add clickhouse, mongodb, fix env vars and rate limiting config

Author: Polliog

charts/logtide/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: logtide
 description: A Helm chart for LogTide - Open-source log management and SIEM platform
 type: application
-version: 2.0.8
+version: 2.1.0
 appVersion: "0.8.4"
 
 home: https://logtide.dev

charts/logtide/templates/backend-deployment.yaml

@@ -80,6 +80,28 @@ spec:
             - name: REDIS_URL
               value: "redis://$(REDIS_HOST):$(REDIS_PORT)"
             {{- end }}
+            {{- if eq .Values.config.storageEngine "clickhouse" }}
+            - name: CLICKHOUSE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ if .Values.clickhouse.existingSecret }}{{ .Values.clickhouse.existingSecret }}{{ else }}{{ include "logtide.fullname" . }}-clickhouse{{ end }}
+                  key: {{ .Values.clickhouse.existingSecretPasswordKey }}
+            {{- end }}
+            {{- if eq .Values.config.storageEngine "mongodb" }}
+            {{- if .Values.mongodb.uri }}
+            - name: MONGODB_URI
+              valueFrom:
+                secretKeyRef:
+                  name: {{ if .Values.mongodb.existingSecret }}{{ .Values.mongodb.existingSecret }}{{ else }}{{ include "logtide.fullname" . }}-mongodb{{ end }}
+                  key: {{ if .Values.mongodb.existingSecret }}{{ .Values.mongodb.existingSecretPasswordKey }}{{ else }}uri{{ end }}
+            {{- else }}
+            - name: MONGODB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ if .Values.mongodb.existingSecret }}{{ .Values.mongodb.existingSecret }}{{ else }}{{ include "logtide.fullname" . }}-mongodb{{ end }}
+                  key: {{ .Values.mongodb.existingSecretPasswordKey }}
+            {{- end }}
+            {{- end }}
           {{- if .Values.backend.livenessProbe.enabled }}
           livenessProbe:
             httpGet:

charts/logtide/templates/configmap.yaml

@@ -8,14 +8,16 @@ data:
   NODE_ENV: {{ .Values.config.nodeEnv | quote }}
   LOG_LEVEL: {{ .Values.config.logLevel | quote }}
 
-  # Rate Limiting
-  RATE_LIMIT_AUTH: {{ .Values.config.rateLimit.auth | quote }}
-  RATE_LIMIT_INGESTION: {{ .Values.config.rateLimit.ingestion | quote }}
+  # Storage engine
+  STORAGE_ENGINE: {{ .Values.config.storageEngine | quote }}
 
-  # Retention
-  RETENTION_LOGS_DAYS: {{ .Values.config.retention.logs | quote }}
-  RETENTION_ALERTS_DAYS: {{ .Values.config.retention.alerts | quote }}
-  RETENTION_INCIDENTS_DAYS: {{ .Values.config.retention.incidents | quote }}
+  # Proxy & URLs
+  TRUST_PROXY: {{ .Values.config.trustProxy | quote }}
+  {{- if .Values.config.frontendUrl }}
+  FRONTEND_URL: {{ .Values.config.frontendUrl | quote }}
+  {{- else if .Values.ingress.enabled }}
+  FRONTEND_URL: "https://{{ (index .Values.ingress.hosts 0).host }}"
+  {{- end }}
 
   # CORS
   {{- if .Values.config.corsOrigins }}
@@ -24,6 +26,24 @@ data:
   CORS_ORIGINS: "https://{{ (index .Values.ingress.hosts 0).host }}"
   {{- end }}
 
+  # Caching
+  CACHE_ENABLED: {{ .Values.config.cache.enabled | quote }}
+  CACHE_TTL: {{ .Values.config.cache.ttl | quote }}
+
+  # General rate limiting
+  RATE_LIMIT_MAX: {{ .Values.config.rateLimit.max | quote }}
+  RATE_LIMIT_WINDOW: {{ .Values.config.rateLimit.window | quote }}
+
+  # Auth rate limiting
+  AUTH_RATE_LIMIT_REGISTER: {{ .Values.config.authRateLimit.register | quote }}
+  AUTH_RATE_LIMIT_LOGIN: {{ .Values.config.authRateLimit.login | quote }}
+  AUTH_RATE_LIMIT_WINDOW: {{ .Values.config.authRateLimit.window | quote }}
+
+  # Retention
+  RETENTION_LOGS_DAYS: {{ .Values.config.retention.logs | quote }}
+  RETENTION_ALERTS_DAYS: {{ .Values.config.retention.alerts | quote }}
+  RETENTION_INCIDENTS_DAYS: {{ .Values.config.retention.incidents | quote }}
+
   # SMTP Configuration
   {{- if .Values.config.smtp.enabled }}
   SMTP_ENABLED: "true"
@@ -32,3 +52,24 @@ data:
   SMTP_SECURE: {{ .Values.config.smtp.secure | quote }}
   SMTP_FROM: {{ .Values.config.smtp.from | quote }}
   {{- end }}
+
+  # ClickHouse (when storageEngine: clickhouse)
+  {{- if eq .Values.config.storageEngine "clickhouse" }}
+  CLICKHOUSE_HOST: {{ .Values.clickhouse.host | quote }}
+  CLICKHOUSE_PORT: {{ .Values.clickhouse.port | quote }}
+  CLICKHOUSE_DATABASE: {{ .Values.clickhouse.database | quote }}
+  CLICKHOUSE_USERNAME: {{ .Values.clickhouse.username | quote }}
+  {{- end }}
+
+  # MongoDB (when storageEngine: mongodb)
+  {{- if eq .Values.config.storageEngine "mongodb" }}
+  {{- if not .Values.mongodb.uri }}
+  MONGODB_HOST: {{ .Values.mongodb.host | quote }}
+  MONGODB_PORT: {{ .Values.mongodb.port | quote }}
+  MONGODB_DATABASE: {{ .Values.mongodb.database | quote }}
+  MONGODB_USERNAME: {{ .Values.mongodb.username | quote }}
+  {{- if .Values.mongodb.authSource }}
+  MONGODB_AUTH_SOURCE: {{ .Values.mongodb.authSource | quote }}
+  {{- end }}
+  {{- end }}
+  {{- end }}

charts/logtide/templates/secrets.yaml

@@ -14,7 +14,12 @@ data:
   API_KEY_SECRET: {{ $apiKeySecret | b64enc | quote }}
   {{- if and .Values.config.smtp.enabled (not .Values.config.smtp.existingSecret) }}
   SMTP_USER: {{ .Values.config.smtp.user | b64enc | quote }}
-  SMTP_PASSWORD: {{ .Values.config.smtp.password | b64enc | quote }}
+  SMTP_PASS: {{ .Values.config.smtp.pass | b64enc | quote }}
+  {{- end }}
+  {{- if .Values.config.initialAdmin.email }}
+  INITIAL_ADMIN_EMAIL: {{ .Values.config.initialAdmin.email | b64enc | quote }}
+  INITIAL_ADMIN_PASSWORD: {{ .Values.config.initialAdmin.password | b64enc | quote }}
+  INITIAL_ADMIN_NAME: {{ .Values.config.initialAdmin.name | b64enc | quote }}
   {{- end }}
 ---
 {{- if .Values.timescaledb.enabled }}
@@ -68,3 +73,31 @@ type: Opaque
 data:
   password: {{ .Values.externalRedis.password | b64enc | quote }}
 {{- end }}
+---
+{{- if and (eq .Values.config.storageEngine "clickhouse") (not .Values.clickhouse.existingSecret) .Values.clickhouse.host }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "logtide.fullname" . }}-clickhouse
+  labels:
+    {{- include "logtide.labels" . | nindent 4 }}
+type: Opaque
+data:
+  password: {{ .Values.clickhouse.password | b64enc | quote }}
+{{- end }}
+---
+{{- if and (eq .Values.config.storageEngine "mongodb") (not .Values.mongodb.existingSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "logtide.fullname" . }}-mongodb
+  labels:
+    {{- include "logtide.labels" . | nindent 4 }}
+type: Opaque
+data:
+  {{- if .Values.mongodb.uri }}
+  uri: {{ .Values.mongodb.uri | b64enc | quote }}
+  {{- else }}
+  password: {{ .Values.mongodb.password | b64enc | quote }}
+  {{- end }}
+{{- end }}

charts/logtide/templates/worker-deployment.yaml

@@ -84,6 +84,28 @@ spec:
             - name: REDIS_URL
               value: "redis://$(REDIS_HOST):$(REDIS_PORT)"
             {{- end }}
+            {{- if eq .Values.config.storageEngine "clickhouse" }}
+            - name: CLICKHOUSE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ if .Values.clickhouse.existingSecret }}{{ .Values.clickhouse.existingSecret }}{{ else }}{{ include "logtide.fullname" . }}-clickhouse{{ end }}
+                  key: {{ .Values.clickhouse.existingSecretPasswordKey }}
+            {{- end }}
+            {{- if eq .Values.config.storageEngine "mongodb" }}
+            {{- if .Values.mongodb.uri }}
+            - name: MONGODB_URI
+              valueFrom:
+                secretKeyRef:
+                  name: {{ if .Values.mongodb.existingSecret }}{{ .Values.mongodb.existingSecret }}{{ else }}{{ include "logtide.fullname" . }}-mongodb{{ end }}
+                  key: {{ if .Values.mongodb.existingSecret }}{{ .Values.mongodb.existingSecretPasswordKey }}{{ else }}uri{{ end }}
+            {{- else }}
+            - name: MONGODB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ if .Values.mongodb.existingSecret }}{{ .Values.mongodb.existingSecret }}{{ else }}{{ include "logtide.fullname" . }}-mongodb{{ end }}
+                  key: {{ .Values.mongodb.existingSecretPasswordKey }}
+            {{- end }}
+            {{- end }}
           resources:
             {{- toYaml .Values.worker.resources | nindent 12 }}
       {{- with .Values.worker.nodeSelector }}

charts/logtide/values.yaml

@@ -188,7 +188,7 @@ ingress:
     #     - logtide.example.com
 
 # =============================================================================
-# TIMESCALEDB CONFIGURATION
+# TIMESCALEDB CONFIGURATION (embedded - used when storageEngine: timescale)
 # =============================================================================
 timescaledb:
   # Use embedded TimescaleDB StatefulSet
@@ -232,7 +232,7 @@ timescaledb:
   tolerations: []
   affinity: {}
 
-# External database (if timescaledb.enabled: false)
+# External PostgreSQL/TimescaleDB (if timescaledb.enabled: false)
 externalDatabase:
   host: ""
   port: 5432
@@ -243,6 +243,38 @@ externalDatabase:
   existingSecret: ""
   existingSecretPasswordKey: "password"
 
+# =============================================================================
+# CLICKHOUSE CONFIGURATION (used when storageEngine: clickhouse)
+# =============================================================================
+clickhouse:
+  # Connection to an external ClickHouse instance
+  host: ""
+  port: 8123
+  database: logtide
+  username: default
+  password: ""
+  # Use existing secret for the password
+  existingSecret: ""
+  existingSecretPasswordKey: "password"
+
+# =============================================================================
+# MONGODB CONFIGURATION (used when storageEngine: mongodb)
+# =============================================================================
+mongodb:
+  # Option 1: full connection URI (takes precedence over individual settings)
+  # e.g. "mongodb://user:pass@host:27017/logtide?authSource=admin"
+  uri: ""
+  # Option 2: individual connection settings
+  host: ""
+  port: 27017
+  database: logtide
+  username: ""
+  password: ""
+  authSource: ""
+  # Use existing secret for uri or password
+  existingSecret: ""
+  existingSecretPasswordKey: "password"
+
 # =============================================================================
 # REDIS CONFIGURATION
 # =============================================================================
@@ -295,6 +327,20 @@ config:
   # Log level (debug, info, warn, error)
   logLevel: info
 
+  # Storage engine: timescale | clickhouse | mongodb
+  # - timescale: uses the embedded or external TimescaleDB (default)
+  # - clickhouse: uses external ClickHouse (configure clickhouse section)
+  # - mongodb: uses external MongoDB (configure mongodb section)
+  storageEngine: timescale
+
+  # Trust reverse proxy headers (X-Forwarded-For, X-Forwarded-Proto)
+  # Set to true when running behind nginx/traefik ingress
+  trustProxy: true
+
+  # Frontend URL for OIDC redirects
+  # Defaults to https://{ingress-host} when ingress is enabled
+  frontendUrl: ""
+
   # JWT secret for authentication (auto-generated if empty)
   jwtSecret: ""
 
@@ -305,13 +351,24 @@ config:
   # Used to encrypt API keys at rest. Must be at least 32 characters.
   apiKeySecret: ""
 
-  # CORS origins (comma-separated)
+  # CORS origins (comma-separated). Defaults to ingress host when enabled.
   corsOrigins: ""
 
-  # Rate limiting
+  # Response caching
+  cache:
+    enabled: true
+    ttl: 60  # seconds
+
+  # General rate limiting
   rateLimit:
-    auth: 10  # requests per 15 minutes
-    ingestion: 200  # requests per minute
+    max: 1000       # requests per window
+    window: 60000   # window in ms (1 minute)
+
+  # Auth-specific rate limiting
+  authRateLimit:
+    register: 10       # registrations per window
+    login: 20          # login attempts per window
+    window: 900000     # window in ms (15 minutes)
 
   # Retention policy (days)
   retention:
@@ -326,11 +383,17 @@ config:
     port: 587
     secure: false
     user: ""
-    password: ""
+    pass: ""
     from: "noreply@logtide.dev"
     # Use existing secret for SMTP credentials
     existingSecret: ""
 
+  # Initial admin user (created on first deployment if no users exist)
+  initialAdmin:
+    email: ""
+    password: ""
+    name: ""
+
 # =============================================================================
 # MONITORING & OBSERVABILITY
 # =============================================================================