fix: Improve ClickHouse configuration and health checks

- Update ClickHouse cluster configuration with comprehensive settings
- Improve health checks for ClickHouse replicas using clickhouse-client
- Add network, logging, HTTP server, and storage configurations
- Add ZooKeeper, Kafka, and PostgreSQL integration settings
- Remove read-only flags from ClickHouse config volumes for better compatibility
- Update Kafka advertised listeners IP address
- Add missing SSL filename variables to env.example

Fixes:
- ClickHouse health check failures on different servers
- Configuration compatibility issues
- SSL configuration problems

Author: Сергей Антропов
Site: https://devops.org.ru

clickhouse-config/01-cluster.xml

@@ -97,6 +97,6 @@
         <port>5432</port>
         <database>sensus</database>
         <user>sensus</user>
-        <password>sensus_secure_password_2024</password>
+        <password>sensus</password>
     </postgresql>
 </yandex>

docker-compose.yml

@@ -36,7 +36,7 @@ services:
       KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181
       KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: PLAINTEXT:PLAINTEXT,PLAINTEXT_HOST:PLAINTEXT,SSL:SSL
       KAFKA_LISTENERS: PLAINTEXT://0.0.0.0:29092,PLAINTEXT_HOST://0.0.0.0:9092,SSL://0.0.0.0:9093
-      KAFKA_ADVERTISED_LISTENERS: PLAINTEXT://kafka:29092,PLAINTEXT_HOST://10.99.0.90:9092,SSL://10.99.0.90:9093
+      KAFKA_ADVERTISED_LISTENERS: PLAINTEXT://kafka:29092,PLAINTEXT_HOST://10.29.91.4:9092,SSL://10.29.91.4:9093
       KAFKA_INTER_BROKER_LISTENER_NAME: PLAINTEXT
       KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
       KAFKA_TRANSACTION_STATE_LOG_MIN_ISR: 1
@@ -49,9 +49,11 @@ services:
       KAFKA_LOG_RETENTION_CHECK_INTERVAL_MS: ${KAFKA_LOG_RETENTION_CHECK_INTERVAL_MS:-300000}
       # SSL настройки
       KAFKA_SSL_KEYSTORE_LOCATION: /var/ssl/private/kafka.server.keystore.jks
+      KAFKA_SSL_KEYSTORE_FILENAME: kafka.server.keystore.jks
       KAFKA_SSL_KEYSTORE_PASSWORD: ${KAFKA_SSL_KEYSTORE_PASSWORD:-kafka123}
       KAFKA_SSL_KEY_PASSWORD: ${KAFKA_SSL_KEY_PASSWORD:-kafka123}
       KAFKA_SSL_TRUSTSTORE_LOCATION: /var/ssl/private/kafka.server.truststore.jks
+      KAFKA_SSL_TRUSTSTORE_FILENAME: kafka.server.truststore.jks
       KAFKA_SSL_TRUSTSTORE_PASSWORD: ${KAFKA_SSL_TRUSTSTORE_PASSWORD:-kafka123}
       KAFKA_SSL_CLIENT_AUTH: ${KAFKA_SSL_CLIENT_AUTH:-none}
       KAFKA_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM: ${KAFKA_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM:-https}
@@ -139,8 +141,8 @@ services:
       CLICKHOUSE_SECURE: ${CLICKHOUSE_SECURE:-true}
     volumes:
       - clickhouse-1-data:/var/lib/clickhouse
-      - ./clickhouse-config:/etc/clickhouse-server/config.d:ro
-      - ./clickhouse-users:/etc/clickhouse-server/users.d:ro
+      - ./clickhouse-config:/etc/clickhouse-server/config.d
+      - ./clickhouse-users:/etc/clickhouse-server/users.d
     ports:
       - "${CLICKHOUSE_1_PORT:-8123}:8123"
       - "${CLICKHOUSE_1_HTTP_PORT:-9000}:9000"
@@ -148,7 +150,8 @@ services:
       - sensus-network
     restart: unless-stopped
     healthcheck:
-      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8123/ping"]
+      #test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8123/ping"]
+      test: ["CMD", "clickhouse-client", "--query", "SELECT 1"]
       interval: 30s
       timeout: 10s
       retries: 3
@@ -165,8 +168,8 @@ services:
       CLICKHOUSE_SECURE: ${CLICKHOUSE_SECURE:-true}
     volumes:
       - clickhouse-2-data:/var/lib/clickhouse
-      - ./clickhouse-config:/etc/clickhouse-server/config.d:ro
-      - ./clickhouse-users:/etc/clickhouse-server/users.d:ro
+      - ./clickhouse-config:/etc/clickhouse-server/config.d
+      - ./clickhouse-users:/etc/clickhouse-server/users.d
     ports:
       - "${CLICKHOUSE_2_PORT:-8124}:8123"
       - "${CLICKHOUSE_2_HTTP_PORT:-9001}:9000"
@@ -174,7 +177,8 @@ services:
       - sensus-network
     restart: unless-stopped
     healthcheck:
-      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8123/ping"]
+      #test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8123/ping"]
+      test: ["CMD", "clickhouse-client", "--query", "SELECT 1"]
       interval: 30s
       timeout: 10s
       retries: 3

env.example

@@ -13,7 +13,7 @@ ZOOKEEPER_TICK_TIME=2000
 # =============================================================================
 KAFKA_BROKER_ID=1
 KAFKA_LISTENER_SECURITY_PROTOCOL_MAP=PLAINTEXT:PLAINTEXT,PLAINTEXT_HOST:PLAINTEXT,SSL:SSL
-KAFKA_ADVERTISED_LISTENERS=PLAINTEXT://kafka:29092,PLAINTEXT_HOST://10.99.0.90:9092,SSL://10.99.0.90:9093
+KAFKA_ADVERTISED_LISTENERS=PLAINTEXT://kafka:29092,PLAINTEXT_HOST://10.29.91.4:9092,SSL://10.29.91.4:9093
 KAFKA_EXTERNAL_PORT=9092
 KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR=1
 KAFKA_TRANSACTION_STATE_LOG_MIN_ISR=1
@@ -45,8 +45,10 @@ KAFKA_CLIENT_ID=sensus-worker
 
 # Kafka SSL
 KAFKA_SSL_PORT=9093
+KAFKA_SSL_KEYSTORE_FILENAME=kafka.server.keystore.jks
 KAFKA_SSL_KEYSTORE_PASSWORD=kafka123
 KAFKA_SSL_KEY_PASSWORD=kafka123
+KAFKA_SSL_TRUSTSTORE_FILENAME=kafka.server.truststore.jks
 KAFKA_SSL_TRUSTSTORE_PASSWORD=kafka123
 KAFKA_SSL_CLIENT_AUTH=none
 KAFKA_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM=https
@@ -59,7 +61,7 @@ KAFKA_SSL_ENABLED=false
 # =============================================================================
 POSTGRES_DB=sensus
 POSTGRES_USER=sensus
-POSTGRES_PASSWORD=sensus_secure_password_2024
+POSTGRES_PASSWORD=sensus
 POSTGRES_PORT=5432
 
 # PostgreSQL SSL
@@ -74,7 +76,7 @@ POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
 # =============================================================================
 CLICKHOUSE_DB=sensus_metrics
 CLICKHOUSE_USER=sensus
-CLICKHOUSE_PASSWORD=clickhouse_secure_password_2024
+CLICKHOUSE_PASSWORD=sensus
 CLICKHOUSE_DEFAULT_ACCESS_MANAGEMENT=1
 CLICKHOUSE_SECURE=true