- Altinity ClickHouse Operator: Enterprise-grade ClickHouse management for Kubernetes.
- ClickHouse Keeper: Distributed coordination service (replaces ZooKeeper).
- ClickHouse Cluster: High-availability database cluster for trace storage.
- S3-compatible storage: Object storage for ClickHouse data persistence.
Important setup notes
The configuration examples in this guide are for reference only. Because each organization’s Kubernetes environment is unique, your self-hosted instance likely requires you to adjust:- Security and compliance: Security contexts,
runAsUserorfsGroupvalues, and other security settings according to your organization’s security policies and Kubernetes or OpenShift requirements. - Resource sizing: The resource allocations shown are starting points. Consult with your W&B Solutions Architect team for proper sizing based on your expected trace volume and performance requirements.
- Infrastructure specifics: Update storage classes, node selectors, and other infrastructure-specific settings to match your environment.
Architecture
The following diagram shows how the W&B Platform, the ClickHouse cluster, the ClickHouse Keeper coordination service, and S3 storage fit together in a self-managed Weave deployment.Prerequisites
Before you begin, ensure your environment meets the following requirements. Self-managed Weave instances require the following resources:- Kubernetes cluster: Version 1.29 or later.
- Kubernetes nodes: Multi-node cluster (minimum 3 nodes recommended for high availability).
- Storage class: A working StorageClass for persistent volumes (for example,
gp3,standard, ornfs-csi). - S3 bucket: Pre-configured S3 or S3-compatible bucket with appropriate access permissions.
- W&B Platform: Already installed and running. See the W&B Self-Managed Deployment Guide.
- W&B license: Weave-enabled license from W&B Support.
Required tools
To set up your instance, you need the following tools:kubectlconfigured with cluster access.helmversion 3.0 or later.- AWS credentials (if using S3) or access to S3-compatible storage.
Network requirements
Your Kubernetes cluster requires the following network setup:- Pods in the
clickhousenamespace must communicate with pods in thewandbnamespace. - ClickHouse nodes must communicate with each other on ports
8123,9000,9009, and2181.
Deploy your self-managed Weave instance
The following steps walk you through deploying the operator, preparing storage, deploying ClickHouse Keeper and the ClickHouse cluster, and enabling Weave in the W&B Platform. Complete the steps in order, since each one builds on the resources created in the previous step.Deploy the Altinity ClickHouse Operator
The Altinity ClickHouse Operator manages ClickHouse installations in Kubernetes. Installing the operator first lets the later steps declare ClickHouse Keeper and ClickHouse cluster resources that the operator reconciles for you.Add the Altinity Helm repository
Create the operator configuration
Create a file namedch-operator.yaml. This file defines the security context and metadata for the operator deployment:
containerSecurityContext values shown here work for most Kubernetes distributions. For OpenShift, you may need to adjust runAsUser and fsGroup to match your project’s assigned UID range.
Install the operator
Verify the operator installation
Prepare S3 storage
ClickHouse requires S3 or S3-compatible storage for data persistence. In this step you create the bucket and configure how ClickHouse authenticates to it.Create an S3 bucket
Create an S3 bucket in your AWS account or S3-compatible storage provider. Replace[BUCKET-NAME] with your bucket name and [REGION] with your AWS region:
Configure S3 credentials
ClickHouse requires credentials to read from and write to the bucket. You have two options for providing S3 access credentials. W&B recommends Option A (IRSA) on AWS because it avoids storing long-lived secrets in the cluster.Option A: Use AWS IAM roles (IRSA, recommended for AWS)
If your Kubernetes nodes have an IAM role with S3 access, ClickHouse can use the EC2 instance metadata:Option B: Use access keys
If you prefer using static credentials, create a Kubernetes secret: Replace[ACCESS-KEY] with your AWS access key and [SECRET-KEY] with your AWS secret key:
Deploy ClickHouse Keeper
ClickHouse Keeper provides the coordination system for data replication and distributed DDL queries execution. You must deploy Keeper before the ClickHouse cluster, since the ClickHouse servers in Step 4 connect to Keeper at startup.Create the Keeper configuration
Create a file namedch-keeper.yaml. This manifest defines a three-replica Keeper cluster with anti-affinity, persistent storage, and the settings used by the Altinity operator to provision Keeper pods:
- StorageClass: Update
storageClassName: gp3to match your cluster’s available StorageClass. - Security context: Adjust
runAsUserandfsGroupvalues to comply with your organization’s security policies. - Anti-affinity: Customize or remove the
affinitysection based on your cluster topology and HA requirements. - Resources: The CPU and memory values are examples. Consult with W&B Solutions Architects for proper sizing.
- Naming: If you change
metadata.nameorconfiguration.clusters[0].name, you must update the Keeper hostnames inch-server.yaml(Step 4) to match.
Deploy ClickHouse Keeper resources
Verify the Keeper deployment
Deploy the ClickHouse cluster
Now deploy the ClickHouse server cluster that stores Weave trace data. This is the largest step in the guide, since the cluster connects to both the Keeper service from Step 3 and the S3 bucket from Step 2.Create the ClickHouse server configuration
Create a file namedch-server.yaml. This manifest declares the ClickHouse cluster, its connection to Keeper, the Weave user account, and the S3 storage policy used for trace data:
- StorageClass: Update
storageClassName: gp3to match your cluster’s StorageClass. - S3 endpoint: Replace
[BUCKET-NAME]and[REGION]with your actual values. - Cache size: The
<max_size>40Gi</max_size>must be smaller than the persistent volume size (50Gi). - Security context: Adjust
runAsUser,fsGroup, and other security settings to match your organization’s policies. - Resource allocation: The CPU and memory values are examples. Consult with your W&B Solutions Architect for proper sizing based on your expected trace volume.
- Anti-affinity rules: Customize or remove based on your cluster topology and high-availability needs.
- Keeper hostnames: The Keeper node hostnames must match your Keeper deployment naming from Step 3 (see “Keeper naming”).
- Cluster naming: The cluster name
weaveclustercan be changed, but it must match theWF_CLICKHOUSE_REPLICATED_CLUSTERvalue in Step 5. - Credentials:
- For IRSA: Keep
<use_environment_credentials>true</use_environment_credentials>or access your secret keys mapped to environment variables.
- For IRSA: Keep
Update the S3 configuration
Edit thestorage_configuration.xml section in ch-server.yaml.
Example for AWS S3:
Configure credentials (Option B only)
If using Option B (access keys) from Step 2, ensure theenv section in ch-server.yaml references the secret:
env section.
Keeper naming
Getting the Keeper hostnames right is critical. If they don’t match the services created in Step 3, ClickHouse won’t start. The Keeper node hostnames in thezookeeper.nodes section follow a specific pattern based on your Keeper deployment from Step 3.
Hostname pattern: chk-[INSTALLATION-NAME]-[CLUSTER-NAME]-[CLUSTER-INDEX]-[REPLICA-INDEX].[NAMESPACE].svc.cluster.local
Where:
chkis the ClickHouseKeeperInstallation prefix (fixed).[INSTALLATION-NAME]is themetadata.namefromch-keeper.yaml(for example,wandb).[CLUSTER-NAME]is theconfiguration.clusters[0].namefromch-keeper.yaml(for example,keeper).[CLUSTER-INDEX]is the cluster index, typically0for a single cluster.[REPLICA-INDEX]is the replica number:0,1, or2for 3 replicas.[NAMESPACE]is the Kubernetes namespace (for example,clickhouse).
metadata.name: myweave):
clusters[0].name: coordination):
The Keeper hostnames in
ch-server.yaml must exactly match the actual service names created by the Keeper deployment, or ClickHouse servers fail to connect to the coordination service.Deploy the ClickHouse cluster resources
Verify the ClickHouse deployment
Enable Weave in the W&B Platform
Now configure the W&B Platform to use the ClickHouse cluster for Weave traces. This step informs the W&B operator where to find your externally managed ClickHouse and turns on theweave-trace service.
Gather ClickHouse connection information
You’ll need:- Host:
clickhouse-wandb.clickhouse.svc.cluster.local - Port:
8123 - User:
weave(as configured inch-server.yaml) - Password: The password you set in
ch-server.yaml - Database:
weave(created automatically) - Cluster name:
weavecluster(as configured inch-server.yaml)
clickhouse-[INSTALLATION-NAME].[NAMESPACE].svc.cluster.local
Update the W&B Custom Resource
Edit your W&B Platform Custom Resource (CR) to add Weave configuration:clickhouse.replicated: true: Required when using 3 replicas.WF_CLICKHOUSE_REPLICATED: "true": Required for replicated setup.WF_CLICKHOUSE_REPLICATED_CLUSTER: "weavecluster": Must match the cluster name inch-server.yaml.
The security contexts, resource allocations, and other Kubernetes-specific configurations shown here are reference examples. Customize them according to your organization’s requirements and consult with your W&B Solutions Architect team for proper resource sizing.
Apply the updated configuration
Verify the Weave Trace deployment
Initialize the Weave database
The weave-trace service automatically creates the required database schema on first startup. In this step you confirm that the migration completed successfully before exposing Weave to end users.Monitor the database migration
Verify database creation
Verify that Weave is enabled
This final step confirms that Weave is licensed, reachable from the W&B Console, and able to record traces from a client SDK.Access the W&B Console
Navigate to your W&B instance URL in a web browser.Check the Weave license status
In the W&B Console:- Go to Top Right Menu > Organization Dashboard.
- Verify that Weave access is enabled.
Test Weave functionality
Create a Python test to verify that Weave is working:Troubleshooting
The following sections describe common deployment problems and how to resolve them, grouped by the component where the symptom first appears.ClickHouse Keeper issues
Problem: Keeper pods stuck inPending state
Solution: Check multiple possible causes:
- PVC and StorageClass issues:
- Anti-affinity and node availability:
- Anti-affinity requires 3 separate nodes, but the cluster has fewer nodes.
- Nodes don’t have sufficient CPU or memory to meet pod requests.
- Node taints prevent pod scheduling.
- Remove or adjust anti-affinity rules if you have fewer than 3 nodes.
- Use
preferredDuringSchedulingIgnoredDuringExecutioninstead ofrequiredDuringSchedulingIgnoredDuringExecutionfor softer anti-affinity. - Reduce resource requests if nodes are constrained.
- Add more nodes to your cluster.
Problem: Keeper pods in
CrashLoopBackOff
Solution: Check logs and verify configuration:
- Incorrect security context (check
runAsUserandfsGroup). - Volume permission issues.
- Port conflicts.
- Configuration errors in
ch-keeper.yaml.
ClickHouse server issues
Problem: ClickHouse can’t connect to S3 Solution: Verify S3 credentials and permissions:Problem: ClickHouse can’t connect to Keeper Solution: Verify Keeper endpoints and naming:
ch-server.yaml likely don’t match your actual Keeper deployment. See “Keeper naming” in Step 4 for the naming pattern.
Weave Trace issues
Problem:weave-trace pod fails to start
Solution: Check ClickHouse connectivity:
Problem: Weave not showing as enabled in Console Solution: Verify configuration:
-
Check license includes Weave:
-
Ensure that
weave-trace.enabled: trueandclickhouse.replicated: trueare set inwandb-cr.yaml. -
Check W&B operator logs:
Problem: Database migration fails Solution: Check cluster name matches: The
WF_CLICKHOUSE_REPLICATED_CLUSTER environment variable must match the cluster name in ch-server.yaml:
Resource requirements
This section provides example resource allocations for two common deployment profiles. Use them as starting points when planning your cluster, and refine the numbers based on your observed workload.Minimum production setup
Suitable for development, testing, or low-volume production environments.
Recommended production setup
For production workloads with high trace volume:
Suitable for high-volume production environments.
For ultra-high volume deployments, contact your W&B Solutions Architect team for custom sizing recommendations based on your specific trace volume and performance requirements.
Advanced configuration
This section covers customization options for self-managed Weave deployments, including scaling ClickHouse capacity through vertical scaling or horizontal scaling, updating ClickHouse versions by modifying image tags in both keeper and server configurations, and monitoring ClickHouse health. W&B recommends consulting with your W&B Solutions Architect team when making advanced changes to your instance to ensure that they align with your performance and reliability requirements.Scale ClickHouse
To increase ClickHouse capacity, you can:-
Vertical scaling: Increase resources per pod (straightforward approach).
Recommendation: monitor actual resource usage and scale accordingly. For ultra-high volume deployments, contact your W&B Solutions Architect team.
-
Horizontal scaling: Add more replicas (requires careful planning).
- Increasing replicas requires data rebalancing.
- Consult ClickHouse’s documentation for shard management.
- Contact a W&B Solutions Architect before implementing horizontal scaling in production.
Use a different ClickHouse version
To use a different ClickHouse version, update the image tag in bothch-keeper.yaml and ch-server.yaml:
Monitor ClickHouse
Access ClickHouse system tables for monitoring:Backup and recovery
ClickHouse stores data in S3, providing inherent backup capabilities through S3 versioning and bucket replication features. For backup strategies specific to your deployment, consult with your W&B Solutions Architect team and refer to the ClickHouse backup documentation.Security considerations
Production deployments should harden the defaults shown in this guide. The following list highlights the most important areas to review with your security team.- Credentials: Store ClickHouse passwords in Kubernetes secrets, not plain text.
- Network policies: Consider implementing NetworkPolicies to restrict ClickHouse access.
- RBAC: Ensure service accounts have minimal required permissions.
- S3 bucket: Enable encryption at rest and restrict bucket access to necessary IAM roles.
- TLS: Optional. For production, enable TLS for ClickHouse client connections.
Upgrade
The following procedures cover routine upgrades for the operator, ClickHouse server, and Weave Trace components. Upgrade one component at a time and confirm that the deployment is healthy before moving on.Self-Managed deployments that use ClickHouse for both Weave and Models OLAP features must satisfy version requirements for both products. Models OLAP features and Weave can have different ClickHouse version requirements.See ClickHouse compatibility for upgrades and Supported W&B Server releases before upgrading ClickHouse or W&B Server. Upgrade ClickHouse Server and ClickHouse Keeper together.
Upgrade the ClickHouse Operator
Upgrade ClickHouse Server
Update the image version in bothch-keeper.yaml and ch-server.yaml, then apply the server manifest:
Upgrade Weave Trace
Update the image tag inwandb-cr.yaml and apply:
Additional resources
- Configure ingest sampling: Keep only a share of incoming traces to control storage and LLM scoring costs at high trace volume.
- Altinity ClickHouse Operator Documentation
- ClickHouse Documentation
- W&B Weave Documentation
- ClickHouse S3 Storage Configuration
Support
For production deployments or issues:- W&B Support:
support@wandb.com - Solutions Architects: For ultra-high volume deployments, custom sizing, and deployment planning.
- Include in support requests:
- Logs from
weave-trace, ClickHouse pods, and the operator. - W&B version, ClickHouse version, and Kubernetes version.
- Cluster information and trace volume.
- Logs from
FAQ
Q: Can I use a single ClickHouse replica instead of 3? A: Yes, but it’s not recommended for production. UpdatereplicasCount: 1 in ch-server.yaml and set clickhouse.replicated: false in wandb-cr.yaml.
Q: Can I use another database instead of ClickHouse?
A: No, Weave Trace requires ClickHouse for its high-performance columnar storage capabilities.
Q: How much S3 storage do I need?
A: S3 storage requirements depend on your trace volume, retention period, and data compression. Monitor your actual usage after deployment and adjust accordingly. ClickHouse’s columnar format compresses trace data efficiently.
Q: Do I need to configure the database name in ClickHouse?
A: No, the weave-trace service creates the weave database automatically during initial startup.
Q: What if my cluster name is not weavecluster?
A: You must set the WF_CLICKHOUSE_REPLICATED_CLUSTER environment variable to match your cluster name, otherwise database migrations fail.
Q: Should I use the exact security contexts shown in the examples?
A: No. The security contexts such as runAsUser and fsGroup provided in this guide are reference examples. You must adjust them to comply with your organization’s security policies, especially for OpenShift clusters, which have specific UID and GID range requirements.
Q: How do I know if I’ve sized my ClickHouse cluster correctly?
A: Contact your W&B Solutions Architect team with your expected trace volume and usage patterns. They provide sizing recommendations. Monitor your deployment’s resource usage and adjust as needed.
Q: Can I customize the naming conventions used in the examples?
A: Yes, but you must maintain consistency across all components:
- ClickHouse Keeper names: Must match the Keeper node hostnames in the
zookeeper.nodessection ofch-server.yaml. - ClickHouse cluster name (
weavecluster): Must matchWF_CLICKHOUSE_REPLICATED_CLUSTERinwandb-cr.yaml. - ClickHouse installation name: Affects the service hostname used by
weave-trace.