diff --git a/kubernetes/apps/default/kustomization.yaml b/kubernetes/apps/default/kustomization.yaml
index 7d683d304..34edb1294 100644
--- a/kubernetes/apps/default/kustomization.yaml
+++ b/kubernetes/apps/default/kustomization.yaml
@@ -10,6 +10,7 @@ resources:
 - ./gluetun/ks.yaml
 - ./homepage/ks.yaml
 - ./media-smb/ks.yaml
+ - ./pgadmin/ks.yaml
 - ./plex/ks.yaml
 - ./pocket-id/ks.yaml
 - ./prowlarr/ks.yaml
diff --git a/kubernetes/apps/default/pgadmin/app/externalsecret.yaml b/kubernetes/apps/default/pgadmin/app/externalsecret.yaml
new file mode 100644
index 000000000..0e635ae15
--- /dev/null
+++ b/kubernetes/apps/default/pgadmin/app/externalsecret.yaml
@@ -0,0 +1,21 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: pgadmin
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword
+ target:
+ name: pgadmin-secret
+ data:
+ - secretKey: PGADMIN_DEFAULT_EMAIL
+ remoteRef:
+ key: pgadmin
+ property: username
+ - secretKey: PGADMIN_DEFAULT_PASSWORD
+ remoteRef:
+ key: pgadmin
+ property: username
diff --git a/kubernetes/apps/default/pgadmin/app/helmrelease.yaml b/kubernetes/apps/default/pgadmin/app/helmrelease.yaml
new file mode 100644
index 000000000..2db3a1550
--- /dev/null
+++ b/kubernetes/apps/default/pgadmin/app/helmrelease.yaml
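Review bot: In externalsecret.yaml the `PGADMIN_DEFAULT_PASSWORD` entry reads `property: username`, the same 1Password field as `PGADMIN_DEFAULT_EMAIL`, so the initial pgAdmin password will be identical to the login e-mail. This looks like a copy-paste slip; the second `remoteRef` should presumably be `property: password`, assuming the `pgadmin` item has such a field. As far as I know pgAdmin applies these defaults only when it first initialises its configuration database, and `/var/lib/pgadmin` is on a persistent claim, so a correction pushed after the first start would not change the stored credential. Fix it before the first reconcile, or reset the account afterwards.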
@@ -0,0 +1,87 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: pgadmin
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: app-template
+ version: 3.5.1
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
+ values:
+ defaultPodOptions:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 5050
+ runAsGroup: 5050
+ fsGroup: 5050
+ fsGroupChangePolicy: OnRootMismatch
+ seccompProfile: { type: RuntimeDefault }
+ controllers:
+ pgadmin:
+ annotations:
+ reloader.stakater.com/auto: "true"
+ containers:
+ pgadmin:
+ image:
+ repository: docker.io/dpage/pgadmin4
+ tag: "8.13@sha256:561c1f8f99f2fe24bc63814db9e30292cf4360331de9182da21e3554ce61bdaa"
+ env:
+ PGADMIN_DISABLE_POSTFIX: "true"
+ envFrom:
+ - secretRef:
+ name: pgadmin-secret
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop: ["ALL"]
+ add:
+ - NET_BIND_SERVICE
+ service:
+ pgadmin:
+ controller: pgadmin
+ ports:
+ http:
+ port: 80
+ ingress:
+ pgadmin:
+ className: internal
+ annotations:
+ nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy.${PUBLIC_DOMAIN0}/oauth2/auth
+ nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy.${PUBLIC_DOMAIN0}/oauth2/start?rd=$scheme://$best_http_host$request_uri
+ nginx.ingress.kubernetes.io/auth-response-headers: "x-auth-request-email"
+ hosts:
+ - host: "${APP_SUBDOMAIN:-${APP}}.${PUBLIC_DOMAIN0}"
+ paths:
+ - path: /
+ service:
+ identifier: pgadmin
+ port: http
+ persistence:
+ config:
+ existingClaim: ${APP}
+ globalMounts:
+ - path: /var/lib/pgadmin
+ empty:
+ type: emptyDir
+ sizeLimit: 100Mi
+ globalMounts:
+ - path: /tmp
+ subPath: tmp
+ - path: /var/log
+ subPath: log
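Review bot: The oauth2-proxy check under `ingress.pgadmin.annotations` in helmrelease.yaml is enforced only by the nginx ingress, so any workload that can reach the `pgadmin` Service on port 80 from inside the cluster is gated solely by pgAdmin's own login from `pgadmin-secret`. `auth-response-headers: "x-auth-request-email"` is forwarded, but nothing in `env` configures pgAdmin to consume it, so it is either unused or a step towards header-based login. If it is the latter, restrict pod ingress to the ingress controller with a NetworkPolicy first, because a trusted identity header is only safe when clients cannot reach the pod directly. No NetworkPolicy is visible in this commit, so confirm whether one exists elsewhere. I would also add a comment above the annotations such as `# SSO gate is ingress-only; pgAdmin's own login still applies`.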
diff --git a/kubernetes/apps/default/pgadmin/app/kustomization.yaml b/kubernetes/apps/default/pgadmin/app/kustomization.yaml
new file mode 100644
index 000000000..b5cc32d35
--- /dev/null
+++ b/kubernetes/apps/default/pgadmin/app/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./externalsecret.yaml
+ - ./helmrelease.yaml
+ - ../../../../templates/gatus/guarded
+ - ../../../../templates/volsync
diff --git a/kubernetes/apps/default/pgadmin/ks.yaml b/kubernetes/apps/default/pgadmin/ks.yaml
new file mode 100644
index 000000000..bc3f2b671
--- /dev/null
+++ b/kubernetes/apps/default/pgadmin/ks.yaml
@@ -0,0 +1,26 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app pgadmin
+ namespace: flux-system
+spec:
+ targetNamespace: default
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ dependsOn:
+ - name: external-secrets-stores
+ - name: volsync
+ path: ./kubernetes/apps/default/pgadmin/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: false
+ interval: 30m
+ postBuild:
+ substitute:
+ APP: *app
+ VOLSYNC_CAPACITY: 100Mi
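Review bot: `postBuild.substitute` in ks.yaml defines only `APP` and `VOLSYNC_CAPACITY`, while helmrelease.yaml also expands `${PUBLIC_DOMAIN0}`, with no default, in the ingress host and in both oauth2-proxy annotations. Presumably a `substituteFrom` is patched in at a higher level, but that is not visible in this commit. As far as I know Flux replaces an undefined variable with an empty string unless strict substitution is enabled, which would render the auth URL as `https://oauth2-proxy./oauth2/auth`. A short comment next to `substitute:` such as `# PUBLIC_DOMAIN0 is supplied by the cluster-wide substituteFrom` would document the dependency for the next reader.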