Enable pgAdmin deployment (#20)

foundry/pgadmin4.values.yaml

@@ -5,14 +5,25 @@ replicaCount: 1
 ## pgAdmin4 container image
 ##
 image:
+  registry: docker.io
   repository: dpage/pgadmin4
-  tag: "4.27"
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: ""
   pullPolicy: IfNotPresent
 
+## Deployment annotations
+annotations: {}
+
+## Deployment entrypoint override
+## Useful when there's a requirement to modify container's default:
+## https://www.vaultproject.io/docs/platform/k8s/injector/examples#environment-variable-example
+## ref: https://github.com/postgres/pgadmin4/blob/master/Dockerfile#L206
+# command: "['/bin/sh', '-c', 'source /vault/secrets/config && <entrypoint script>']"
+
 service:
   type: ClusterIP
   port: 80
-  targetPort: http
+  targetPort: 80
   # targetPort: 4181 To be used with a proxy extraContainer
   portName: http
 
@@ -26,6 +37,18 @@ service:
   ##
   # nodePort:
 
+## Pod Service Account
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+##
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: false
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
 ## Strategy used to replace old Pods by new ones
 ## Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
 ##
@@ -42,64 +65,38 @@ strategy: {}
 serverDefinitions:
   ## If true, server definitions will be created
   ##
-  enabled: false
+  enabled: true
 
-  servers: |-
-  #  "1": {
-  #    "Name": "Minimally Defined Server",
-  #    "Group": "Servers",
-  #    "Port": 5432,
-  #    "Username": "postgres",
-  #    "Host": "localhost",
-  #    "SSLMode": "prefer",
-  #    "MaintenanceDB": "postgres"
-  #  }
+  servers:
+    foundry:
+      Name: "foundry"
+      Group: "Servers"
+      Port: 5432
+      Username: "postgres"
+      Host: "postgresql"
+      PassFile: "../../pgpass.conf"
+      SSLMode: "prefer"
+      MaintenanceDB: "postgres"
 
 networkPolicy:
   enabled: true
 
+## Ingress
+## Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
 ingress:
-  ## If true, pgAdmin4 Ingress will be created
-  ##
   enabled: true
-
-  ## pgAdmin4 Ingress annotations
-  ##
-  annotations: {}
-    ## Indicate that the ingress should be handled by NGINX controller
-    # kubernetes.io/ingress.class: nginx
-    #
-    ## When setting `ingress.hosts.paths`, pgAdmin needs additional header
-    ## to be passed.
-    ## Ref: https://www.pgadmin.org/docs/pgadmin4/latest/container_deployment.html#http-via-nginx
-    # nginx.ingress.kubernetes.io/configuration-snippet: |
-    #   proxy_set_header X-Script-Name /pgadmin4;
-    #
-    ## If TLS is terminated elsewhere (on external load balancer), you may want
-    ## to redirect to `https://` URL scheme along with rewriting URL path if
-    ## `ingress.hosts.paths` is set. This is specific for image version >= 4.22.
-    ## Ref: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#proxy-redirect
-    # nginx.ingress.kubernetes.io/proxy-redirect-from: "~^http://([^/]+)/(pgadmin4/)?(.*)$"
-    # nginx.ingress.kubernetes.io/proxy-redirect-to: "https://$1/pgadmin4/$3"
-    #
-    ## Secure Ingress with kube-lego or cert-manager if they are deployed into
-    ## the cluster.
-    ## Ref: https://cert-manager.io/docs/usage/ingress/#optional-configuration
-    # kubernetes.io/tls-acme: "true"
-
-  ## pgAdmin4 Ingress hostnames with optional path
-  ## Must be provided if Ingress is enabled
+  annotations:
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      proxy_set_header X-Script-Name /pgadmin;
   hosts:
-    - host: pgadmin.foundry.local
+    - host: foundry.local
       paths:
-        - "/"
-
-  ## pgAdmin4 Ingress TLS configuration
-  ## Secrets must be manually created in the namespace
+        - path: /pgadmin
+          pathType: Prefix
   tls:
-    - secretName: pgadmin.foundry.local
+    - secretName: appliance-cert
       hosts:
-        - pgadmin.foundry.local
+        - foundry.local
 
 # Additional config maps to be mounted inside a container
 # Can be used to map config maps for sidecar as well
@@ -110,12 +107,12 @@ extraConfigmapMounts: []
   #   configMap: certs-configmap
   #   readOnly: true
 
-extraSecretMounts: []
-  # - name: pgpassfile
-  #   secret: pgpassfile
-  #   subPath: pgpassfile
-  #   mountPath: "/var/lib/pgadmin/storage/pgadmin/file.pgpass"
-  #   readOnly: true
+extraSecretMounts:
+  - name: pgpassfile
+    secret: pgpassfile
+    subPath: pgpassfile
+    mountPath: "/pgpass.conf"
+    readOnly: true
 
 ## Specify additional containers in extraContainers.
 ## For example, to add an authentication proxy to a pgadmin4 pod.
@@ -145,9 +142,12 @@ existingSecret: ""
 env:
   # can be email or nickname
   email: administrator@foundry.local
-  password: tartans
+  password: foundry
   # pgpassfile: /var/lib/pgadmin/storage/pgadmin/file.pgpass
 
+  # set context path for application (e.g. /pgadmin4/*)
+  # contextPath: /pgadmin4
+
   ## If True, allows pgAdmin4 to create session cookies based on IP address
   ## Ref: https://www.pgadmin.org/docs/pgadmin4/latest/config_py.html
   ##
@@ -199,14 +199,6 @@ securityContext:
   runAsGroup: 5050
   fsGroup: 5050
 
-resources: {}
-#   limits:
-#     cpu: 100m
-#     memory: 128Mi
-#   requests:
-#     cpu: 100m
-#     memory: 128Mi
-
 ## pgAdmin4 readiness and liveness probe initial delay and timeout
 ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
 ##
@@ -235,15 +227,45 @@ VolumePermissions:
 ## Additional InitContainers to initialize the pod
 ##
 extraInitContainers: |
-#   - name: add-folder-for-pgpass
-#     image: "dpage/pgadmin4:4.23"
-#     command: ["/bin/mkdir", "-p", "/var/lib/pgadmin/storage/pgadmin"]
-#     volumeMounts:
-#       - name: pgadmin-data
-#         mountPath: /var/lib/pgadmin
-#     securityContext:
-#       runAsUser: 5050
+  - name: prepare-pgpass
+    image: "dpage/pgadmin4:latest"
+    command:
+      - "sh"
+      - "-c"
+      - "cp /pgpass.conf /var/lib/pgadmin/pgpass.conf && chown pgadmin:pgadmin /var/lib/pgadmin/pgpass.conf && chmod 600 /var/lib/pgadmin/pgpass.conf"
+    volumeMounts:
+      - name: pgadmin-data
+        mountPath: /var/lib/pgadmin
+      - name: pgpassfile
+        subPath: pgpassfile
+        mountPath: /pgpass.conf
+    securityContext:
+      runAsUser: 0
+
+containerPorts:
+  http: 80
 
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+## Horizontal Pod Autoscaling
+## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
+#
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 100
+  targetCPUUtilizationPercentage: 80
+  # targetMemoryUtilizationPercentage: 80
 
 ## Node labels for pgAdmin4 pod assignment
 ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
@@ -263,7 +285,34 @@ affinity: {}
 ##
 podAnnotations: {}
 
+## Pod labels
+##
+podLabels: {}
+  # key1: value1
+  # key2: value2
+
 init:
   ## Init container resources
   ##
   resources: {}
+
+## Define values for chart tests
+test:
+  ## Container image for test-connection.yaml
+  image:
+    registry: docker.io
+    repository: busybox
+    tag: latest
+  ## Resources request/limit for test-connection Pod
+  resources: {}
+#     limits:
+#       cpu: 25m
+#       memory: 16Mi
+#     requests:
+#       cpu: 50m
+#       memory: 32Mi
+  ## Security context for test-connection Pod
+  securityContext:
+    runAsUser: 5051
+    runAsGroup: 5051
+    fsGroup: 5051

foundry/setup-foundry

@@ -23,11 +23,14 @@ kubectl patch configmap nginx-load-balancer-microk8s-conf \
 # Add host certificate
 kubectl create secret tls appliance-cert --key certs/host-key.pem --cert <( cat certs/host.pem certs/int-ca.pem )
 
-# Install PostgreSQL and pgAdmin4
+# Install PostgreSQL
 helm repo add bitnami https://charts.bitnami.com/bitnami
-helm repo add runix https://helm.runix.net/
 helm install --wait -f postgresql.values.yaml postgresql bitnami/postgresql
-#helm install -f pgadmin4.values.yaml pgadmin4 runix/pgadmin4
+
+# Install pgAdmin4
+helm repo add runix https://helm.runix.net/
+kubectl create secret generic pgpassfile --from-literal=pgpassfile=postgresql:5432:\*:postgres:foundry
+helm install -f pgadmin4.values.yaml pgadmin4 runix/pgadmin4
 
 # Install code-server (browser-based VS Code)
 helm repo add nicholaswilde https://nicholaswilde.github.io/helm-charts/
@@ -89,7 +92,7 @@ API_KEY=$(curl -X POST --silent \
   -H "Content-Type: application/json" \
   -d "{}" | jq -r '.value')
 
-sed -i -r "s/(Core__GameEngineClientSecret:).*/\1 $API_KEY/" gameboard.values.yaml 
+sed -i -r "s/(Core__GameEngineClientSecret:).*/\1 $API_KEY/" gameboard.values.yaml
 
 helm install --wait -f gameboard.values.yaml gameboard sei/gameboard
 kubectl apply -f console-ingress.yaml

mkdocs/docs/index.md

@@ -27,7 +27,7 @@ The following Foundry applications are loaded on this appliance:
 | -------- | --- | ----------- |
 | [/identity](/identity)|[api](/identity/api)| _Identity_ manages logins/credentials across all of the apps. It can integrate with any OAuth2/OIDC application.|
 | [/topomojo](/topomojo)|[api](/topomojo/api)| _TopoMojo_ allows users to build on-demand labs.|
-| [/gameboard](/gameboard)|[api](/gameboard/api/)| _Gameboard_ provides a platform for cyber competition development and delivery.|
+| [/gameboard](/gameboard)|[api](/gameboard/api)| _Gameboard_ provides a platform for cyber competition development and delivery.|
 
 ## Third-party apps
 
@@ -37,6 +37,7 @@ The following third-party applications are loaded on this appliance:
 | -------- | ----------- |
 | [/dashboard](/dashboard)| _Kubernetes Dashboard_ provides details regarding the container deployment for the appliance. |
 | [/gitea](/gitea)| _Gitea_ provides a user interface for editing the web content on the appliance (including this page).|
+| [/pgadmin](/pgadmin)| _pgAdmin_ provides a GUI for managing the PostgreSQL databases for each app. |
 | [/vscode](/vscode)| _code-server_ runs a browser version of [Visual Studio Code](https://code.visualstudio.com) to configure the appliance.
 
 ## Demo challenge