From 3d712ccede162a05a076880e537e9dca5f55874f Mon Sep 17 00:00:00 2001 From: Philip Haupt <“der.mad.mob@gmail.com”> Date: Fri, 30 May 2025 00:18:42 +0200 Subject: [PATCH] pgadmin --- pgadmin/kustomization.yaml | 6 + pgadmin/main.yaml | 200 +++++++++++++++ pgadmin/src/kustomization.yaml | 12 + pgadmin/src/values.yaml | 450 +++++++++++++++++++++++++++++++++ 4 files changed, 668 insertions(+) create mode 100644 pgadmin/kustomization.yaml create mode 100644 pgadmin/main.yaml create mode 100644 pgadmin/src/kustomization.yaml create mode 100644 pgadmin/src/values.yaml diff --git a/pgadmin/kustomization.yaml b/pgadmin/kustomization.yaml new file mode 100644 index 0000000..4ae436c --- /dev/null +++ b/pgadmin/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - main.yaml \ No newline at end of file diff --git a/pgadmin/main.yaml b/pgadmin/main.yaml new file mode 100644 index 0000000..97ef785 --- /dev/null +++ b/pgadmin/main.yaml 
@@ -0,0 +1,200 @@ +apiVersion: v1 +data: + password: U3VwZXJTZWNyZXQ= +kind: Secret +metadata: + labels: + app.kubernetes.io/instance: pgadmin + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: pgadmin4 + app.kubernetes.io/version: "9.3" + helm.sh/chart: pgadmin4-1.45.1 + name: pgadmin-pgadmin4 + namespace: pgadmin +type: Opaque +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: pgadmin + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: pgadmin4 + app.kubernetes.io/version: "9.3" + helm.sh/chart: pgadmin4-1.45.1 + name: pgadmin-pgadmin4 + namespace: pgadmin +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + selector: + app.kubernetes.io/instance: pgadmin + app.kubernetes.io/name: pgadmin4 + type: ClusterIP +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + labels: + app.kubernetes.io/instance: pgadmin + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: pgadmin4 + app.kubernetes.io/version: "9.3" + helm.sh/chart: pgadmin4-1.45.1 + name: pgadmin-pgadmin4 + namespace: pgadmin +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 10Gi + storageClassName: openebs-3-replicas +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: pgadmin + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: pgadmin4 + app.kubernetes.io/version: "9.3" + helm.sh/chart: pgadmin4-1.45.1 + name: pgadmin-pgadmin4 + namespace: pgadmin +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/instance: pgadmin + app.kubernetes.io/name: pgadmin4 + template: + metadata: + annotations: + checksum/secret: d60cced22b70238aab1ff018a874bbd8cba79292c40172e1449dc31f0a56afb7 + labels: + app.kubernetes.io/instance: pgadmin + app.kubernetes.io/name: pgadmin4 + spec: + automountServiceAccountToken: false + containers: + - env: + - name: PGADMIN_CONFIG_ENHANCED_COOKIE_PROTECTION + value: "False" + 
- name: PGADMIN_DEFAULT_EMAIL + value: chart@domain.com + - name: PGADMIN_DEFAULT_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: pgadmin-pgadmin4 + image: docker.io/dpage/pgadmin4:9.2.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /misc/ping + port: http + scheme: HTTP + initialDelaySeconds: 30 + periodSeconds: 20 + timeoutSeconds: 5 + name: pgadmin4 + ports: + - containerPort: 80 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /misc/ping + port: http + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 3 + resources: {} + startupProbe: + failureThreshold: 30 + httpGet: + path: /misc/ping + port: http + scheme: HTTP + periodSeconds: 2 + volumeMounts: + - mountPath: /var/lib/pgadmin + name: pgadmin-data + subPath: "" + securityContext: + fsGroup: 5050 + runAsGroup: 5050 + runAsUser: 5050 + volumes: + - name: pgadmin-data + persistentVolumeClaim: + claimName: pgadmin-pgadmin4 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/instance: pgadmin + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: pgadmin4 + app.kubernetes.io/version: "9.3" + helm.sh/chart: pgadmin4-1.45.1 + name: pgadmin-pgadmin4 + namespace: pgadmin +spec: + ingress: + - ports: + - port: 80 + podSelector: + matchLabels: + app.kubernetes.io/instance: pgadmin + app.kubernetes.io/name: pgadmin4 + policyTypes: + - Ingress +--- +apiVersion: v1 +kind: Pod +metadata: + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: hook-succeeded + labels: + app.kubernetes.io/instance: pgadmin + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: pgadmin4 + app.kubernetes.io/version: "9.3" + helm.sh/chart: pgadmin4-1.45.1 + name: pgadmin-pgadmin4-test-connection + namespace: pgadmin +spec: + containers: + - command: + - /bin/sh + - -ec + - | + response=$(wget -qSO - http://${PGADMIN_HOST}:${PGADMIN_PORT} 2>&1) + 
check=$(echo $response | grep -c '200 OK'); echo $check; if [[ $check -gt 0 ]]; then echo "Response OK"; else exit 1; fi + env: + - name: PGADMIN_HOST + value: pgadmin-pgadmin4 + - name: PGADMIN_PORT + value: "80" + image: docker.io/busybox:latest + name: wget + resources: {} + securityContext: + readOnlyRootFilesystem: true + restartPolicy: Never + securityContext: + fsGroup: 5051 + runAsGroup: 5051 + runAsNonRoot: true + runAsUser: 5051 diff --git a/pgadmin/src/kustomization.yaml b/pgadmin/src/kustomization.yaml new file mode 100644 index 0000000..1105cf4 --- /dev/null +++ b/pgadmin/src/kustomization.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +helmCharts: + - name: pgadmin4 + repo: https://helm.runix.net + version: 1.45.1 + releaseName: pgadmin + includeCRDs: true + namespace: pgadmin + valuesFile: values.yaml diff --git a/pgadmin/src/values.yaml b/pgadmin/src/values.yaml new file mode 100644 index 0000000..4da47ae --- /dev/null +++ b/pgadmin/src/values.yaml 
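Review bot: The rendered `kind: Secret` at the top of this hunk commits the chart's default admin credential: `password: U3VwZXJTZWNyZXQ=` is the base64 form of the `env.password: SuperSecret` value kept in plaintext in the pgadmin/src/values.yaml hunk of this same patch, paired with the placeholder `chart@domain.com` as `PGADMIN_DEFAULT_EMAIL`, so the login for this pgAdmin instance is fixed in the repository and in every manifest Kustomize renders from it. The chart already supports a pre-provisioned credential (`existingSecret` and `secretKeys.pgadminPasswordKey` in values.yaml): set `existingSecret: "<pre-provisioned-secret-name>"`, create that Secret out of band (or through a sealed/external-secrets resource that is safe to commit), remove the rendered Secret document and the plaintext `env.password` from the commit, and rotate the value if this manifest was ever applied. Two weaker hardening points inherited from chart defaults are also visible here: the pgadmin4 container has only the pod-level `securityContext` (values.yaml sets `containerSecurityContext.enabled: false`, so `allowPrivilegeEscalation: false` is never rendered), and `PGADMIN_CONFIG_ENHANCED_COOKIE_PROTECTION` is set to `"False"`. Both are defensible given the ClusterIP-only Service and disabled Ingress, but each deserves a one-line comment in values.yaml stating it is deliberate, and the test Pod's `docker.io/busybox:latest` should be pinned to a digest or fixed tag the way the pgadmin4 image is.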
@@ -0,0 +1,450 @@ +global: + # Overrides the Docker registry globally for all images. + imageRegistry: "" + # Add additional image pull secrets globally. + # Support both full format (- name: secret) and short format (- secret). + # These will be merged with any chart-specific pull secrets. + imagePullSecrets: [] + +replicaCount: 1 + +## pgAdmin4 container image +## +image: + registry: docker.io + repository: dpage/pgadmin4 + # Overrides the image tag whose default is the chart appVersion. + tag: 9.2.0 + pullPolicy: IfNotPresent + +## Optionally specify an array of imagePullSecrets. +## Secrets must be manually created in the namespace. +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +imagePullSecrets: [] + # - RegistryKeySecret + +## Deployment annotations +annotations: {} + +## revisionHistoryLimit The number of old history to retain to allow rollback +revisionHistoryLimit: 10 + +## commonLabels Add labels to all the deployed resources +commonLabels: {} + +## priorityClassName +priorityClassName: "" + +## Deployment entrypoint override +## Useful when there's a requirement to modify container's default: +## https://www.vaultproject.io/docs/platform/k8s/injector/examples#environment-variable-example +## ref: https://github.com/postgres/pgadmin4/blob/master/Dockerfile#L206 +# command: "['/bin/sh', '-c', 'source /vault/secrets/config && ']" + +service: + type: ClusterIP + clusterIP: "" + loadBalancerIP: "" + port: 80 + targetPort: 80 + # targetPort: 4181 To be used with a proxy extraContainer + portName: http + + annotations: {} + ## Special annotations at the service level, e.g + ## this will set vnet internal IP's rather than public ip's + ## service.beta.kubernetes.io/azure-load-balancer-internal: "true" + + ## Specify the nodePort value for the service types. 
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + # nodePort: + +## Pod Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +## +serviceAccount: + # Specifies whether a service account should be created + create: false + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + # Opt out of API credential automounting. + # If you don't want the kubelet to automatically mount a ServiceAccount's API credentials, + # you can opt out of the default behavior + automountServiceAccountToken: false + +## Pod HostAliases +## ref: https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ +## +hostAliases: + # - ip: "127.0.0.1" + # hostnames: + # - "pgadmin4.local" + +## Strategy used to replace old Pods by new ones +## Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy +## +strategy: {} + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 0 + # maxUnavailable: 1 + +## Pre-load pgAdmin4 with servers at first start-up. +## Servers are imported only the first time the config DB is created. +## Docs: https://www.pgadmin.org/docs/pgadmin4/latest/import_export_servers.html +## +serverDefinitions: + # Enable/disable server import + enabled: false + + # Storage for the server JSON: + # ConfigMap - plain text (good for non-secret data) + # Secret - base-64 (better for credentials) + resourceType: ConfigMap + + # Use this only when `resourceType` = ConfigMap - point to an existing ConfigMap + # that already holds your `servers.json` + existingConfigmap: "" + + # Use this only when `resourceType` = Secret - point to an existing Secret + # that already holds your `servers.json`. + existingSecret: "" + + # Set to true to put raw JSON under `stringData` (handy for dry-runs/debug). 
+ # Leave false to keep the default base-64 in `data`. + useStringData: false + + # Inline server definitions (ignore if you point to an existing resource) + # You can use Helm templates here, e.g. Host: "{{ .Values.example.host }}" + servers: + # firstServer: + # Name: "Minimally Defined Server" + # Group: "Servers" + # Username: "postgres" + # Host: "{{ .Values.example.host }}" + # Port: "{{ .Values.example.port }}" + # SSLMode: "prefer" + # MaintenanceDB: "postgres" + +networkPolicy: + enabled: true + +## Ingress +## Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ +ingress: + enabled: false + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + labels: {} + hosts: + - host: chart-example.local + paths: + - path: / + pathType: Prefix + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +# Additional config maps to be mounted inside a container +# Can be used to map config maps for sidecar as well +extraConfigmapMounts: [] + # - name: certs-configmap + # mountPath: /etc/ssl/certs + # subPath: "" + # configMap: certs-configmap + # readOnly: true + +extraSecretMounts: [] + # - name: pgpassfile + # secret: pgpassfile + # subPath: pgpassfile + # mountPath: "/var/lib/pgadmin/storage/pgadmin/file.pgpass" + # readOnly: true + +## Additional volumes to be mounted inside a container +## +extraVolumeMounts: [] + +## Specify additional containers in extraContainers. +## For example, to add an authentication proxy to a pgadmin4 pod. 
+extraContainers: | +# - name: proxy +# image: quay.io/gambol99/keycloak-proxy:latest +# args: +# - -provider=github +# - -client-id= +# - -client-secret= +# - -github-org= +# - -email-domain=* +# - -cookie-secret= +# - -http-address=http://0.0.0.0:4181 +# - -upstream-url=http://127.0.0.1:3000 +# ports: +# - name: proxy-web +# containerPort: 4181 + +## @param existingSecret Name of existing secret to use for default pgadmin credentials. `env.password` will be ignored and picked up from this secret. +## +existingSecret: "" +## @param secretKeys.pgadminPasswordKey Name of key in existing secret to use for default pgadmin credentials. Only used when `existingSecret` is set. +## +secretKeys: + pgadminPasswordKey: password + +## pgAdmin4 startup configuration +## Values in here get injected as environment variables +## Needed chart reinstall for apply changes +env: + # can be email or nickname + email: chart@domain.com + password: SuperSecret + # pgpassfile: /var/lib/pgadmin/storage/pgadmin/file.pgpass + + # set context path for application (e.g. 
/pgadmin4/*) + # contextPath: /pgadmin4 + + ## If True, allows pgAdmin4 to create session cookies based on IP address + ## Ref: https://www.pgadmin.org/docs/pgadmin4/latest/config_py.html + ## + enhanced_cookie_protection: "False" + + ## Add custom environment variables that will be injected to deployment + ## Ref: https://www.pgadmin.org/docs/pgadmin4/latest/container_deployment.html + ## + variables: [] + # - name: PGADMIN_LISTEN_ADDRESS + # value: "0.0.0.0" + # - name: PGADMIN_LISTEN_PORT + # value: "8080" + +## Additional environment variables from ConfigMaps +envVarsFromConfigMaps: [] + # - array-of + # - config-map-names + +## Additional environment variables from Secrets +envVarsFromSecrets: [] + # - array-of + # - secret-names + +## Additional environment variables +envVarsExtra: [] + # - name: POSTGRES_USERNAME + # valueFrom: + # secretKeyRef: + # name: pgadmin.pgadmin-db.credentials.postgresql.acid.zalan.do + # key: username + # - name: POSTGRES_PASSWORD + # valueFrom: + # secretKeyRef: + # name: pgadmin.pgadmin-db.credentials.postgresql.acid.zalan.do + # key: password + +persistentVolume: + ## If true, pgAdmin4 will create/use a Persistent Volume Claim + ## If false, use emptyDir + ## + enabled: true + + ## pgAdmin4 Persistent Volume Claim annotations + ## + annotations: {} + + ## pgAdmin4 Persistent Volume access modes + ## Must match those of existing PV or dynamic provisioner + ## Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + accessModes: + - ReadWriteOnce + + ## pgAdmin4 Persistent Volume Size + ## + size: 10Gi + + ## pgAdmin4 Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. 
(gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: openebs-3-replicas + # existingClaim: "" + + ## Subdirectory of pgAdmin4 Persistent Volume to mount + ## Useful if the volume's root directory is not empty + ## + subPath: "" + +## Additional volumes to be added to the deployment +## +extraVolumes: [] + +## Security context to be added to pgAdmin4 pods +## +securityContext: + runAsUser: 5050 + runAsGroup: 5050 + fsGroup: 5050 + +containerSecurityContext: + enabled: false + allowPrivilegeEscalation: false + +## pgAdmin4 readiness and liveness probe initial delay and timeout +## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ +## +livenessProbe: + initialDelaySeconds: 30 + periodSeconds: 20 + timeoutSeconds: 5 + failureThreshold: 3 + +readinessProbe: + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 3 + failureThreshold: 3 + +startupProbe: + failureThreshold: 30 + periodSeconds: 2 + +## Required to be enabled pre pgAdmin4 4.16 release, to set the ACL on /var/lib/pgadmin. +## Ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ +## +VolumePermissions: + ## If true, enables an InitContainer to set permissions on /var/lib/pgadmin. + ## + enabled: false + +## @param extraDeploy list of extra manifests to deploy +## +extraDeploy: [] + +## Additional InitContainers to initialize the pod +## +extraInitContainers: | +# - name: add-folder-for-pgpass +# image: "dpage/pgadmin4:latest" +# command: ["/bin/mkdir", "-p", "/var/lib/pgadmin/storage/pgadmin"] +# volumeMounts: +# - name: pgadmin-data +# mountPath: /var/lib/pgadmin +# securityContext: +# runAsUser: 5050 + +containerPorts: + http: 80 + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. 
If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +## Horizontal Pod Autoscaling +## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ +# +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +## Node labels for pgAdmin4 pod assignment +## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} + +## Node tolerations for server scheduling to nodes with taints +## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ +## +tolerations: [] + +## Pod affinity +## +affinity: {} + +## Pod DNS Policy +## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + +dnsPolicy: "" + +## Update pod DNS Config +## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config + +dnsConfig: {} +# nameservers: +# - 192.0.2.1 +# searches: +# - ns1.svc.cluster-domain.example +# - my.dns.search.suffix +# options: +# - name: ndots +# value: "2" +# - name: edns0 + +## Pod annotations +## +podAnnotations: {} +templatedPodAnnotations: |- +# checksum/configmap-oauth2: {{ include "/templates/configmap-oauth2.yaml" $ | sha256sum }} +# checksum/secret-oauth2: "{{ include "/templates/secret-oauth2.yaml" $ | sha256sum }}" +# checksum/secret-pgpass: "{{ include "/templates/secret-pgpass.yaml" $ | sha256sum }}" + +## Pod labels +## +podLabels: {} + # key1: value1 + # key2: value2 + +# -- The name of the Namespace to deploy +# If not set, `.Release.Namespace` is used +namespace: null + +init: + ## Init container resources + ## + resources: {} + +## Define values for chart tests +test: + enabled: true + ## Container image for test-connection.yaml + image: + registry: docker.io + 
repository: busybox + tag: latest + ## Resources request/limit for test-connection Pod + resources: {} + # limits: + # cpu: 50m + # memory: 32Mi + # requests: + # cpu: 25m + # memory: 16Mi + ## Security context for test-connection Pod + securityContext: + runAsUser: 5051 + runAsGroup: 5051 + fsGroup: 5051 + + ## Container Security context for test-connection Pod + containerSecurityContext: + readOnlyRootFilesystem: true