is intentionally not included in the default template — only
DisplayName— since ClickHouse usernames are visible insystem.users, query logs, connection logs andsystem.query_log, andRoleNameoften encodes more about the credential's purpose (e.g.prod-billing-admin) than you may want exposed there.
Password policy¶
ClickHouse's sha256_password auth type has no hard character set requirement,
but Vault needs a password policy:
length = 20
rule "charset" {
charset = "abcdefghijklmnopqrstuvwxyz"
}
rule "charset" {
charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
min-chars = 1
}
rule "charset" {
charset = "0123456789"
min-chars = 1
}
scripts/setup_vault.sh creates this policy as clickhouse-password-policy.