docs: expand default user password configuration#238
Merged
GrigoryPervakov merged 4 commits intoJun 19, 2026
Conversation
2 tasks
e6fdc8f to
8014c47
Compare
Remove redundant restatement that the password is never stored in the CR (already stated above), fold the exactly-one rule and its webhook enforcement into a single non-tautological sentence, and drop the duplicated "not protected like Secret data" rationale from the ConfigMap note. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
8014c47 to
dadb2fa
Compare
|
Docs PR opened: ClickHouse/mintlify-docs-dev#232 Synced upstream clickhouse-operator docs, expanding default user password configuration and adding monitoring, scaling, and TLS guides. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
The Default user password section in the Configuration guide showed a Secret/ConfigMap skeleton but used a misleading key: placeholder, which could make readers think key is the password value rather than the key name inside the resource. It also omitted practical guidance for using spec.settings.defaultUserPassword, including the exactly-one-source rule, password type choices, and the security difference between Secret and ConfigMap.
What
Rewrites the Default user password section to clarify that the password is read from a key in a Secret or ConfigMap and is never stored inline in the CR. The update documents that exactly one of secret or configMap is required, with both name and key; adds guidance for password versus password_sha256_hex, including the operator client configuration behavior; and adds full Secret + CR examples for plaintext and hashed passwords, plus ConfigMap guidance for non-sensitive values and a warning not to store plaintext passwords there. Verified against DefaultPasswordSelector.Validate(), templates.go, and config.go.