Add ability to set Postgres password type at cluster creation

Specifically, this allows one to use "scram-sha-256" formatted passwords when a PostgreSQL cluster is created. This adds a new attribute to the `pgclusters.crunchydata.com` CRD called "passwordType", which stores the default value of the password hashing mechanism that the Postgres cluster should use. This also adds the "--password-type" flag to "pgo create cluster", which accepts the same values as the user-oriented commands, i.e. "scram-sha-256" and "md5". If a password type is not provided when a new user is created, the value from the custom resource is used. Issue: [ch11049]

Author: jkatz

cmd/pgo/cmd/cluster.go

@@ -269,6 +269,7 @@ func createCluster(args []string, ns string, createClusterCmd *cobra.Command) {
 r.PasswordSuperuser = PasswordSuperuser
 r.PasswordReplication = PasswordReplication
 r.Password = Password
+r.PasswordType = PasswordType
 r.SecretFrom = SecretFrom
 r.UserLabels = getLabels(UserLabels)
 r.Policies = PoliciesFlag

cmd/pgo/cmd/create.go

@@ -418,6 +418,8 @@ func init() {
 createClusterCmd.Flags().StringVarP(&NodeLabel, "node-label", "", "", "The node label (key=value) to use in placing the primary database. If not set, any node is used.")
 createClusterCmd.Flags().StringVarP(&Password, "password", "", "", "The password to use for standard user account created during cluster initialization.")
 createClusterCmd.Flags().IntVarP(&PasswordLength, "password-length", "", 0, "If no password is supplied, sets the length of the automatically generated password. Defaults to the value set on the server.")
+createClusterCmd.Flags().StringVar(&PasswordType, "password-type", "", "The default Postgres password type to use for managed users. "+
+"Either \"scram-sha-256\" or \"md5\". Defaults to \"md5\".")
 createClusterCmd.Flags().StringVarP(&PasswordSuperuser, "password-superuser", "", "", "The password to use for the PostgreSQL superuser.")
 createClusterCmd.Flags().StringVarP(&PasswordReplication, "password-replication", "", "", "The password to use for the PostgreSQL replication user.")
 createClusterCmd.Flags().StringVar(&BackrestCPURequest, "pgbackrest-cpu", "", "Set the number of millicores to request for CPU "+
@@ -595,7 +597,7 @@ func init() {
 createUserCmd.Flags().StringVarP(&OutputFormat, "output", "o", "", `The output format. Supported types are: "json"`)
 createUserCmd.Flags().StringVarP(&Password, "password", "", "", "The password to use for creating a new user which overrides a generated password.")
 createUserCmd.Flags().IntVarP(&PasswordLength, "password-length", "", 0, "If no password is supplied, sets the length of the automatically generated password. Defaults to the value set on the server.")
-createUserCmd.Flags().StringVar(&PasswordType, "password-type", "md5", "The type of password hashing to use."+
+createUserCmd.Flags().StringVar(&PasswordType, "password-type", "", "The type of password hashing to use."+
 "Choices are: (md5, scram-sha-256).")
 createUserCmd.Flags().StringVarP(&Selector, "selector", "s", "", "The selector to use for cluster filtering.")
 createUserCmd.Flags().StringVarP(&Username, "username", "", "", "The username to use for creating a new user")

cmd/pgo/cmd/update.go

@@ -206,7 +206,7 @@ func init() {
 UpdateUserCmd.Flags().StringVarP(&OutputFormat, "output", "o", "", `The output format. Supported types are: "json"`)
 UpdateUserCmd.Flags().StringVarP(&Password, "password", "", "", "Specifies the user password when updating a user password or creating a new user. If --rotate-password is set as well, --password takes precedence.")
 UpdateUserCmd.Flags().IntVarP(&PasswordLength, "password-length", "", 0, "If no password is supplied, sets the length of the automatically generated password. Defaults to the value set on the server.")
-UpdateUserCmd.Flags().StringVar(&PasswordType, "password-type", "md5", "The type of password hashing to use."+
+UpdateUserCmd.Flags().StringVar(&PasswordType, "password-type", "", "The type of password hashing to use."+
 "Choices are: (md5, scram-sha-256). This only takes effect if the password is being changed.")
 UpdateUserCmd.Flags().BoolVar(&PasswordValidAlways, "valid-always", false, "Sets a password to never expire based on expiration time. Takes precedence over --valid-days")
 UpdateUserCmd.Flags().BoolVar(&RotatePassword, "rotate-password", false, "Rotates the user's password with an automatically generated password. The length of the password is determine by either --password-length or the value set on the server, in that order.")

docs/content/custom-resources/_index.md

@@ -933,6 +933,7 @@ make changes, as described below.
 | limits | `create`, `update` | Specify the container resource limits that the PostgreSQL cluster should use. Follows the [Kubernetes definitions of resource limits](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-requests-and-limits-of-pod-and-container). |
 | name | `create` | The name of the PostgreSQL instance that is the primary. On creation, this should be set to be the same as `ClusterName`. |
 | nodeAffinity | `create` | Sets the [node affinity rules](/architecture/high-availability/#node-affinity) for the PostgreSQL cluster and associated PostgreSQL instances. Can be overridden on a per-instance (`pgreplicas.crunchydata.com`) basis. Please see the `Node Affinity Specification` section below. |
+| passwordType | `create`, `update` | If set, provides the Postgres password type that is used for creating Postgres users that are managed by PGO. Can be either `md5` or `scram-sha-256`. |
 | pgBadger | `create`,`update` | If `true`, deploys the `crunchy-pgbadger` sidecar for query analysis. |
 | pgbadgerport | `create` | If the `PGBadger` label is set, then this specifies the port that the pgBadger sidecar runs on (e.g. `10000`) |
 | pgBouncer | `create`, `update` | If specified, defines the attributes to use for the pgBouncer connection pooling deployment that can be used in conjunction with this PostgreSQL cluster. Please see the specification defined below. |

docs/content/pgo-client/reference/pgo_create_cluster.md

@@ -55,6 +55,7 @@ pgo create cluster [flags]
  --password-length int If no password is supplied, sets the length of the automatically generated password. Defaults to the value set on the server.
  --password-replication string The password to use for the PostgreSQL replication user.
  --password-superuser string The password to use for the PostgreSQL superuser.
+ --password-type string The default Postgres password type to use for managed users. Either "scram-sha-256" or "md5". Defaults to "md5".
  --pgbackrest-cpu string Set the number of millicores to request for CPU for the pgBackRest repository.
  --pgbackrest-cpu-limit string Set the number of millicores to limit for CPU for the pgBackRest repository.
  --pgbackrest-custom-config string The name of a ConfigMap containing pgBackRest configuration files.
@@ -141,4 +142,4 @@ pgo create cluster [flags]
 
 * [pgo create](/pgo-client/reference/pgo_create/) - Create a Postgres Operator resource
 
-###### Auto generated by spf13/cobra on 11-Apr-2021
+###### Auto generated by spf13/cobra on 19-Apr-2021

docs/content/pgo-client/reference/pgo_create_user.md

@@ -27,7 +27,7 @@ pgo create user [flags]
  -o, --output string The output format. Supported types are: "json"
  --password string The password to use for creating a new user which overrides a generated password.
  --password-length int If no password is supplied, sets the length of the automatically generated password. Defaults to the value set on the server.
- --password-type string The type of password hashing to use.Choices are: (md5, scram-sha-256). (default "md5")
+ --password-type string The type of password hashing to use.Choices are: (md5, scram-sha-256).
  -s, --selector string The selector to use for cluster filtering.
  --username string The username to use for creating a new user
  --valid-days int Sets the number of days that a password is valid. Defaults to the server value.
@@ -50,4 +50,4 @@ pgo create user [flags]
 
 * [pgo create](/pgo-client/reference/pgo_create/) - Create a Postgres Operator resource
 
-###### Auto generated by spf13/cobra on 14-Jan-2021
+###### Auto generated by spf13/cobra on 19-Apr-2021

docs/content/pgo-client/reference/pgo_update_user.md

@@ -41,7 +41,7 @@ pgo update user [flags]
  -o, --output string The output format. Supported types are: "json"
  --password string Specifies the user password when updating a user password or creating a new user. If --rotate-password is set as well, --password takes precedence.
  --password-length int If no password is supplied, sets the length of the automatically generated password. Defaults to the value set on the server.
- --password-type string The type of password hashing to use.Choices are: (md5, scram-sha-256). This only takes effect if the password is being changed. (default "md5")
+ --password-type string The type of password hashing to use.Choices are: (md5, scram-sha-256). This only takes effect if the password is being changed.
  --rotate-password Rotates the user's password with an automatically generated password. The length of the password is determine by either --password-length or the value set on the server, in that order.
  -s, --selector string The selector to use for cluster filtering.
  --set-system-account-password Allows for a system account password to be set.
@@ -67,4 +67,4 @@ pgo update user [flags]
 
 * [pgo update](/pgo-client/reference/pgo_update/) - Update a pgouser, pgorole, or cluster
 
-###### Auto generated by spf13/cobra on 14-Jan-2021
+###### Auto generated by spf13/cobra on 19-Apr-2021

installers/ansible/roles/pgo-operator/files/pgo-configs/cluster-bootstrap-job.json

@@ -78,6 +78,9 @@
  }, {
  "name": "PGHA_TLS_ONLY",
  "value": "{{.TLSOnly}}"
+ }, {
+ "name": "PGHA_PASSWORD_TYPE",
+ "value": "{{.PasswordType}}"
  }, {
  "name": "PGHA_STANDBY",
  "value": "{{.Standby}}"

installers/ansible/roles/pgo-operator/files/pgo-configs/cluster-deployment.json

@@ -117,6 +117,9 @@
  }, {
  "name": "PGHA_TLS_ONLY",
  "value": "{{.TLSOnly}}"
+ }, {
+ "name": "PGHA_PASSWORD_TYPE",
+ "value": "{{.PasswordType}}"
  }, {
  "name": "PGHA_STANDBY",
  "value": "{{.Standby}}"

internal/apiserver/clusterservice/clusterimpl.go

@@ -792,6 +792,15 @@ func CreateCluster(request *msgs.CreateClusterRequest, ns, pgouser string) msgs.
 }
 }
 
+// determine if the the password type is valid
+if _, err := apiserver.GetPasswordType(request.PasswordType); err != nil {
+resp.Status.Code = msgs.Error
+resp.Status.Msg = err.Error()
+return resp
+} else if request.PasswordType == "scram" {
+request.PasswordType = "scram-sha-256"
+}
+
 // if the pgBouncer flag is set, validate that replicas is set to a
 // nonnegative value and the service type.
 if request.PgbouncerFlag {
@@ -1400,6 +1409,9 @@ func getClusterParams(request *msgs.CreateClusterRequest, name string, ns string
 
 log.Debugf("username set to [%s]", spec.User)
 
+// set the password type
+spec.PasswordType = request.PasswordType
+
 // set the name of the database. The hierarchy is as such:
 // 1. Use the name that the user provides in the request
 // 2. Use the name that is in the pgo.yaml file