TEST: switch md5 2 scram-sha-256 by default in postgresql

taurus-forever · taurus-forever · commit 3e56682b553a · 2025-06-26T10:29:57.000+02:00
diff --git a/lib/charms/postgresql_k8s/v1/postgresql.py b/lib/charms/postgresql_k8s/v1/postgresql.py
@@ -34,7 +34,7 @@
 
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 0
+LIBPATCH = 1
 
 # Groups to distinguish HBA access
 ACCESS_GROUP_IDENTITY = "identity_access"
@@ -849,7 +849,7 @@ def set_up_database(self, temp_location: Optional[str] = None) -> None:
                 -- Add the new users to the pg_hba file.
                 FOR rec IN SELECT * FROM relation_users
                 LOOP
-                  insert_value := connection_type || ' ' || rec.databases || ' ' || rec.user || ' 0.0.0.0/0 md5';
+                  insert_value := connection_type || ' ' || rec.databases || ' ' || rec.user || ' 0.0.0.0/0 scram-sha-256';
                   IF (SELECT COUNT(lines) FROM pg_hba WHERE lines = insert_value) = 0 THEN
                     INSERT INTO pg_hba (lines) VALUES (insert_value);
                     changes := changes + 1;
diff --git a/templates/patroni.yml.j2 b/templates/patroni.yml.j2
@@ -166,27 +166,27 @@ postgresql:
     - local all monitoring password
     - {{ 'hostssl' if enable_tls else 'host' }} all +charmed_dba 0.0.0.0/0 scram-sha-256
     {%- if not connectivity %}
-    - {{ 'hostssl' if enable_tls else 'host' }} all all {{ self_ip }} md5
+    - {{ 'hostssl' if enable_tls else 'host' }} all all {{ self_ip }} scram-sha-256
     - {{ 'hostssl' if enable_tls else 'host' }} all all 0.0.0.0/0 reject
     {%- elif enable_ldap %}
     - {{ 'hostssl' if enable_tls else 'host' }} all +identity_access 0.0.0.0/0 ldap {{ ldap_parameters }}
-    - {{ 'hostssl' if enable_tls else 'host' }} all +internal_access 0.0.0.0/0 md5
+    - {{ 'hostssl' if enable_tls else 'host' }} all +internal_access 0.0.0.0/0 scram-sha-256
     {%- for user, databases in user_databases_map.items() %}
-    - {{ 'hostssl' if enable_tls else 'host' }} {{ databases }} {{ user }} 0.0.0.0/0 md5
+    - {{ 'hostssl' if enable_tls else 'host' }} {{ databases }} {{ user }} 0.0.0.0/0 scram-sha-256
     {%- endfor %}
     {%- else %}
-    - {{ 'hostssl' if enable_tls else 'host' }} all +internal_access 0.0.0.0/0 md5
+    - {{ 'hostssl' if enable_tls else 'host' }} all +internal_access 0.0.0.0/0 scram-sha-256
     {%- for user, databases in user_databases_map.items() %}
-    - {{ 'hostssl' if enable_tls else 'host' }} {{ databases }} {{ user }} 0.0.0.0/0 md5
+    - {{ 'hostssl' if enable_tls else 'host' }} {{ databases }} {{ user }} 0.0.0.0/0 scram-sha-256
     {%- endfor %}
     {%- endif %}
-    - {{ 'hostssl' if enable_tls else 'host' }} replication replication 127.0.0.1/32 md5
+    - {{ 'hostssl' if enable_tls else 'host' }} replication replication 127.0.0.1/32 scram-sha-256
     # Allow replications connections from other cluster members.
     {%- for endpoint in extra_replication_endpoints %}
-    - {{ 'hostssl' if enable_tls else 'host' }} replication replication {{ endpoint }}/32 md5
+    - {{ 'hostssl' if enable_tls else 'host' }} replication replication {{ endpoint }}/32 scram-sha-256
     {%- endfor %}
     {%- for peer_ip in peers_ips %}
-    - {{ 'hostssl' if enable_tls else 'host' }}     replication    replication    {{ peer_ip }}/0    md5
+    - {{ 'hostssl' if enable_tls else 'host' }}     replication    replication    {{ peer_ip }}/0    scram-sha-256
     {% endfor %}
   pg_ident:
   - operator snap_daemon backup
