Fix the generated password not being idempotent in the ClickHouse pro…

…visioner (#6271)

* Fix the generated password not being idempotent in the ClickHouse provisioner

* Fix test

* Comment typo

admin/provisioner/clickhousestatic/provisioner.go

@@ -102,12 +102,20 @@ func (p *Provisioner) Provision(ctx context.Context, r *provisioner.Resource, op
 		return nil, fmt.Errorf("failed to create clickhouse database: %w", err)
 	}
 
-	// Idempotently create the user
+	// Idempotently create the user.
 	_, err = p.ch.ExecContext(ctx, fmt.Sprintf("CREATE USER IF NOT EXISTS %s IDENTIFIED WITH sha256_password BY ? DEFAULT DATABASE %s GRANTEES NONE", user, dbName), password)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create clickhouse user: %w", err)
 	}
 
+	// When creating the user, the password assignment is not idempotent (if there are two concurrent invocations, we don't know which password was used).
+	// By adding the password separately, we ensure all passwords will work.
+	// NOTE: Requires ClickHouse 24.9 or later.
+	_, err = p.ch.ExecContext(ctx, fmt.Sprintf("ALTER USER %s ADD IDENTIFIED WITH sha256_password BY ?", user), password)
+	if err != nil {
+		return nil, fmt.Errorf("failed to add password for clickhouse user: %w", err)
+	}
+
 	// Grant privileges on the database to the user
 	_, err = p.ch.ExecContext(ctx, fmt.Sprintf(`
 		GRANT

admin/provisioner/clickhousestatic/provisioner_test.go

@@ -17,11 +17,11 @@ import (
 	"go.uber.org/zap"
 )
 
-func Test(t *testing.T) {
+func TestClickHouseStatic(t *testing.T) {
 	// Create a test ClickHouse cluster
 	container, err := testcontainersclickhouse.Run(
 		context.Background(),
-		"clickhouse/clickhouse-server:24.6.2.17",
+		"clickhouse/clickhouse-server:24.11.1.2557",
 		// Add a user config file that enables access management for the "default" user
 		testcontainers.CustomizeRequestOption(func(req *testcontainers.GenericContainerRequest) error {
 			req.Files = append(req.Files, testcontainers.ContainerFile{