Allow users to configure CONFIG_DATABASE_URI setting in a Secret

This update allows users to configure the CONFIG_DATABASE_URI setting
using a Secret rather than in plaintext in the PGAdmin manifest.

- https://www.pgadmin.org/docs/pgadmin4/latest/external_database.html

Issue: PGO-1130

Author: tjmoore4

build/crd/pgadmins/todos.yaml

@@ -16,5 +16,8 @@
 - op: copy
   from: /work
   path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/users/items/properties/passwordRef/properties/name/description
+- op: copy
+  from: /work
+  path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/config/properties/configDatabaseURI/properties/name/description
 - op: remove
   path: /work

config/crd/bases/postgres-operator.crunchydata.com_pgadmins.yaml

@@ -860,6 +860,24 @@ spec:
                   to any of these values will be loaded without validation. Be careful,
                   as you may put pgAdmin into an unusable state.
                 properties:
+                  configDatabaseURI:
+                    description: 'A Secret containing the value for the CONFIG_DATABASE_URI
+                      setting. More info: https://www.pgadmin.org/docs/pgadmin4/latest/external_database.html'
+                    properties:
+                      key:
+                        description: The key of the secret to select from.  Must be
+                          a valid secret key.
+                        type: string
+                      name:
+                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                        type: string
+                      optional:
+                        description: Specify whether the Secret or its key must be
+                          defined
+                        type: boolean
+                    required:
+                    - key
+                    type: object
                   files:
                     description: Files allows the user to mount projected volumes
                       into the pgAdmin container so that files can be referenced by

internal/controller/standalone_pgadmin/pod.go

@@ -31,6 +31,7 @@ const (
 	configMountPath        = "/etc/pgadmin/conf.d"
 	configFilePath         = "~postgres-operator/" + settingsConfigMapKey
 	clusterFilePath        = "~postgres-operator/" + settingsClusterMapKey
+	configDatabaseURIPath  = "~postgres-operator/config-database-uri"
 	ldapFilePath           = "~postgres-operator/ldap-bind-password"
 	gunicornConfigFilePath = "~postgres-operator/" + gunicornConfigKey
 
@@ -220,6 +221,21 @@ func podConfigFiles(configmap *corev1.ConfigMap, pgadmin v1beta1.PGAdmin) []core
 			},
 		}...)
 
+	if pgadmin.Spec.Config.ConfigDatabaseURI != nil {
+		config = append(config, corev1.VolumeProjection{
+			Secret: &corev1.SecretProjection{
+				LocalObjectReference: pgadmin.Spec.Config.ConfigDatabaseURI.LocalObjectReference,
+				Optional:             pgadmin.Spec.Config.ConfigDatabaseURI.Optional,
+				Items: []corev1.KeyToPath{
+					{
+						Key:  pgadmin.Spec.Config.ConfigDatabaseURI.Key,
+						Path: configDatabaseURIPath,
+					},
+				},
+			},
+		})
+	}
+
 	// To enable LDAP authentication for pgAdmin, various LDAP settings must be configured.
 	// While most of the required configuration can be set using the 'settings'
 	// feature on the spec (.Spec.UserInterface.PGAdmin.Config.Settings), those
@@ -349,19 +365,23 @@ func startupCommand() []string {
 	// - https://github.com/pgadmin-org/pgadmin4/blob/REL-7_7/docs/en_US/config_py.rst
 	//
 	// This command writes a script in `/etc/pgadmin/config_system.py` that reads from
-	// the `pgadmin-settings.json` file and the `ldap-bind-password` file (if it exists)
-	// and sets those variables globally. That way those values are available as pgAdmin
-	// configurations when pgAdmin starts.
+	// the `pgadmin-settings.json` file and the config-database-uri and/or
+	// `ldap-bind-password` files (if either exists) and sets those variables globally.
+	// That way those values are available as pgAdmin configurations when pgAdmin starts.
 	//
 	// Note: All pgAdmin settings are uppercase alphanumeric with underscores, so ignore
 	// any keys/names that are not.
 	//
-	// Note: set pgAdmin's LDAP_BIND_PASSWORD setting from the Secret last
-	// in order to overwrite configuration of LDAP_BIND_PASSWORD via ConfigMap JSON.
+	// Note: set the pgAdmin LDAP_BIND_PASSWORD and CONFIG_DATABASE_URI settings from the
+	// Secrets last in order to overwrite the respective configurations set via ConfigMap JSON.
+
 	const (
 		// ldapFilePath is the path for mounting the LDAP Bind Password
 		ldapPasswordAbsolutePath = configMountPath + "/" + ldapFilePath
 
+		// configDatabaseURIPath is the path for mounting the database URI connection string
+		configDatabaseURIPathAbsolutePath = configMountPath + "/" + configDatabaseURIPath
+
 		configSystem = `
 import glob, json, re, os
 DEFAULT_BINARY_PATHS = {'pg': sorted([''] + glob.glob('/usr/pgsql-*/bin')).pop()}
@@ -372,6 +392,9 @@ with open('` + configMountPath + `/` + configFilePath + `') as _f:
 if os.path.isfile('` + ldapPasswordAbsolutePath + `'):
     with open('` + ldapPasswordAbsolutePath + `') as _f:
         LDAP_BIND_PASSWORD = _f.read()
+if os.path.isfile('` + configDatabaseURIPathAbsolutePath + `'):
+    with open('` + configDatabaseURIPathAbsolutePath + `') as _f:
+        CONFIG_DATABASE_URI = _f.read()
 `
 		// gunicorn reads from the `/etc/pgadmin/gunicorn_config.py` file during startup
 		// after all other config files.

internal/controller/standalone_pgadmin/pod_test.go

@@ -157,6 +157,9 @@ initContainers:
     if os.path.isfile('/etc/pgadmin/conf.d/~postgres-operator/ldap-bind-password'):
         with open('/etc/pgadmin/conf.d/~postgres-operator/ldap-bind-password') as _f:
             LDAP_BIND_PASSWORD = _f.read()
+    if os.path.isfile('/etc/pgadmin/conf.d/~postgres-operator/config-database-uri'):
+        with open('/etc/pgadmin/conf.d/~postgres-operator/config-database-uri') as _f:
+            CONFIG_DATABASE_URI = _f.read()
   - |
     import json, re
     with open('/etc/pgadmin/conf.d/~postgres-operator/gunicorn-config.json') as _f:
@@ -336,6 +339,9 @@ initContainers:
     if os.path.isfile('/etc/pgadmin/conf.d/~postgres-operator/ldap-bind-password'):
         with open('/etc/pgadmin/conf.d/~postgres-operator/ldap-bind-password') as _f:
             LDAP_BIND_PASSWORD = _f.read()
+    if os.path.isfile('/etc/pgadmin/conf.d/~postgres-operator/config-database-uri'):
+        with open('/etc/pgadmin/conf.d/~postgres-operator/config-database-uri') as _f:
+            CONFIG_DATABASE_URI = _f.read()
   - |
     import json, re
     with open('/etc/pgadmin/conf.d/~postgres-operator/gunicorn-config.json') as _f:

pkg/apis/postgres-operator.crunchydata.com/v1beta1/standalone_pgadmin_types.go

@@ -26,6 +26,11 @@ type StandalonePGAdminConfiguration struct {
 	// +optional
 	Files []corev1.VolumeProjection `json:"files,omitempty"`
 
+	// A Secret containing the value for the CONFIG_DATABASE_URI setting.
+	// More info: https://www.pgadmin.org/docs/pgadmin4/latest/external_database.html
+	// +optional
+	ConfigDatabaseURI *corev1.SecretKeySelector `json:"configDatabaseURI,omitempty"`
+
 	// Settings for the gunicorn server.
 	// More info: https://docs.gunicorn.org/en/latest/settings.html
 	// +optional

pkg/apis/postgres-operator.crunchydata.com/v1beta1/zz_generated.deepcopy.go

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- files/00-cluster.yaml
+assert:
+- files/00-cluster-check.yaml

testing/kuttl/e2e-other/standalone-pgadmin-db-uri/00--create-cluster.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+# ensure the user schema is created for pgAdmin to use
+  - script: |
+      PRIMARY=$(
+        kubectl get pod --namespace "${NAMESPACE}" \
+          --output name --selector '
+            postgres-operator.crunchydata.com/cluster=elephant,
+            postgres-operator.crunchydata.com/role=master'
+      )
+      kubectl exec --namespace "${NAMESPACE}" "${PRIMARY}" \
+        -- psql -qAt -d elephant --command 'CREATE SCHEMA elephant AUTHORIZATION elephant'

testing/kuttl/e2e-other/standalone-pgadmin-db-uri/01--user-schema.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- files/02-pgadmin.yaml
+assert:
+- files/02-pgadmin-check.yaml

testing/kuttl/e2e-other/standalone-pgadmin-db-uri/02--create-pgadmin.yaml

@@ -0,0 +1,21 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+commands:
+- script: |
+      PRIMARY=$(
+        kubectl get pod --namespace "${NAMESPACE}" \
+          --output name --selector '
+            postgres-operator.crunchydata.com/cluster=elephant,
+            postgres-operator.crunchydata.com/role=master'
+      )
+
+      NUM_USERS=$(
+      kubectl exec --namespace "${NAMESPACE}" "${PRIMARY}" -- \
+        psql -qAt -d elephant --command 'select count(*) from elephant.user' \
+      )
+
+      if [[ ${NUM_USERS} != 1 ]]; then
+          echo >&2 'Expected 1 user'
+          echo "got ${NUM_USERS}"
+          exit 1
+      fi