User Management

In order to log into and use your pgAdmin, you need user credentials. Crunchy Postgres for Kubernetes (CPK) provides a way to manage internal pgAdmin users through the PGAdmin API.

Defining Users

Users are defined in the users field in the PGAdmin custom resource. Below is an example of a PGAdmin manifest with a single user in place:

apiVersion: postgres-operator.crunchydata.com/v1beta1
kind: PGAdmin
metadata:
  name: rhino
spec:
  dataVolumeClaimSpec:
    accessModes:
    - "ReadWriteOnce"
    resources:
      requests:
        storage: 1Gi
  serverGroups:
  - name: supply
    postgresClusterSelector: {}
  users:
  - username: user@example.com
    role: User
    passwordRef:
      name: user-password-secret
      key: password
Copy

User Properties

When defining a user, there are three properties that you can set:

• username (required) - The username for the user. The username for these internal users must be in email format.
• role (optional) - The role that you want to give this user. The options are Administrator and User. If left unset, the role will default to User.
• passwordRef (required) - A reference to a Kubernetes Secret and key that hold the password for this user.
  • name (required) - The name of the Secret.
  • key (required) - The key inside the Secret that holds the password.

Given the sensitive nature of passwords, we require that the passwords be stored in Secrets and then obtained by referencing those Secrets in the user spec. Given that the passwordRef references not only the name of the Secret, but also the key that holds a particular password, you can choose to have a separate Secret for each user or you can store multiple passwords in one Secret.

Example

Let's say you wanted to add two users, where one has admin privileges and the other does not, and you want to store both passwords in one Secret. You would start by creating the Secret:

kubectl create secret generic pgadmin-password-secret \
  -n postgres-operator \
  --from-literal=hippo-password=$HIPPO_USER_PASSWORD
  --from-literal=elephant-password=$ELEPHANT_USER_PASSWORD
Copy

This creates a Secret called pgadmin-password-secret in the postgres-operator namespace, with two keys: hippo-password and elephant-password.

You would then update the users field in your PGAdmin manifest to create these two users and reference the Secret you just created to set the users' passwords.

spec:
  users:
  - username: hippo@example.com
    role: Administrator
    passwordRef:
      name: pgadmin-password-secret
      key: hippo-password
  - username: elephant@example.com
    passwordRef:
      name: pgadmin-password-secret
      key: elephant-password
Copy

Notice that the role setting was omitted for the elephant@example.com user and will therefore default to a User role.

If you change the password stored in your Secret, the operator will automatically update the password in pgAdmin. You can also change the passwordRef to point to a different Secret or key. Likewise, you can change a user's role and it will be updated in pgAdmin.

Retrieving and editing passwords

If you've forgotten a password, you can either retrieve it from the Secret or change the password altogether. Let's start by retrieving a password.

Following the example in the previous section, let's say we want to retrieve the password for the hippo@example.com user. We can do this with the following command:

kubectl get secret/pgadmin-password-secret -n postgres-operator -o 'go-template={{index .data "hippo-password"}}' | base64 -d
Copy

If we instead wanted to change this password, we could do that with the following command:

kubectl get secret/pgadmin-password-secret -n postgres-operator \
  -o json | jq --arg password "$NEW_PASSWORD" '.stringData["hippo-password"]=$password' | kubectl apply -f -
Copy