Installation
Kubernetes
The PgDog control plane comes with its own Helm chart. You can install it directly from our chart repository:
The chart has a few external requirements, documented below.
Guided install
While the chart creates and manages several resources, including an Ingress, some of them have external dependencies which cannot be created by Helm.
If you're not sure whether your Kubernetes cluster has all the necessary dependencies, you can run a quick script we created to validate this:
The script requires that you have both the awscli and kubectl installed, which it will use to inspect your environment.
Read-only actions
The guided installation script is strictly read-only and will never make any modifications to your environment.
Requirements
Since the chart creates an Ingress resource for the web dashboard, an ingress controller is required to access it. The chart supports four Ingress settings out of the box:
| Ingress | Description |
|---|---|
| Nginx | Uses the ingress-nginx controller with cert-manager for TLS. The controller is widely used, although currently deprecated by the Kubernetes consortium. |
| AWS ALB | Uses the AWS ELB controller to create a load balancer. Supports TLS termination with an ACM-managed certificate. |
| Gateway API | Uses the more modern Kubernetes Gateway API, with support for gateways like Envoy. |
| Custom | All labels and annotations are exposed to the chart caller, so you can configure your own Ingress. |
Authentication
If the dashboard is deployed with access to the Internet, make sure to configure authentication to protect against unauthorized access. The control plane supports OAuth2 with two providers: GitHub and Google.
Ingress
Most of the settings that need to be provided are around the Ingress and OAuth authentication. The guided install will configure them automatically. However, if you're installing manually, they are documented below:
| Setting | Description | Example |
|---|---|---|
| ingress.mode | Which ingress to use for the web dashboard. | gateway |
| ingress.host | DNS for the dashboard. Tightly coupled to the TLS certificate, if enabled. | pgdog.acme.com |
Nginx
The nginx ingress (deprecated, but still available) is supported out of the box, along with automatic TLS termination (using cert-manager).
| Setting | Description | Example |
|---|---|---|
| ingress.nginx.clusterIssuer | The name of the ClusterIssuer resource. | letsencrypt-prod |
Example
AWS ALB
The AWS ALB ingress is supported out of the box and uses ACM for TLS termination at the load balancer.
| Setting | Description | Example |
|---|---|---|
| ingress.aws.scheme | internet-facing or internal. | internet-facing |
| ingress.aws.certificateArn | ARN of the ACM TLS certificate (validated externally, e.g., with DNS). | arn:aws:acm:us-east-1:111111111111:certificate/abc-123 |
Example
```yaml
ingress:
  mode: aws
  host: control.acme.com
  aws:
    scheme: internet-facing
    certificateArn: arn:aws:acm:us-east-1:111111111111:certificate/abc-123
```
OAuth2
OAuth2 authentication is supported out of the box for GitHub and Google providers. Either one can be configured as follows:
Alternatively, the client secret can be set as an environment variable:
| Provider | Variable |
|---|---|
| GitHub | GITHUB_CLIENT_SECRET |
| Google | GOOGLE_CLIENT_SECRET |
Access control
allowed_orgs (GitHub) and allowed_domains (Google) restrict logins to members of those organizations or email domains. If left empty, anyone who can authenticate with the provider is allowed in.
Both accept a list, so you can allow more than one:
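A pre-deploy check for the empty-allowlist case described above, written as an added example; it is not part of the PgDog chart or its documentation. It assumes the values file has already been parsed into a mapping, looks up `allowed_orgs` and `allowed_domains` by name at any depth because their nesting is not shown here, and uses its own function names (`find_key`, `allowlist_entries`, `lint`) and a constructed sample with a hypothetical `oauth`/`github` layout.

```python
# Added example: lint a parsed Helm values mapping before install.
ALLOWLIST_KEYS = ("allowed_orgs", "allowed_domains")  # setting names from the page

def find_key(node, key):
    """Yield every value stored under `key` at any depth; the nesting of the
    OAuth settings inside the values file is not assumed."""
    if isinstance(node, dict):
        for name, value in node.items():
            if name == key:
                yield value
            yield from find_key(value, key)
    elif isinstance(node, list):
        for item in node:
            yield from find_key(item, key)

def allowlist_entries(values):
    """Collect non-blank allowlist entries; a bare string counts as one entry."""
    entries = []
    for key in ALLOWLIST_KEYS:
        for found in find_key(values, key):
            items = [found] if isinstance(found, str) else found
            if isinstance(items, list):
                entries += [i.strip() for i in items if isinstance(i, str) and i.strip()]
    return entries

def lint(values):
    """Return (severity, message) findings for the dashboard exposure settings."""
    findings = []
    ingress = values.get("ingress") or {}
    aws = ingress.get("aws") or {}
    # Only an explicitly internal ALB is treated as not Internet-reachable.
    internal = ingress.get("mode") == "aws" and aws.get("scheme") == "internal"
    if not allowlist_entries(values):
        findings.append(("WARN" if internal else "HIGH",
                         "allowed_orgs/allowed_domains empty: any account the "
                         "provider authenticates can log in"))
    if ingress.get("mode") == "aws" and not aws.get("certificateArn"):
        findings.append(("WARN", "ingress.aws.certificateArn is not set"))
    return findings

# Constructed sample; the "oauth"/"github" nesting is hypothetical.
SAMPLE = {
    "ingress": {"mode": "aws", "host": "control.acme.com",
                "aws": {"scheme": "internet-facing",
                        "certificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/abc-123"}},
    "oauth": {"github": {"allowed_orgs": []}},
}

if __name__ == "__main__":
    for severity, message in lint(SAMPLE):
        print(f"{severity}: {message}")
```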