Pgadmin oauth secrets #4123

Merged
merged 16 commits into from
Mar 12, 2025

Contributor

@philrhurst philrhurst commented Mar 6, 2025

Checklist:

  • Have you added an explanation of what your changes do and why you'd like them to be included?
  • Have you updated or added documentation for the change, as applicable?
  • Have you tested your changes on all related environments with successful results, as applicable?
    • Have you added automated tests?

Type of Changes:

  • New feature
  • Bug fix
  • Documentation
  • Testing enhancement
  • Other

What is the current behavior (link to any open issues here)?

The PGAdmin API only allows users to specify OAUTH configuration data via plaintext in the manifest.

What is the new behavior (if this is a feature change)?

Users can now specify their OAUTH configuration via a Secret and pass that to the PGAdmin with an entry containing the secret name in spec.config.oauthConfigurations.

  • Breaking change (fix or feature that would cause existing functionality to change)

Other Information:

@philrhurst philrhurst marked this pull request as ready for review March 6, 2025 19:46
@cbandy cbandy self-requested a review March 10, 2025 20:38
Contributor

@dsessler7 dsessler7 left a comment

Just need to beef up that one comment for clarity, otherwise, looks good.

@andrewlecuyer
Collaborator

@philrhurst just a general question here. Could a user effectively put any pgAdmin configuration into the Secret? E.g. even settings that have nothing to do with OAuth? Or are the OAUTH2 settings the only settings that are accepted?

@philrhurst
Contributor Author

@andrewlecuyer - they could but it would not be read correctly and likely would mean pgAdmin wouldn't start. By design, the values encoded within the oauth-config key in the Secret are projected as a JSON file into the pgAdmin container. We parse that JSON file(s) with Python, along with the configuration that may be specified in the ConfigMap and merge them into a single JSON structure to be passed to pgAdmin.

Unfortunately, there is not a lot of validation that can be done here because the data is passed through into pgAdmin. It is similar to how we handle the passing of Postgres parameters to the Patroni section. We could - theoretically - add a validation layer in, but then it becomes a cat-and-mouse game of keeping these components in line.
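
The merge step described in the comment above, as an added example that is not part of the original thread and not the operator's own code. It assumes a hypothetical directory of projected JSON files holding one provider object each; the function names are invented for illustration, and replacing a plaintext `OAUTH2_CONFIG` is this example's choice. It rejects malformed input before pgAdmin sees it and masks secret values before anything is logged.

```python
import json
import tempfile
from pathlib import Path


def merge_pgadmin_config(base_json: str, oauth_dir: Path) -> dict:
    """Merge ConfigMap settings with the OAuth JSON files found in oauth_dir."""
    settings = json.loads(base_json) if base_json.strip() else {}
    if not isinstance(settings, dict):
        raise ValueError("base settings must be a JSON object")
    providers = []
    for path in sorted(oauth_dir.glob("*.json")):  # sorted: stable provider order
        try:
            entry = json.loads(path.read_text())
        except json.JSONDecodeError as err:
            # Report the position only; the file content holds secrets.
            raise ValueError(f"{path.name}: invalid JSON at line {err.lineno}") from None
        if not isinstance(entry, dict):
            raise ValueError(f"{path.name}: expected one JSON object")
        providers.append(entry)
    if providers:
        # Assumption of this example: Secret-sourced entries replace any
        # OAUTH2_CONFIG that was written in plaintext in the base settings.
        settings["OAUTH2_CONFIG"] = providers
    return settings


def redacted(value):
    """Return a copy that is safe to log: values under *SECRET* keys are masked."""
    if isinstance(value, dict):
        return {k: "***" if "SECRET" in k.upper() else redacted(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redacted(v) for v in value]
    return value


def demo() -> dict:
    """Run the merge over constructed sample input (not real credentials)."""
    base = '{"AUTHENTICATION_SOURCES": ["oauth2", "internal"]}'
    provider = {"OAUTH2_NAME": "example-idp", "OAUTH2_CLIENT_ID": "pgadmin",
                "OAUTH2_CLIENT_SECRET": "constructed-sample-value"}
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "example-idp.json").write_text(json.dumps(provider))
        return merge_pgadmin_config(base, Path(tmp))


if __name__ == "__main__":
    print(json.dumps(redacted(demo()), indent=2))
```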

Member

@cbandy cbandy left a comment

Some thoughts and questions. I'm trying out the API locally right now.

@philrhurst philrhurst merged commit e19f3fe into CrunchyData:main Mar 12, 2025
19 checks passed
@philrhurst philrhurst deleted the pgadmin-oauth-secrets branch March 12, 2025 20:46