CrunchyData
diff --git a/‎config/crd/bases/postgres-operator.crunchydata.com_pgadmins.yaml
+4 b/‎config/crd/bases/postgres-operator.crunchydata.com_pgadmins.yaml
+4
diff --git a/‎internal/controller/standalone_pgadmin/config.go
+1 b/‎internal/controller/standalone_pgadmin/config.go
+1
diff --git a/‎internal/controller/standalone_pgadmin/configmap.go
+39 b/‎internal/controller/standalone_pgadmin/configmap.go
+39
diff --git a/‎internal/controller/standalone_pgadmin/configmap_test.go
+82 b/‎internal/controller/standalone_pgadmin/configmap_test.go
+82
diff --git a/‎internal/controller/standalone_pgadmin/pod.go
+66-27 b/‎internal/controller/standalone_pgadmin/pod.go
+66-27
@@ -1082,6 +1082,10 @@ spec:
                           type: object
                       type: object
                     type: array
+                  gunicorn:
+                    description: 'Settings for the gunicorn server. More info: https://docs.gunicorn.org/en/latest/settings.html'
+                    type: object
+                    x-kubernetes-preserve-unknown-fields: true
                   ldapBindPassword:
                     description: 'A Secret containing the value for the LDAP_BIND_PASSWORD
                       setting. More info: https://www.pgadmin.org/docs/pgadmin4/latest/ldap.html'
 
@@ -19,6 +19,7 @@ const (
 	// ConfigMap keys used also in mounting volume to pod
 	settingsConfigMapKey  = "pgadmin-settings.json"
 	settingsClusterMapKey = "pgadmin-shared-clusters.json"
+	gunicornConfigKey     = "gunicorn-config.json"
 
 	// Port address used to define pod and service
 	pgAdminPort = 5050
 
@@ -20,6 +20,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"sort"
+	"strconv"
 
 	corev1 "k8s.io/api/core/v1"
 
@@ -76,6 +77,11 @@ func configmap(pgadmin *v1beta1.PGAdmin,
 		configmap.Data[settingsClusterMapKey] = clusterSettings
 	}
 
+	gunicornSettings, err := generateGunicornConfig(pgadmin)
+	if err == nil {
+		configmap.Data[gunicornConfigKey] = gunicornSettings
+	}
+
 	return configmap, err
 }
 
@@ -181,3 +187,36 @@ func generateClusterConfig(
 	err := encoder.Encode(servers)
 	return buffer.String(), err
 }
+
+// generateGunicornConfig generates the config settings for the gunicorn server
+// - https://docs.gunicorn.org/en/latest/settings.html
+func generateGunicornConfig(pgadmin *v1beta1.PGAdmin) (string, error) {
+	settings := map[string]any{
+		// Bind to all IPv4 addresses and set 25 threads by default.
+		// - https://docs.gunicorn.org/en/latest/settings.html#bind
+		// - https://docs.gunicorn.org/en/latest/settings.html#threads
+		"bind":    "0.0.0.0:" + strconv.Itoa(pgAdminPort),
+		"threads": 25,
+	}
+
+	// Copy any specified settings over the defaults.
+	for k, v := range pgadmin.Spec.Config.Gunicorn {
+		settings[k] = v
+	}
+
+	// Write mandatory settings over any specified ones.
+	// - https://docs.gunicorn.org/en/latest/settings.html#workers
+	settings["workers"] = 1
+
+	// To avoid spurious reconciles, the following value must not change when
+	// the spec does not change. [json.Encoder] and [json.Marshal] do this by
+	// emitting map keys in sorted order. Indent so the value is not rendered
+	// as one long line by `kubectl`.
+	buffer := new(bytes.Buffer)
+	encoder := json.NewEncoder(buffer)
+	encoder.SetEscapeHTML(false)
+	encoder.SetIndent("", "  ")
+	err := encoder.Encode(settings)
+
+	return buffer.String(), err
+}
@@ -219,3 +219,85 @@ namespace: some-ns
 		})
 	})
 }
+
+func TestGenerateGunicornConfig(t *testing.T) {
+	require.ParallelCapacity(t, 0)
+
+	t.Run("Default", func(t *testing.T) {
+		pgAdmin := &v1beta1.PGAdmin{}
+		pgAdmin.Name = "test"
+		pgAdmin.Namespace = "postgres-operator"
+
+		expectedString := `{
+  "bind": "0.0.0.0:5050",
+  "threads": 25,
+  "workers": 1
+}
+`
+		actualString, err := generateGunicornConfig(pgAdmin)
+		assert.NilError(t, err)
+		assert.Equal(t, actualString, expectedString)
+	})
+
+	t.Run("Add Settings", func(t *testing.T) {
+		pgAdmin := &v1beta1.PGAdmin{}
+		pgAdmin.Name = "test"
+		pgAdmin.Namespace = "postgres-operator"
+		pgAdmin.Spec.Config.Gunicorn = map[string]any{
+			"keyfile":  "/path/to/keyfile",
+			"certfile": "/path/to/certfile",
+		}
+
+		expectedString := `{
+  "bind": "0.0.0.0:5050",
+  "certfile": "/path/to/certfile",
+  "keyfile": "/path/to/keyfile",
+  "threads": 25,
+  "workers": 1
+}
+`
+		actualString, err := generateGunicornConfig(pgAdmin)
+		assert.NilError(t, err)
+		assert.Equal(t, actualString, expectedString)
+	})
+
+	t.Run("Update Defaults", func(t *testing.T) {
+		pgAdmin := &v1beta1.PGAdmin{}
+		pgAdmin.Name = "test"
+		pgAdmin.Namespace = "postgres-operator"
+		pgAdmin.Spec.Config.Gunicorn = map[string]any{
+			"bind":    "127.0.0.1:5051",
+			"threads": 30,
+		}
+
+		expectedString := `{
+  "bind": "127.0.0.1:5051",
+  "threads": 30,
+  "workers": 1
+}
+`
+		actualString, err := generateGunicornConfig(pgAdmin)
+		assert.NilError(t, err)
+		assert.Equal(t, actualString, expectedString)
+	})
+
+	t.Run("Update Mandatory", func(t *testing.T) {
+		pgAdmin := &v1beta1.PGAdmin{}
+		pgAdmin.Name = "test"
+		pgAdmin.Namespace = "postgres-operator"
+		pgAdmin.Spec.Config.Gunicorn = map[string]any{
+			"workers": "100",
+		}
+
+		expectedString := `{
+  "bind": "0.0.0.0:5050",
+  "threads": 25,
+  "workers": 1
+}
+`
+		actualString, err := generateGunicornConfig(pgAdmin)
+		assert.NilError(t, err)
+		assert.Equal(t, actualString, expectedString)
+	})
+
+}
@@ -28,10 +28,11 @@ import (
 )
 
 const (
-	configMountPath = "/etc/pgadmin/conf.d"
-	configFilePath  = "~postgres-operator/" + settingsConfigMapKey
-	clusterFilePath = "~postgres-operator/" + settingsClusterMapKey
-	ldapFilePath    = "~postgres-operator/ldap-bind-password"
+	configMountPath        = "/etc/pgadmin/conf.d"
+	configFilePath         = "~postgres-operator/" + settingsConfigMapKey
+	clusterFilePath        = "~postgres-operator/" + settingsClusterMapKey
+	ldapFilePath           = "~postgres-operator/ldap-bind-password"
+	gunicornConfigFilePath = "~postgres-operator/" + gunicornConfigKey
 
 	// Nothing should be mounted to this location except the script our initContainer writes
 	scriptMountPath = "/etc/pgadmin"
@@ -210,6 +211,10 @@ func podConfigFiles(configmap *corev1.ConfigMap, pgadmin v1beta1.PGAdmin) []core
 							Key:  settingsClusterMapKey,
 							Path: clusterFilePath,
 						},
+						{
+							Key:  gunicornConfigKey,
+							Path: gunicornConfigFilePath,
+						},
 					},
 				},
 			},
@@ -262,32 +267,43 @@ func startupScript(pgadmin *v1beta1.PGAdmin) []string {
 	var setupCommandV7 = "python3 ${PGADMIN_DIR}/setup.py"
 	var setupCommandV8 = setupCommandV7 + " setup-db"
 
+	// startCommands (v8 image includes Gunicorn)
+	var startCommandV7 = "pgadmin4 &"
+	var startCommandV8 = "gunicorn -c /etc/pgadmin/gunicorn_config.py --chdir $PGADMIN_DIR pgAdmin4:app &"
+
 	// This script sets up, starts pgadmin, and runs the appropriate `loadServerCommand` to register the discovered servers.
+	// pgAdmin is hosted by Gunicorn and uses a config file.
+	// - https://www.pgadmin.org/docs/pgadmin4/development/server_deployment.html#standalone-gunicorn-configuration
+	// - https://docs.gunicorn.org/en/latest/configure.html
 	var startScript = fmt.Sprintf(`
 PGADMIN_DIR=/usr/local/lib/python3.11/site-packages/pgadmin4
 APP_RELEASE=$(cd $PGADMIN_DIR && python3 -c "import config; print(config.APP_RELEASE)")
 
 echo "Running pgAdmin4 Setup"
 if [ $APP_RELEASE -eq 7 ]; then
-	%s
+    %s
 else
-	%s
+    %s
 fi
 
 echo "Starting pgAdmin4"
 PGADMIN4_PIDFILE=/tmp/pgadmin4.pid
-pgadmin4 &
+if [ $APP_RELEASE -eq 7 ]; then
+    %s
+else
+    %s
+fi
 echo $! > $PGADMIN4_PIDFILE
 
 loadServerCommand() {
-	if [ $APP_RELEASE -eq 7 ]; then
-		%s
-	else
-		%s
-	fi
+    if [ $APP_RELEASE -eq 7 ]; then
+        %s
+    else
+        %s
+    fi
 }
 loadServerCommand
-`, setupCommandV7, setupCommandV8, loadServerCommandV7, loadServerCommandV8)
+`, setupCommandV7, setupCommandV8, startCommandV7, startCommandV8, loadServerCommandV7, loadServerCommandV8)
 
 	// Use a Bash loop to periodically check:
 	// 1. the mtime of the mounted configuration volume for shared/discovered servers.
@@ -303,17 +319,21 @@ loadServerCommand
 	var reloadScript = `
 exec {fd}<> <(:)
 while read -r -t 5 -u "${fd}" || true; do
-	if [ "${cluster_file}" -nt "/proc/self/fd/${fd}" ] && loadServerCommand
-	then
-		exec {fd}>&- && exec {fd}<> <(:)
-		stat --format='Loaded shared servers dated %y' "${cluster_file}"
-	fi
-	if [ ! -d /proc/$(cat $PGADMIN4_PIDFILE) ]
-	then
-		pgadmin4 &
-		echo $! > $PGADMIN4_PIDFILE
-		echo "Restarting pgAdmin4"
-	fi
+    if [ "${cluster_file}" -nt "/proc/self/fd/${fd}" ] && loadServerCommand
+    then
+        exec {fd}>&- && exec {fd}<> <(:)
+        stat --format='Loaded shared servers dated %y' "${cluster_file}"
+    fi
+    if [ ! -d /proc/$(cat $PGADMIN4_PIDFILE) ]
+    then
+        if [ $APP_RELEASE -eq 7 ]; then
+            ` + startCommandV7 + `
+        else
+            ` + startCommandV8 + `
+        fi
+        echo $! > $PGADMIN4_PIDFILE
+        echo "Restarting pgAdmin4"
+    fi
 done
 `
 
@@ -333,8 +353,8 @@ func startupCommand() []string {
 	// and sets those variables globally. That way those values are available as pgAdmin
 	// configurations when pgAdmin starts.
 	//
-	// Note: All pgAdmin settings are uppercase with underscores, so ignore any keys/names
-	// that are not.
+	// Note: All pgAdmin settings are uppercase alphanumeric with underscores, so ignore
+	// any keys/names that are not.
 	//
 	// Note: set pgAdmin's LDAP_BIND_PASSWORD setting from the Secret last
 	// in order to overwrite configuration of LDAP_BIND_PASSWORD via ConfigMap JSON.
@@ -352,17 +372,36 @@ with open('` + configMountPath + `/` + configFilePath + `') as _f:
 if os.path.isfile('` + ldapPasswordAbsolutePath + `'):
     with open('` + ldapPasswordAbsolutePath + `') as _f:
         LDAP_BIND_PASSWORD = _f.read()
+`
+		// gunicorn reads from the `/etc/pgadmin/gunicorn_config.py` file during startup
+		// after all other config files.
+		// - https://docs.gunicorn.org/en/latest/configure.html#configuration-file
+		//
+		// This command writes a script in `/etc/pgadmin/gunicorn_config.py` that reads
+		// from the `gunicorn-config.json` file and sets those variables globally.
+		// That way those values are available as settings when gunicorn starts.
+		//
+		// Note: All gunicorn settings are lowercase with underscores, so ignore
+		// any keys/names that are not.
+		gunicornConfig = `
+import json, re
+with open('` + configMountPath + `/` + gunicornConfigFilePath + `') as _f:
+    _conf, _data = re.compile(r'[a-z_]+'), json.load(_f)
+    if type(_data) is dict:
+        globals().update({k: v for k, v in _data.items() if _conf.fullmatch(k)})
 `
 	)
 
-	args := []string{strings.TrimLeft(configSystem, "\n")}
+	args := []string{strings.TrimLeft(configSystem, "\n"), strings.TrimLeft(gunicornConfig, "\n")}
 
 	script := strings.Join([]string{
 		// Use the initContainer to create this path to avoid the error noted here:
 		// - https://github.com/kubernetes/kubernetes/issues/121294
 		`mkdir -p /etc/pgadmin/conf.d`,
 		// Write the system configuration into a read-only file.
 		`(umask a-w && echo "$1" > ` + scriptMountPath + `/config_system.py` + `)`,
+		// Write the server configuration into a read-only file.
+		`(umask a-w && echo "$2" > ` + scriptMountPath + `/gunicorn_config.py` + `)`,
 	}, "\n")
 
 	return append([]string{"bash", "-ceu", "--", script, "startup"}, args...)