DPE-5512: add instance_password_encryption to patroni.yml

Author: taurus-forever

src/charm.py

@@ -2366,6 +2366,7 @@ def update_config(
             no_peers=no_peers,
             user_databases_map=self.relations_user_databases_map,
             slots=replication_slots or None,
+            instance_password_encryption=self.config.instance_password_encryption,
         )
         if no_peers:
             return True

src/cluster.py

@@ -651,6 +651,7 @@ def render_patroni_yml_file(
         no_peers: bool = False,
         user_databases_map: dict[str, str] | None = None,
         slots: dict[str, str] | None = None,
+        instance_password_encryption: str | None = None,
     ) -> None:
         """Render the Patroni configuration file.
 
@@ -670,6 +671,7 @@ def render_patroni_yml_file(
             no_peers: Don't include peers.
             user_databases_map: map of databases to be accessible by each user.
             slots: replication slots (keys) with assigned database name (values).
+            instance_password_encryption: algorithm to use to encrypt the users passwords.
         """
         if not self._are_passwords_set:
             logger.warning("Passwords are not yet generated by the leader")
@@ -724,6 +726,7 @@ def render_patroni_yml_file(
             patroni_password=self.patroni_password,
             user_databases_map=user_databases_map,
             slots=slots,
+            instance_password_encryption=instance_password_encryption,
         )
         self.render_file(f"{PATRONI_CONF_PATH}/patroni.yaml", rendered, 0o600)
 

templates/patroni.yml.j2

@@ -181,21 +181,21 @@ postgresql:
     - {{ 'hostssl' if enable_tls else 'host' }} all +charmed_admin 0.0.0.0/0 scram-sha-256
     - {{ 'hostssl' if enable_tls else 'host' }} all +charmed_databases_owner 0.0.0.0/0 scram-sha-256
     {%- if not connectivity %}
-    - {{ 'hostssl' if enable_tls else 'host' }} all all {{ self_ip }} scram-sha-256
+    - {{ 'hostssl' if enable_tls else 'host' }} all all {{ self_ip }} {{ instance_password_encryption }}
     - {{ 'hostssl' if enable_tls else 'host' }} all all 0.0.0.0/0 reject
     {%- elif enable_ldap %}
     - {{ 'hostssl' if enable_tls else 'host' }} all +identity_access 0.0.0.0/0 ldap {{ ldap_parameters }}
-    - {{ 'hostssl' if enable_tls else 'host' }} all +internal_access 0.0.0.0/0 scram-sha-256
+    - {{ 'hostssl' if enable_tls else 'host' }} all +internal_access 0.0.0.0/0 {{ instance_password_encryption }}
     {%-   for user, databases in user_databases_map.items() %}
-    - {{ 'hostssl' if enable_tls else 'host' }} {{ databases }} {{ user }} 0.0.0.0/0 scram-sha-256
+    - {{ 'hostssl' if enable_tls else 'host' }} {{ databases }} {{ user }} 0.0.0.0/0 {{ instance_password_encryption }}
     {%-   endfor %}
     {%- else %}
     - {{ 'hostssl' if enable_tls else 'host' }} all +internal_access 0.0.0.0/0 scram-sha-256
     {%-   for user, databases in user_databases_map.items() %}
     {%-     if 'pgbouncer_auth_relation_' in user %}
     - {{ 'hostssl' if enable_tls else 'host' }} {{ databases }} {{ user }} 0.0.0.0/0 md5
     {%-     else %}
-    - {{ 'hostssl' if enable_tls else 'host' }} {{ databases }} {{ user }} 0.0.0.0/0 scram-sha-256
+    - {{ 'hostssl' if enable_tls else 'host' }} {{ databases }} {{ user }} 0.0.0.0/0 {{ instance_password_encryption }}
     {%-     endif %}
     {%-   endfor %}
     {%- endif %}
@@ -205,7 +205,7 @@ postgresql:
     - {{ 'hostssl' if enable_tls else 'host' }} replication replication {{ endpoint }}/32 scram-sha-256
     {%- endfor %}
     {%- for peer_ip in peers_ips %}
-    - {{ 'hostssl' if enable_tls else 'host' }}     replication    replication    {{ peer_ip }}/0    scram-sha-256
+    - {{ 'hostssl' if enable_tls else 'host' }} replication replication {{ peer_ip }}/0 scram-sha-256
     {%- endfor %}
 
   pg_ident:

tests/integration/test_config.py

@@ -47,6 +47,9 @@ async def test_config_parameters(ops_test: OpsTest, charm) -> None:
         {
             "instance_max_locks_per_transaction": ["-1", "64"]
         },  # config option is between 64 and 2147483647
+        {
+            "instance_password_encryption": [test_string, "md5"]
+        },  # config option is one of `md5` or `scram-sha-256`
         {
             "instance_password_encryption": [test_string, "scram-sha-256"]
         },  # config option is one of `md5` or `scram-sha-256`

tests/unit/test_charm.py

@@ -1163,6 +1163,7 @@ class _MockSnap:
             no_peers=False,
             user_databases_map={"operator": "all", "replication": "all", "rewind": "all"},
             slots=None,
+            instance_password_encryption="scram-sha-256",
         )
         _handle_postgresql_restart_need.assert_called_once_with()
         _restart_ldap_sync_service.assert_called_once()

tests/unit/test_cluster.py

@@ -307,6 +307,7 @@ def test_render_patroni_yml_file(peers_ips, patroni):
         raft_password = "fake-raft-password"
         patroni_password = "fake-patroni-password"
         postgresql_version = "16"
+        instance_password_encryption = "md5"
 
         # Get the expected content from a file.
         with open("templates/patroni.yml.j2") as file:
@@ -331,6 +332,7 @@ def test_render_patroni_yml_file(peers_ips, patroni):
             synchronous_node_count=0,
             raft_password=raft_password,
             patroni_password=patroni_password,
+            render_patroni_yml_file=instance_password_encryption,
         )
 
         # Setup a mock for the `open` method, set returned data to patroni.yml template.