# pgAdmin
Web UI for Postgres, deployed per environment via the Runix pgadmin4 Helm chart. Each environment connects to its own CNPG cluster (see Postgres).
## Argo CD Application
`k8s/envs/<env>/middleware/pgadmin/application.yaml` uses the multi-source pattern:

- Chart — `https://helm.runix.net`, chart `pgadmin4` at `1.57.0`.
- Values — `$values/k8s/envs/<env>/middleware/pgadmin/values.yaml` from this repo.
Both Applications (dev and prod) deploy into the `data` namespace alongside Postgres.
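What the multi-source Application looks like, as an added illustration rather than a copy of the repo's own `application.yaml`: the Git `repoURL`, branch, Argo CD namespace and project are placeholders, everything else follows the pattern described above.

```yaml
# Added example of the multi-source Argo CD Application for the dev environment.
# Not the repo's own manifest: the Git repoURL, branch, Argo CD namespace and
# project are placeholders.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: pgadmin-dev
  namespace: argocd                 # assumed: Argo CD's own namespace
spec:
  project: default                  # assumed
  destination:
    server: https://kubernetes.default.svc
    namespace: data                 # same namespace as the CNPG cluster
  sources:
    # Source 1: the Runix chart, pinned to an exact chart version.
    - repoURL: https://helm.runix.net
      chart: pgadmin4
      targetRevision: 1.57.0
      helm:
        valueFiles:
          # "$values" resolves to the source that declares "ref: values" below,
          # so the chart is rendered with a values file from this repo.
          - $values/k8s/envs/dev/middleware/pgadmin/values.yaml
    # Source 2: this repo, contributing no manifests of its own; it only
    # exposes its tree to source 1 under the "values" ref.
    - repoURL: https://example.invalid/tomoda/infra.git   # placeholder
      targetRevision: main                                 # assumed branch
      ref: values
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
```

Pinning `targetRevision` to an exact chart version (rather than a range or `*`) is what makes a chart upgrade an explicit, reviewable commit; with `selfHeal` on, anything changed by hand in the `data` namespace is reverted to what the values file says.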
## Server definition
`serverDefinitions.enabled: true` pre-registers the per-env Postgres so the first-time login lands on a populated server tree:

| Env | Server name | Host | User |
|---|---|---|---|
| dev | Tomoda-Dev-Postgres | postgres-postgresql | postgres |
| prod | Tomoda-Prod-Postgres | prod-postgres-postgresql | tomoda_admin |
Both connect on port 5432 with `SSLMode: prefer`. The hostnames are the ExternalName aliases that point at the CNPG `-rw` Service. Note that `prefer` is opportunistic: libpq negotiates TLS if the server offers it, silently falls back to plaintext if it does not, and never verifies the server certificate, so this setting protects nothing against an in-cluster man-in-the-middle. It is acceptable only because the hop stays inside the cluster; `require` or `verify-full` with the CNPG CA would be the stricter choice.
The pgAdmin master password and login email are set in `values.yaml` (`env.email`, `env.password`). These gate the pgAdmin UI itself, not the Postgres connection, and because they live in `values.yaml` they are committed to the repo in clear text; the oauth2-proxy layer in front of the Ingress (below) is the control that actually keeps the UI off the public internet. The Postgres password is not pre-filled by the chart; the operator enters it interactively after authenticating to pgAdmin.
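The corresponding `values.yaml` fragment, written here as an added example in the key layout the Runix chart uses for `env` and `serverDefinitions` (the server entries carry the same keys as pgAdmin's own `servers.json`). It is not the repo's file: the login email and password are placeholders, and only the dev server is shown.

```yaml
# Added example values.yaml fragment for the dev environment. Not the repo's
# own file: email and password are placeholders.
env:
  email: admin@tomoda.life        # placeholder pgAdmin login
  password: change-me             # placeholder; committed to git in clear text

serverDefinitions:
  enabled: true
  servers:
    # Keys under "servers" follow pgAdmin's servers.json schema.
    tomodaDev:
      Name: "Tomoda-Dev-Postgres"
      Group: "Servers"
      Host: "postgres-postgresql"   # ExternalName alias -> CNPG -rw Service
      Port: 5432
      MaintenanceDB: "postgres"
      Username: "postgres"
      # "prefer" negotiates TLS but falls back to plaintext and does not
      # verify the server certificate; "require" or "verify-full" is stricter.
      SSLMode: "prefer"
      # No password key: pgAdmin prompts for it after the UI login.
```

Because `serverDefinitions` is loaded into the user's profile on first start and existing entries are not overwritten, a change to `SSLMode` or `Host` here only affects fresh profiles; an already-registered server has to be edited in the UI or removed so it is re-imported.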
## Ingress and auth
Although it is an operator-only tool, pgAdmin is exposed via Traefik rather than left to port-forward; both envs ship an Ingress:

| Env | Host | Auth |
|---|---|---|
| dev | pg-admin-dev.tomoda.life | oauth2-proxy (Google) middlewares |
| prod | pg-admin-prod.tomoda.life | oauth2-proxy (Google) middlewares |
The `traefik.ingress.kubernetes.io/router.middlewares` annotation chains `sys-oauth2-proxy-errors` and `sys-oauth2-proxy-auth` (Traefik's `<namespace>-<name>` form, i.e. Middleware objects in the `sys` namespace), so every request hits oauth2-proxy first and is bounced through Google sign-in, restricted to `tomoda.life` accounts. An additional path `/oauth2` on the same Ingress routes to the `oauth2-proxy-redir` Service for the callback dance. TLS is provisioned by cert-manager into `pgadmin-tls` (dev) / `pgadmin-prod-tls` (prod). The pgAdmin login behind it is therefore a second gate, not the only one: an attacker has to get past Google sign-in on a `tomoda.life` account before the pgAdmin password matters.
If you don't want to deal with the OAuth flow, `kubectl -n data port-forward svc/pgadmin-pgadmin4 8080:80` works locally, but the canonical access path is the URL. Be aware that port-forward bypasses oauth2-proxy entirely, so the pgAdmin password is the only thing gating that session; it also requires kubectl access to the `data` namespace, which is itself a privileged position.
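The shape of the rendered dev Ingress, as an added illustration of the routing described above and not the chart's actual template output. The cert-manager issuer name, Traefik entrypoint and the oauth2-proxy Service port are assumptions; host, secret, middleware and Service names follow this page.

```yaml
# Added example of the dev Ingress as Traefik sees it. Illustrative, not the
# chart's rendered output; issuer name, entrypoint and the oauth2-proxy port
# are assumptions.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: pgadmin
  namespace: data
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt                  # assumed issuer
    traefik.ingress.kubernetes.io/router.entrypoints: websecure  # assumed entrypoint
    # Middleware chain: "<namespace>-<name>@kubernetescrd". Order matters:
    # the errors middleware wraps the auth middleware so oauth2-proxy's
    # 401/403 responses are turned into the sign-in redirect.
    traefik.ingress.kubernetes.io/router.middlewares: >-
      sys-oauth2-proxy-errors@kubernetescrd,sys-oauth2-proxy-auth@kubernetescrd
spec:
  ingressClassName: traefik
  tls:
    - hosts:
        - pg-admin-dev.tomoda.life
      secretName: pgadmin-tls          # filled by cert-manager
  rules:
    - host: pg-admin-dev.tomoda.life
      http:
        paths:
          # Callback path for the OAuth dance goes to oauth2-proxy, not pgAdmin.
          - path: /oauth2
            pathType: Prefix
            backend:
              service:
                name: oauth2-proxy-redir
                port:
                  number: 4180         # assumed oauth2-proxy listen port
          # Everything else reaches pgAdmin only after the auth middleware
          # has accepted the request.
          - path: /
            pathType: Prefix
            backend:
              service:
                name: pgadmin-pgadmin4
                port:
                  number: 80
```

The check worth making after any change to this object is that the middleware annotation survived the Helm render: an Ingress for the same host without it still serves TLS and still looks healthy, but serves pgAdmin's login page straight to the internet.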
## Operations
- Reset master password — bump `env.password` in `values.yaml`, commit, let Argo CD sync, then restart the pod. Note that pgAdmin reads `PGADMIN_DEFAULT_PASSWORD` only when it first initialises its configuration database; if the chart keeps that database on a persistent volume, the new value is ignored until the volume is wiped, and the password has to be changed from inside pgAdmin instead.
- Add a server — extend `serverDefinitions.servers` and re-sync. Existing servers in the user's profile are not overwritten.
- Chart upgrade — adjust `targetRevision`; check the Runix changelog for value-schema changes.