Add pgadmin

mebezac · mebezac · commit 2015932568cc · 2026-01-02T10:11:20.000-05:00
diff --git a/kubernetes/apps/database/pgadmin/kustomization.yaml b/kubernetes/apps/database/pgadmin/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+generators:
+  - secret-generator.yaml
diff --git a/kubernetes/apps/database/pgadmin/pgadmin-secret.sops.yaml b/kubernetes/apps/database/pgadmin/pgadmin-secret.sops.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: pgadmin-secret
+  namespace: database
+stringData:
+  PGADMIN_DEFAULT_EMAIL: ENC[AES256_GCM,data:1hRFoPItcCAv+qa77fDbC+P7Vw==,iv:QHiUN3i0ZeW5QQ9XRYmhFY+qLjYtKObjCVi+Y5UcOX8=,tag:4EhKxSTMTrgIjDvD0jSvAA==,type:str]
+  PGADMIN_DEFAULT_PASSWORD: ENC[AES256_GCM,data:kRCOLc7K3hjYKAN2g6w4VR3ORRabNyU=,iv:uaScuIrNl9rIDzshayREreQeLmGJIXto2bMIbhhvFYw=,tag:ondOHMXb9KTVWMart6L6mA==,type:str]
+  config_local.py: ENC[AES256_GCM,data:WxVz/RakiN/JZZ6Z5JkbmarsrhJpx+eocGoV0b6rrgy/f29aJ5FjD/jOmleWuvHazFGFs5CahuEPU52KY6srnYKGpb5V3PosNV0yLcK8MPwuDRoGVSNu8iuy9DrdbLEEGwOjTbeCQBz05qmAg6VYq3CtdW8+Gl3HPU/8/+0GZa767qiGzJAdxVOJbmrxNLxEUJ20QmiWPzMz1Ad4Z4YbazBz0o+xnUEG4ANmDCwJgdMKk+KkoiW8sao6P3WhC/WlooiBipzgI+FcM1uhopMjRxDL5cPpQRehntjHlJdvZUDS/2+DHZ3FIAhGwxNO3GGbj+zHWuIhkrXLhbtt16NMbu5znpBAHUG8eba9U05/ooYgAcemOXQ781d855PRAVTc3RFj4j5nDdx1GbI+aZjA50zcPmZ76V06IHCM7rBfvZYzNhdi1eMMDzJH2ssssXHgb9DHE8QsCvSQnYyXbqzNlfz3FQc7u+m4OJU2JmNnRwdsvM2VH+gcXva6DC5N/tGT/95Pssh0OBd+vm0m5IS4308MESYgAgfFSn14Trc/IShEvvJue1zb11YFo1M45uu2k8fsrDH15DoVp+JYxeiC9ehHKO5WvyZRkGr5uksgf5yz1NN005sCO6yUHxeveVzQJ6yey4VGsZsXRsrYDCBBPtYDrq5gWKDNK20HwAURoa43FT7B5Fxkk01/hChZ3BR+NbexgkAWWPs3iQ7JXhM/wePOnbLuBRJXlkzDQ8CtYn/cCi+tkCi/5OxAdwrGaLI/rdl6ghYPsvSi+JD1U+v+dVZyyzdsLIyhH1USYpkuSCIkaZDEbW1EJTnfEfreiD3LlSygV+2IsP7n2QZfAXKE74hVcB7rX2pgGxk8PAUUEn0LEQtN+fuFhogIs8Eo/83b7+dBjsFhlKV+/P/TPxgVc6VSvRcCrFu4GGP+TyFaZCPw9yp2TZ4fEhIyh1nHW9RVQMn6SOGLm7fQDUGQLLnW4CQgv34DiuIKyWdPBl/dDq3eOjfumysSTxl9xlu1hN9gqeeomYV+RstB14sD1NuLUWdjC9tNcX7rOfOzNgLR6B/CWoemwE/KejdrTnzoy+bYvULgZBc9rv9GmqmT2h2qSK2Vp6nNi5cLO+oihxd77I1WxL+RwIn6DetSwubWINlgWs6ATlMOyD5cX1WdEHwJeckTGOgd2FfgYot2Z+/URA63i83P0uvj/+ISQnTSRxYftHOvO/jP7vyiUI+eF03WSJKOj9+93NKJ/lziPcU8o6TgDJvb+a8=,iv:d2EDblO98u0wMozTteeIMwyjAr5F1qHzgS/dp2WOxe8=,tag:Hoz4Qvv6sI4c2I++AF8keA==,type:str]
+sops:
+  age:
+    - recipient: age1j7x3jkw82w02taqj8dmqplae07fxcrup2enejnta9z2v82fzsakqd4ka6p
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdXFzNnc3dGprZ3VVc2Zr
+        S2NVS29mbEJlRDl0WGUrb3FweTYxamRJcERFCkdNakxIcWVIZHZ1MXFJSWVzVDJ1
+        WEhGUUFlbCtycGxTYjBDdjI0RWtWdHMKLS0tIFZIK00xZTB3OGp3STUzY3VXTFhZ
+        Q2h5TjYxQWN6a2pOWFdFNjJkMzhGNWcKTWsGZI2BDkde2mWkcNyc+jhVdldLSYXs
+        4xakfj73KLpiIZ5DE7zP/9gEtH4MkuuM5uIXld/lKZXbT4gX1CDejg==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2026-01-02T14:56:59Z"
+  mac: ENC[AES256_GCM,data:X/E660CfHiUwEITrF/m1emOlBevc1XdEsI6i07xRPeeFnQivoXQN6nIbHJy5Cy0sfRW4DD+fw+tU+zoV9kBEa+70k8CpGjLlDAU8Gvz3wBDQ/uJluEpr34dtH/B4Hs8kdJF8hlBLP/LyF+9GYkGxy2GuT71IAFh/uDrrnt4Bi70=,iv:fl5ORGRFVPeu4dVlK17X/xtLVObZP7vMQ+7b4NbwB0I=,tag:+ht0qfhpwPOaCSqa/yKY2A==,type:str]
+  encrypted_regex: ^(data|stringData)$
+  mac_only_encrypted: true
+  version: 3.11.0
diff --git a/kubernetes/apps/database/pgadmin/secret-generator.yaml b/kubernetes/apps/database/pgadmin/secret-generator.yaml
@@ -0,0 +1,10 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: pgadmin-secret-generator
+  annotations:
+    config.kubernetes.io/function: |
+      exec:
+        path: ksops
+files:
+  - ./pgadmin-secret.sops.yaml
diff --git a/kubernetes/apps/database/pgadmin/values.yaml b/kubernetes/apps/database/pgadmin/values.yaml
@@ -0,0 +1,75 @@
+defaultPodOptions:
+  securityContext:
+    runAsNonRoot: true
+    runAsUser: 3000
+    runAsGroup: 3000
+    fsGroup: 3000
+    fsGroupChangePolicy: OnRootMismatch
+
+controllers:
+  pgadmin:
+    annotations:
+      reloader.stakater.com/auto: "true"
+    containers:
+      app:
+        image:
+          repository: docker.io/dpage/pgadmin4
+          tag: "9.11@sha256:50700ac17936d0227f9e3e4bb086a91efb67064debc4b4737c35545bf1564088"
+        env:
+          GUNICORN_LIMIT_REQUEST_LINE: "0"
+          GUNICORN_LIMIT_REQUEST_FIELD_SIZE: "0"
+          PGADMIN_CUSTOM_CONFIG_DISTRO_FILE: /tmp/config_distro.py
+          PGADMIN_DISABLE_POSTFIX: "true"
+        envFrom:
+          - secretRef:
+              name: pgadmin-secret
+        resources:
+          requests:
+            cpu: 50m
+            memory: 100Mi
+          limits:
+            memory: 500Mi
+
+service:
+  app:
+    controller: pgadmin
+    ports:
+      http:
+        port: 80
+
+ingress:
+  app:
+    className: internal
+    hosts:
+      - host: pgadmin.laboratory.casa
+        paths:
+          - path: /
+            service:
+              identifier: app
+              port: http
+
+persistence:
+  config:
+    type: persistentVolumeClaim
+    storageClass: longhorn
+    accessMode: ReadWriteOnce
+    size: 512Mi
+    globalMounts:
+      - path: /var/lib/pgadmin
+  oauth:
+    enabled: true
+    type: secret
+    name: pgadmin-secret
+    advancedMounts:
+      pgadmin:
+        app:
+          - path: /pgadmin4/config_local.py
+            subPath: config_local.py
+  empty:
+    type: emptyDir
+    sizeLimit: 100Mi
+    globalMounts:
+      - path: /tmp
+        subPath: tmp
+      - path: /var/log
+        subPath: log
diff --git a/kubernetes/apps/security/authelia/authelia-config.yaml b/kubernetes/apps/security/authelia/authelia-config.yaml
@@ -217,6 +217,27 @@ identity_providers:
         token_endpoint_auth_method: none
         access_token_signed_response_alg: "none"
         userinfo_signed_response_alg: "none"
+        # pgAdmin
+      - client_id: "180j8UKBM3CEMYV~0sQFlbvG-HlZX1SagNIIBf5Gk~9UtCadBzRAj32_QQdP2WkJWW3ek1AW"
+        client_name: "pgAdmin"
+        client_secret: "$pbkdf2-sha512$310000$mW.OvQaOY78b4afaoGtyMA$ROU1LSObbw48vu.EE2SuN/iqnK5abuTf0FYpSnXiSGobwbzFpXjLIIdyfswhpuOyUXLYonCFfXpbZzHE/VkCHA"
+        public: false
+        authorization_policy: "one_factor"
+        require_pkce: true
+        pkce_challenge_method: "S256"
+        redirect_uris:
+          - "https://pgadmin.laboratory.casa/oauth2/authorize"
+        scopes:
+          - "openid"
+          - "profile"
+          - "email"
+        response_types:
+          - "code"
+        grant_types:
+          - "authorization_code"
+        access_token_signed_response_alg: "none"
+        userinfo_signed_response_alg: "none"
+        token_endpoint_auth_method: "client_secret_basic"
       # Romm
       - client_id: ".VBSb-hcpa9r3odp1o~1VreQRYpwUWpb1Dzw5dDkEcr08duvBx2TZ6tAIO-gFJ92q2rPZ-Y8"
         client_name: "Romm"
diff --git a/kubernetes/argo/apps/database/pgadmin.yaml b/kubernetes/argo/apps/database/pgadmin.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: pgadmin
+  namespace: argo-system
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"
+spec:
+  project: kubernetes
+  sources:
+    - repoURL: https://github.com/mebezac/home-cluster.git
+      path: kubernetes/apps/database/pgadmin
+      targetRevision: main
+      ref: pgadmin-repo
+    - repoURL: ghcr.io/bjw-s-labs/helm
+      chart: app-template
+      targetRevision: 4.5.0
+      helm:
+        releaseName: pgadmin
+        valueFiles:
+          - $pgadmin-repo/kubernetes/apps/database/pgadmin/values.yaml
+  destination:
+    name: in-cluster
+    namespace: database
+  syncPolicy:
+    automated:
+      allowEmpty: true
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
