Secure Database Management on Kubernetes: Deploying pgAdmin 4 with OAuth2 and Ingress

Managing PostgreSQL databases in a Kubernetes environment requires secure, centralized access. This guide details how to deploy pgAdmin 4 as a web application on K8s, securing it behind an Ingress Controller with OAuth2 authentication for enterprise-grade access control.

The Challenge: Secure Access to DB Tools

Developers and DBAs need a GUI to inspect data, run ad-hoc queries, and manage schemas. However, exposing database ports (5432) to the internet is a security risk. Port-forwarding is tedious.

pgAdmin 4 in "Server Mode" solves this. By deploying it as a web application within your Kubernetes cluster, you provide a centralized interface for all your databases without exposing them directly.

Architecture: pgAdmin on Kubernetes

We will deploy pgAdmin 4 using the official Helm chart, but with critical security enhancements:

  1. Stateful Storage: Persisting user sessions and server definitions using a PersistentVolumeClaim (PVC).
  2. Ingress: Exposing the UI via an Ingress Controller (e.g., NGINX or ALB).
  3. OAuth2 / OIDC: Integrating with your identity provider (Google, GitHub, Okta) so users don't need separate credentials for the tool itself.

Helm Configuration

Here is a snippet of a production-ready values.yaml for the pgAdmin Helm chart.

```yaml
env:
  email: "[email protected]"
  password: "SuperSecretPassword" # Use a Secret in production!

persistentVolume:
  enabled: true
  size: 5Gi

ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-prod
  hosts:
    - host: pgadmin.example.com
      paths:
        - path: /
          pathType: Prefix
```

Integrating OAuth2

To avoid managing local users in pgAdmin, configure it to use an external Identity Provider (IdP).

```yaml
extraSecretMounts:
  - name: oauth2-config
    secret: pgadmin-oauth2-secret
    mountPath: /var/lib/pgadmin/oauth2_config.json
    subPath: oauth2_config.json
```

This JSON file maps your IdP's claims (email, groups) to pgAdmin roles, ensuring that only authorized team members can access production database credentials.

Managing Server Definitions

Instead of asking every developer to manually add server connections, you can pre-populate the server list by mounting a servers.json file into the container. This file can be generated by your CI/CD pipeline or Terraform, ensuring that as new database clusters are provisioned, they automatically appear in pgAdmin.
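The pipeline step described above, and the Secret-backed file mount used for the OAuth2 config in the previous section, as an added example (not code from pgAdmin or its Helm chart): build a servers.json from a constructed inventory, reject anything that carries a plaintext password or a weak SSL mode, and wrap the result in a Kubernetes Secret that extraSecretMounts can mount. The inventory, Secret name, namespace and the `readonly` role are assumptions.

```python
import base64
import json

# Constructed inventory, standing in for a CI/CD or Terraform output (assumption).
INVENTORY = [
    {"name": "orders-prod", "host": "orders-db.prod.svc", "db": "orders", "user": "readonly"},
    {"name": "billing-prod", "host": "billing-db.prod.svc", "db": "billing", "user": "readonly", "port": 5433},
]
REQUIRED = ("Name", "Group", "Host", "Port", "MaintenanceDB", "Username", "SSLMode")
SAFE_SSL = {"require", "verify-ca", "verify-full"}  # modes that refuse a plaintext fallback

def build_servers_json(inventory, group="Production"):
    """Build the document pgAdmin loads from servers.json (no Password field:
    credentials come from the login prompt or a PassFile, never from this file)."""
    servers = {}
    for i, entry in enumerate(inventory, start=1):
        servers[str(i)] = {
            "Name": entry["name"],
            "Group": group,
            "Host": entry["host"],
            "Port": entry.get("port", 5432),
            "MaintenanceDB": entry["db"],
            "Username": entry["user"],
            "SSLMode": "verify-full",  # TLS to the database with certificate verification
        }
    return {"Servers": servers}

def check_servers_json(doc):
    """Return a list of problems; an empty list means the file is safe to ship."""
    problems = []
    for sid, srv in doc.get("Servers", {}).items():
        missing = [k for k in REQUIRED if k not in srv]
        if missing:
            problems.append(f"server {sid}: missing {missing}")
        if "Password" in srv:
            problems.append(f"server {sid}: plaintext Password must not be committed")
        if srv.get("SSLMode") not in SAFE_SSL:
            problems.append(f"server {sid}: SSLMode {srv.get('SSLMode')!r} permits unencrypted fallback")
    return problems

def to_secret_manifest(name, namespace, filename, content):
    """Wrap one file in an Opaque Secret for mounting via the chart's extraSecretMounts."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {filename: base64.b64encode(content.encode()).decode()},
    }
```

Pipe `json.dumps(to_secret_manifest(...))` into `kubectl apply -f -` after `check_servers_json` returns an empty list; the mount path inside the pgAdmin container is chart-specific and is not set here.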

Conclusion

Deploying pgAdmin 4 on Kubernetes transforms it from a personal desktop tool into a collaborative, secure platform for database management. By leveraging Ingress and OAuth2, you provide a seamless experience for your team while maintaining strict security controls over your data infrastructure.