Configuration

Configuration of the PGAdmin deployment is done using the config field in the PGAdmin manifest. This field is broken into a few fields that you might use depending on your environment. In this section we will walk through each of these fields and how you might use them.

pgAdmin settings

The config.settings field will be used to set any value that you would find in the pgAdmin config.py file. Some of easiest values to describe are the SHOW_GRAVATAR_IMAGE and DEBUG settings. The following configuration will enable DEBUG mode and disable gravatars when your users log in:

spec:
  config:
    settings:
      SHOW_GRAVATAR_IMAGE: False
      DEBUG: True
Copy

The values provided in config.settings are stored in a ConfigMap that is mounted to the pgAdmin Pod. The mounted ConfigMap and its values are passed to pgAdmin through the config_system.py configuration file.

It is worth noting that CPK will own some of the fields, and you won't be able to configure them. A good example of this is the SERVER_MODE setting. Since we want pgAdmin to run as a web server and not a desktop app, CPK will always set this value.

kubectl get cm -l postgres-operator.crunchydata.com/pgadmin=rhino -o yaml
Copy

Settings with Credentials

There are some pgAdmin settings that hold credentials or other sensitive data that you might not want stored as plain-text in your pgAdmin manifest. For some of these settings you can define a Secret reference in a separate field for that setting.

There are two settings that can be configured using a Secret key reference. The LDAP_BIND_PASSWORD setting was available in v5.5 and CONFIG_DATABASE_URI setting is configurable as of v5.6.

To configure these options, provide a Secret name and data key for the password. The following example shows how you can configure both options:

spec:
  config:
    ldapBindPassword:
      name: ldappass
      key: password
    configDatabaseURI:
      name: external-db-uri-secret
      key: uri
Copy

Providing these credential settings using a Secret helps to keep your sensitive date more secure.

Mounting files to the pgAdmin Pod

In some cases you may need to mount configuration files to the pgAdmin Pod. For example, if you want to configure TLS connections to pgAdmin, you will need to provide cert files. You can mount files by defining ConfigMaps or Secrets in the config.files field. The contents of the resources are mounted as projected volumes to the /etc/pgadmin/conf.d in the pgAdmin Pod. The following mounts tls.crt of Secret mysecret to /etc/pgadmin/conf.d/tls.crt:

spec:
  config:
    files:
      - secret:
          name: mysecret
          items:
            - key: tls.crt
Copy

Gunicorn Server Configuration

When pgAdmin is deployed through the PostgreSQL Operator, Gunicorn server is used to run it in server mode. You can adjust some Gunicorn server settings through the config.gunicorn of your manifest file. For example, if you are enabling TLS, you can follow these steps:

Create a TLS Secret pointing to your cert and key files:

kubectl create secret tls pgadmin-tls-certs --cert=server.crt --key=server.key
Copy

Configure your PGAdmin resource with the following config.gunicorn fields:

config:
    gunicorn:
      keyfile: /etc/pgadmin/conf.d/gunicorn-tls.key
      certfile: /etc/pgadmin/conf.d/gunicorn-tls.crt
    files:
      - secret:
          name: pgadmin-tls-certs
          items:
            - key: tls.crt
              path: gunicorn-tls.crt
            - key: tls.key
              path: gunicorn-tls.key
Copy

The config.files field, mounts the tls.crt and tls.key files in the /etc/pgadmin/conf.d/ directory as gunicorn-tls.crt and gunicorn-tls.key, respectively. With those files in place, the config.gunicorn field sets the server's keyfile and certfile settings to point to those mounted files, enabling TLS.