
Pgadmin oauth secrets #4123

Open
wants to merge 8 commits into main

Conversation

@philrhurst (Contributor) commented Mar 6, 2025

Checklist:

  • Have you added an explanation of what your changes do and why you'd like them to be included?
  • Have you updated or added documentation for the change, as applicable?
  • Have you tested your changes on all related environments with successful results, as applicable?
    • Have you added automated tests?

Type of Changes:

  • New feature
  • Bug fix
  • Documentation
  • Testing enhancement
  • Other

What is the current behavior (link to any open issues here)?

The PGAdmin API only allows users to specify OAUTH configuration data via plaintext in the manifest.

What is the new behavior (if this is a feature change)?

Users can now specify their OAUTH configuration via a Secret and pass that to PGAdmin with an entry containing the secret name in spec.config.oauthConfigurations.

  • Breaking change (fix or feature that would cause existing functionality to change)

Other Information:

@philrhurst philrhurst marked this pull request as ready for review March 6, 2025 19:46
Comment on lines +143 to +190
// Determine if a rollout because Secrets and ConfigMaps have changed
checkOauthSecretsChange(oauthSecrets, sts)
checkConfigMapChange(configmap, sts)

return sts
}

func checkOauthSecretsChange(oauthSecrets []corev1.Secret, sts *appsv1.StatefulSet) {
var secretHash, currentHash string
var sb strings.Builder

for _, secret := range oauthSecrets {
hash := sha256.New()
for key, value := range secret.Data {
hash.Write([]byte(key))
hash.Write(value)
}
encoding := hex.EncodeToString(hash.Sum(nil))
sb.WriteString(encoding)
}
secretHash = sb.String()
currentHash = sts.Spec.Template.Annotations["oauthSecretsHash"]

if currentHash != secretHash {
if sts.Spec.Template.Annotations == nil {
sts.Spec.Template.Annotations = map[string]string{}
}
sts.Spec.Template.Annotations["oauthSecretsHash"] = secretHash
}
}

func checkConfigMapChange(configmap *corev1.ConfigMap, sts *appsv1.StatefulSet) {
var secretHash, currentHash string
hash := sha256.New()
for key, value := range configmap.Data {
hash.Write([]byte(key))
hash.Write([]byte(value))
}
secretHash = hex.EncodeToString(hash.Sum(nil))
currentHash = sts.Spec.Template.Annotations["configMapHash"]

if currentHash != secretHash {
if sts.Spec.Template.Annotations == nil {
sts.Spec.Template.Annotations = map[string]string{}
}
sts.Spec.Template.Annotations["configMapHash"] = secretHash
}
}
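Review bot: The checksum computed in checkOauthSecretsChange (and likewise in checkConfigMapChange) is not deterministic: `for key, value := range secret.Data` iterates a Go map in randomized order, so the same unchanged Secret can yield a different hash on successive reconciles and trigger a spurious StatefulSet rollout. Collect and sort the keys first (`keys := make([]string, 0, len(secret.Data))`, `sort.Strings(keys)`) and write each key and value with a length prefix or delimiter so that adjacent entries such as ("a","bc") and ("ab","c") cannot collide; the outer loop over oauthSecrets has the same ordering dependency. The `currentHash != secretHash` guard can go, since assigning an equal value to the annotation is already a no-op, and `secretHash` in checkConfigMapChange is misnamed for what it holds. Since the annotation is written into the pod template, which is visible to anyone who can read pods, a bare sha256 over the raw secret values also lets a reader check guesses for low-entropy values offline; hashing the Secret's resourceVersion, or using a keyed hash, would avoid putting a digest of the secret material there at all.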
Contributor

I'm probably just missing something, but I don't understand the purpose of this code here... It seems like it's just updating the hash in the annotation if it is different from the current hash, but I don't see any references to either of these hash annotations in the codebase, so I'm wondering what their purpose is in the first place...

Comment on lines +46 to +52
// OauthConfigurations allows the user to reference one or more Secrets
// containing OAUTH2 configuration settings for pgAdmin.
// Each Secret shall contain a single data key called oauth-config.json
// whose value is a JSON object containing the OAUTH2 configuration settings.
// More info: https://www.pgadmin.org/docs/pgadmin4/latest/oauth2.html
// +optional
OauthConfigurations []corev1.LocalObjectReference `json:"oauthConfigurations,omitempty"`
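Review bot: The doc comment says each Secret "shall contain a single data key called oauth-config.json", but corev1.LocalObjectReference carries only a name, so nothing in this type enforces that key or documents what happens when it is missing or when the Secret holds additional keys (the change-detection code in this PR folds every key in Data into the checksum regardless). Either state the behaviour for an absent or extra key in the comment, or use a key-selecting reference type so the key name is explicit in the manifest rather than a convention the user has to know.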
Contributor

I think it's probably fine to tell the user that they have to name the file a specific thing; however, if we wanted to allow the user to name it whatever they want, you could use SecretKeyRef found in pkg/apis/postgres-operator.crunchydata.com/v1beta1/config_types.go
