Support Secrets for PGAdmin CRD

[dave-tucker]

Have an idea to improve PGO? We'd love to hear it! We're going to need some information from you to learn more about your feature requests.

Please be sure you've done the following:

• [x] Provide a concise description of your feature request.
• [x] Describe your use case. Detail the problem you are trying to solve.
• [x] Describe how you envision that the feature would work.
• [x] Provide general information about your current PGO environment.

Overview

I would like to use Kubernetes Secrets when configuring the PGAdmin CRD. For example the OAUTH2_CLIENT_SECRET in this example should be a Kubernetes secret.

Use Case

Describe your use case. Why do you want this feature? What problem will it solve? Why will it help you? Why will it make it easier to use PGO?

This will solve an issue whereby secrets are being checked in as plain text in Git repositories. A practice that is frowned upon (with good reason) by most security teams.

Desired Behavior

Describe how the feature would work. How do you envision interfacing with it?

Allow me to provide secrets as environment variables to the PGAdmin CR. This could look something like this:

apiVersion: postgres-operator.crunchydata.com/v1beta1
kind: PGAdmin
metadata:
  name: rhino
  namespace: postgres-operator
spec:
  dataVolumeClaimSpec:
    accessModes:
    - "ReadWriteOnce"
    resources:
      requests:
        storage: 1Gi
  serverGroups:
    - name: supply
      # An empty selector selects all postgresclusters in the Namespace
      postgresClusterSelector: {}
  config:
    settings:
      AUTHENTICATION_SOURCES: ['oauth2', 'internal']
      OAUTH2_CONFIG:
        - OAUTH2_NAME: "google"
          OAUTH2_DISPLAY_NAME: "Google"
          OAUTH2_CLIENT_ID: $GOOGLE_CLIENT_ID
          OAUTH2_CLIENT_SECRET: $GOOGLE_CLIENT_SECRET
          OAUTH2_TOKEN_URL: "https://oauth2.googleapis.com/token"
          OAUTH2_AUTHORIZATION_URL: "https://accounts.google.com/o/oauth2/auth"
          OAUTH2_API_BASE_URL: "https://openidconnect.googleapis.com/v1/"
          OAUTH2_SERVER_METADATA_URL: "https://accounts.google.com/.well-known/openid-configuration"
          OAUTH2_SCOPE: "openid email profile"
          OAUTH2_USERINFO_ENDPOINT: "userinfo"
          OAUTH2_SSL_CERT_VERIFICATION: "False" # for testing purposes
          OAUTH2_BUTTON_COLOR: "red"   
      OAUTH2_AUTO_CREATE_USER : "True"
      DEBUG: "True" # for testing purposes
      SERVER_MODE: "True"
  env:
    - name: GOOGLE_CLIENT_ID
       valueFrom:
          secretKeyRef:
             name: my-secret
             key: google_client_id
    - name: GOOGLE_CLIENT_SECRET
       valueFrom:
          secretKeyRef:
             name: my-secret
             key: google_client_secret

My understanding is that you're converting those settings directly into config.py. This feature would require the translation of:

OAUTH2_CLIENT_ID: $GOOGLE_CLIENT_ID

into:

OAUTH2_CLIENT_ID = os.environ["GOOGLE_CLIENT_ID"}

Environment

Tell us about your environment:

Please provide the following details:

• Platform: Kubernetes
• Platform Version: 1.30.4
• PGO Image Tag: ubi8-16.3-1
• Postgres Version: 16
• Storage: PersistentVolume
• Number of Postgres clusters: 1

Additional Information

Please provide any additional information that may be helpful.