So I am trying to configure PostgreSQL with pgAdmin access. I have managed to get PostgreSQL and pgAdmin deployed, but issues appear when I try to log in to the pgAdmin UI.
My k8s cluster is on google cloud platform.
Cluster info.
Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.4", GitCommit:"c96aede7b5205121079932896c4ad89bb93260af", GitTreeState:"clean", BuildDate:"2020-06-18T17:02:08Z", GoVersion:"go1.13.12", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"14+", GitVersion:"v1.14.10-gke.36", GitCommit:"34a615f32e9a0c9e97cdb9f749adb392758349a6", GitTreeState:"clean", BuildDate:"2020-04-06T16:33:17Z", GoVersion:"go1.12.12b4", Compiler:"gc", Platform:"linux/amd64"}
This is pgadmin-deployment.yaml:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pgadmin
spec:
  selector:
    matchLabels:
      frontend: pgadmin
  replicas: 1
  template:
    metadata:
      labels:
        frontend: pgadmin
    spec:
      containers:
        - name: pgadmin
          image: dpage/pgadmin4
          imagePullPolicy: "IfNotPresent"
          env:
            - name: PGADMIN_DEFAULT_EMAIL
              value: "test@test.com"
            - name: PGADMIN_DEFAULT_PASSWORD
              value: "test!"
            - name: PGADMIN_LISTEN_PORT
              value: "443"
          ports:
            - containerPort: 443
```
Here is my pgadmin-service.yaml:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: pgadmin-service
spec:
  type: ClusterIP
  selector:
    frontend: pgadmin
  ports:
    - port: 9210
      targetPort: 443
      protocol: TCP
```
Also I have certmanager and nginx ingress installed on the cluster.
Nginx installation steps:
```bash
helm repo add stable https://kubernetes-charts.storage.googleapis.com/
helm install my-ingress stable/nginx-ingress --set rbac.create=true
```
Cert-Manager install steps:
```bash
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.15.1/cert-manager-legacy.crds.yaml
kubectl create namespace cert-manager
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --version v0.15.1 \
  # --set installCRDs=true
```
My issuer.yaml:
```yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: "my@email.com"
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            class: nginx
```
My certificate.yaml:
```yaml
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: mydomain.com
spec:
  secretName: cert
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: mydomain.com
  dnsNames:
    - pgadmin.mydomain.com
  acme:
    config:
      - http01:
          ingressClass: nginx
        domains:
          - pgadmin.mydomain.com
```
And finally ingress-service.yaml:
```yaml
apiVersion: networking.k8s.io/v1beta1 #networking.k8s.io/v1beta1 # for versions before 1.14 use extensions/v1beta1
kind: Ingress
metadata:
  name: example-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/rewrite-target: /
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
    nginx.ingress.kubernetes.io/use-regex: 'true'
spec:
  tls:
    - hosts:
        - pgadmin.mydomain.com
      secretName: cert
  rules:
    - host: pgadmin.mydomain.com
      http:
        paths:
          - path: /
            backend:
              serviceName: pgadmin-service
              servicePort: 9210
```
Currently my issue is that when I try to log in to my pgAdmin UI, I get the following error: error
Container logs: logs
My domain is located behind CloudFlare. tls settings
If anything else is needed please let me know.
Don't use port 443... use 80 and don't use SSL in the pod. Terminate pls on ingress.
It is because you aren't passing the TLS certificate to the pgAdmin pods.
As mentioned in documentation, you need to provide the certificate and key:
PGADMIN_ENABLE_TLS
Default: <null>
If left un-set, the container will listen on port 80 for connections in plain text. If set to any value, the container will listen on port 443 for TLS connections.
When TLS is enabled, a certificate and key must be provided. Typically these should be stored on the host file system and mounted from the container. The expected paths are /certs/server.crt and /certs/server.key
You have 2 options:
volumes on your deployment, as mentioned here.
From the specs you have provided, you should change the deployment file to:
```yaml
# ..
env:
  - name: PGADMIN_DEFAULT_EMAIL
    value: "test@test.com"
  - name: PGADMIN_DEFAULT_PASSWORD
    value: "test!"
ports:
  - containerPort: 80
```
Change the service spec to point to the correct port:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: pgadmin-service
spec:
  selector:
    frontend: pgadmin
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
```
And then, change the ingress to the correct port:
```yaml
spec:
  tls:
    - hosts:
        - pgadmin.mydomain.com
      secretName: cert
  rules:
    - host: pgadmin.mydomain.com
      http:
        paths:
          - path: /
            backend:
              serviceName: pgadmin-service
              servicePort: 80
```
The ingress will redirect all requests from port 80 to 443, since you are using the nginx.ingress.kubernetes.io/ssl-redirect annotation.
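The answer above changes the port in three manifests, and the path only works if all three agree. As an added example (not part of the original answer), this Python check traces Ingress servicePort -> Service targetPort -> pod listen port and applies the PGADMIN_ENABLE_TLS rule from the quoted documentation; the manifests are constructed dicts reduced to the fields shown on this page, and the function names are hypothetical.

```python
# Added example, not from the original thread. Manifests are constructed
# dicts holding only the fields shown on this page (no YAML parser needed).

def pgadmin_listener(container):
    """Port and scheme the dpage/pgadmin4 container serves on.

    PGADMIN_ENABLE_TLS set to any value: TLS, default port 443; unset: plain
    text, default port 80. PGADMIN_LISTEN_PORT overrides only the port number.
    """
    env = {e["name"]: e.get("value") for e in container.get("env", [])}
    tls = env.get("PGADMIN_ENABLE_TLS") is not None
    port = int(env.get("PGADMIN_LISTEN_PORT", 443 if tls else 80))
    return port, "https" if tls else "http"


def check_chain(deployment, service, ingress):
    """Return a list of problems on the Ingress -> Service -> pod port path."""
    problems = []
    container = deployment["spec"]["template"]["spec"]["containers"][0]
    listen, scheme = pgadmin_listener(container)
    if listen not in {p["containerPort"] for p in container.get("ports", [])}:
        problems.append(f"containerPort does not list the listen port {listen}")
    targets = {p["port"]: p.get("targetPort", p["port"])
               for p in service["spec"]["ports"]}
    for rule in ingress["spec"]["rules"]:
        for path in rule["http"]["paths"]:
            backend = path["backend"]
            if backend["serviceName"] != service["metadata"]["name"]:
                continue
            port = backend["servicePort"]
            if port not in targets:
                problems.append(f"Ingress servicePort {port} is not a Service port")
            elif targets[port] != listen:
                problems.append(
                    f"Service targetPort {targets[port]} != pod listen port {listen}")
    mounts = [m.get("mountPath", "") for m in container.get("volumeMounts", [])]
    if scheme == "https" and not any(m.startswith("/certs") for m in mounts):
        problems.append("TLS enabled but nothing is mounted under /certs")
    return problems


def manifests(env, container_port, svc_port, target_port, ingress_port):
    """Build constructed Deployment/Service/Ingress dicts for the checks."""
    dep = {"spec": {"template": {"spec": {"containers": [
        {"env": env, "ports": [{"containerPort": container_port}]}]}}}}
    svc = {"metadata": {"name": "pgadmin-service"},
           "spec": {"ports": [{"port": svc_port, "targetPort": target_port}]}}
    ing = {"spec": {"rules": [{"http": {"paths": [{"backend": {
        "serviceName": "pgadmin-service", "servicePort": ingress_port}}]}}]}}
    return dep, svc, ing
```

Calling `check_chain(*manifests([], 80, 9210, 443, 9210))` reproduces the case where the Deployment was switched to port 80 but the Service still targets 443.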