CrunchyData / postgres-operator

Production PostgreSQL for Kubernetes, from high availability Postgres clusters to full-scale database-as-a-service.
https://access.crunchydata.com/documentation/postgres-operator/v5/
Apache License 2.0
3.97k stars, 595 forks

Pgadmin oauth2 #3501

Closed rgherta closed 10 months ago

rgherta commented 1 year ago

According to the pgadmin docs below, oauth2 should easily integrate with any oauth2 provider: https://www.pgadmin.org/docs/pgadmin4/development/oauth2.html

However, this configuration fails:

  userInterface:
    pgAdmin:
      image: registry.developers.crunchydata.com/crunchydata/crunchy-pgadmin4:ubi8-4.30-6
      config:
        settings:
          #https://www.pgadmin.org/docs/pgadmin4/development/oauth2.html
          AUTHENTICATION_SOURCES: ['oauth2', 'internal']
          OAUTH2_NAME: "gitlab"
          OAUTH2_DISPLAY_NAME: "Gitlab"
          OAUTH2_CLIENT_ID: XXXXX
          OAUTH2_CLIENT_SECRET: XXXXX
          OAUTH2_TOKEN_URL: https://mydomain/oauth/token
          OAUTH2_AUTHORIZATION_URL: https://mydomain/oauth/authorize
          OAUTH2_API_BASE_URL: https://mydomain/oauth/
          OAUTH2_USERINFO_ENDPOINT: userinfo
          OAUTH2_SCOPE: "read_user email profile openid"
          OAUTH2_ICON: "fa-gitlab"
          OAUTH2_BUTTON_COLOR: "red"
          #OAUTH2_USERNAME_CLAIM:
          OAUTH2_AUTO_CREATE_USER: True

mzwettler2 commented 1 year ago

Any news on this one?

benjaminjb commented 12 months ago

Hello, a quick question and follow-up on this:

a) What error are you getting when you try to use this configuration?

b) We have a new implementation for deploying pgAdmin4: a new CRD for pgAdmin4. This implementation also comes with an updated pgAdmin4 image, and I would be curious if you get the same error with this new implementation.

rgherta commented 10 months ago

Hi @benjaminjb, I created a PR https://github.com/CrunchyData/postgres-operator/pull/3824 that should fix the issue.

This regex re.compile(r'[A-Z]+') is only allowing config.py keys that are capital letters plus

However, according to the docs we can also have alphanumeric keys like _OAUTH2_API_BASEURL etc. This is the reason why, as of now, the oauth2 configs are ignored by the crunchydata pgadmin container image.

With the above changes, the following configuration should work with most providers:

apiVersion: postgres-operator.crunchydata.com/v1beta1
kind: PGAdmin
metadata:
  name: rhino
  namespace: postgres-operator
spec:
  dataVolumeClaimSpec:
    accessModes:
    - "ReadWriteOnce"
    resources:
      requests:
        storage: 1Gi
  serverGroups:
    - name: supply
      # An empty selector selects all postgresclusters in the Namespace
      postgresClusterSelector: {}
  config:
    settings:
      AUTHENTICATION_SOURCES: ['oauth2', 'internal']
      OAUTH2_CONFIG:
        - OAUTH2_NAME: "gitlab"
          OAUTH2_DISPLAY_NAME: "mytestapp"
          OAUTH2_CLIENT_ID: "XXXXXXXX"
          OAUTH2_CLIENT_SECRET: "XXXXXXXXX"
          OAUTH2_TOKEN_URL: "https://myidp/login/oauth/access_token"
          OAUTH2_AUTHORIZATION_URL: "https://myidp/login/oauth/authorize"
          OAUTH2_API_BASE_URL: "https://myidp"
          OAUTH2_SCOPE: "openid email profile"
          OAUTH2_USERINFO_ENDPOINT: "userinfo"
          OAUTH2_SSL_CERT_VERIFICATION: "False" # for testing purposes
          OAUTH2_BUTTON_COLOR: "red"
      OAUTH2_AUTO_CREATE_USER: "True"
      DEBUG: "True" # for testing purposes
      SERVER_MODE: "True"

Nice change on this CRD for pgadmin...
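To see why a capital-letters-only key pattern silently discards the OAuth2 settings in the block above, here is an added example (not code from the operator, the image, or PR #3824). It assumes the image keeps only settings keys that the pattern matches in full; the broader pattern and the sample settings are constructed here, not taken from the fix.

```python
import re
from typing import Dict, List, Tuple

# Key pattern as quoted in the issue: capital letters only.
OLD_KEY_RE = re.compile(r'[A-Z]+')
# Broader pattern (an assumption, not the PR's pattern): pgAdmin config.py
# keys may also contain digits and underscores, e.g. OAUTH2_CONFIG.
NEW_KEY_RE = re.compile(r'[A-Z][A-Z0-9_]*')

# Constructed sample, modelled on the settings block posted in the issue.
SAMPLE_SETTINGS: Dict[str, object] = {
    "AUTHENTICATION_SOURCES": ["oauth2", "internal"],
    "OAUTH2_CONFIG": [{"OAUTH2_NAME": "gitlab"}],
    "OAUTH2_AUTO_CREATE_USER": True,
    "DEBUG": True,
    "SERVER_MODE": True,
}


def filter_settings(settings: Dict[str, object],
                    pattern: re.Pattern) -> Tuple[Dict[str, object], List[str]]:
    """Return (kept, dropped). Assumption: a key survives only if the
    pattern matches the whole key; anything else is dropped without error."""
    kept: Dict[str, object] = {}
    dropped: List[str] = []
    for key, value in settings.items():
        if pattern.fullmatch(key):
            kept[key] = value
        else:
            dropped.append(key)
    return kept, dropped


def dropped_keys(settings: Dict[str, object],
                 pattern: re.Pattern = OLD_KEY_RE) -> List[str]:
    """Keys an operator would want flagged: they were configured but ignored."""
    return filter_settings(settings, pattern)[1]


def auth_settings_survive(settings: Dict[str, object], pattern: re.Pattern) -> bool:
    """Pre-deploy check: keys that decide how pgAdmin authenticates must
    survive the filter, otherwise pgAdmin silently runs with defaults."""
    kept, _ = filter_settings(settings, pattern)
    return "AUTHENTICATION_SOURCES" in kept and "OAUTH2_CONFIG" in kept


if __name__ == "__main__":
    for name, pat in (("old", OLD_KEY_RE), ("new", NEW_KEY_RE)):
        kept, dropped = filter_settings(SAMPLE_SETTINGS, pat)
        print(f"{name}: kept={sorted(kept)} dropped={dropped}")
```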

rgherta commented 10 months ago

Hi @benjaminjb, I created a PR in this other repo to add pgadmin examples and an oauth2 config demo that was successfully tested.

https://github.com/CrunchyData/postgres-operator-examples/pull/250