Configuring the external ClickHouse DBMS settings

To configure the Kaspersky Container Security settings to use the external ClickHouse DBMS:

  1. In the values.yaml configuration file, specify that the solution uses the external ClickHouse DBMS:

    default:

    kcs-clickhouse:

    external: true

  2. Specify the variables for using the external ClickHouse DBMS:

    configmap:

    infraconfig:

    type: fromEnvs

    envs:

    ...<ariables for using the external ClickHouse DBMS>

    In this section you must specify the following variables:

    • EXT_CLICKHOUSE_PROTOCOL is the protocol for connection to the external ClickHouse DBMS.
    • EXT_CLICKHOUSE_HOST is the host for connection to the external ClickHouse DBMS.
    • EXT_CLICKHOUSE_PORT is the port for connection to the external ClickHouse DBMS.
    • EXT_CLICKHOUSE_DB_NAME is the name of the database prepared for using with Kaspersky Container Security.
    • EXT_CLICKHOUSE_COLD_STORAGE_NAME is the name of the disk, where ClickHouse will long term store data about incidents.
    • EXT_CLICKHOUSE_STORAGE_POLICY_NAME is the name of the data storage policy according to which ClickHouse will transfer the data about incidents to the disk for long-term storage.

      If you use the same disk for short-term and long-term data storage, the EXT_CLICKHOUSE_COLD_STORAGE_NAME and EXT_CLICKHOUSE_STORAGE_POLICY_NAME values are not specified.

    • EXT_CLICKHOUSE_SSL_AUTH is the variable for SSL authorization of ClickHouse users. If the true value is specified, authorization is performed without passwords using client certificates.

      If TLS_INTERNAL is false, EXT_CLICKHOUSE_SSL_AUTH must also be false.

    • EXT_CLICKHOUSE_ROOT_CA_PATH is the path to the CA certificate, which is specified if the https protocol is used to connect to ClickHouse ( EXT_CLICKHOUSE_PROTOCOL: https). You can specify the path in one of the following ways:
      • Put the ClickHouse CA certificate in the directory specified by the path. In this case, you must uncomment the secret.cert-kcs-clickhouse-ca block.
      • Use Vault to store certificate data. In this case, you must uncomment the cert-kcs-clickhouse-ca block in the vault.certificate section.
  3. Specify values of secrets for using the external ClickHouse DBMS:

    configmap:

    secret:

    infracreds:

    type: fromEnvs

    envs:

    ...<secrets for using the external ClickHouse DBMS>

    In this section you must specify the following:

    • EXT_CLICKHOUSE_WRITE_USER is the name of a user with permissions to write created for using with Kaspersky Container Security.
    • CLICKHOUSE_WRITE_PASSWORD is the password of a user with permissions to write created for using with Kaspersky Container Security.
    • EXT_CLICKHOUSE_READ_USER is the name of a user with read rights prepared for use with Kaspersky Container Security.
    • CLICKHOUSE_READ_PASSWORD is the password of a user with permissions to read created for using with Kaspersky Container Security.

      CLICKHOUSE_READ_PASSWORD and CLICKHOUSE_WRITE_PASSWORD are not used if EXT_CLICKHOUSE_SSL_AUTH is set to true.

    Usernames and passwords can also be specified using the Vault secret storage.

    Example of configuring the external ClickHouse DBMS settings

Page top