DPE-5512: add instance_password_encryption to patroni.yml

taurus-forever · taurus-forever · commit fe7326258c5f · 2025-08-13T17:01:18.000+02:00
diff --git a/src/charm.py b/src/charm.py
@@ -2366,6 +2366,7 @@ def update_config(
             no_peers=no_peers,
             user_databases_map=self.relations_user_databases_map,
             slots=replication_slots or None,
+            instance_password_encryption=self.config.instance_password_encryption,
         )
         if no_peers:
             return True
diff --git a/src/cluster.py b/src/cluster.py
@@ -651,6 +651,7 @@ def render_patroni_yml_file(
         no_peers: bool = False,
         user_databases_map: dict[str, str] | None = None,
         slots: dict[str, str] | None = None,
+        instance_password_encryption: str | None = None,
     ) -> None:
         """Render the Patroni configuration file.
 
@@ -670,6 +671,7 @@ def render_patroni_yml_file(
             no_peers: Don't include peers.
             user_databases_map: map of databases to be accessible by each user.
             slots: replication slots (keys) with assigned database name (values).
+            instance_password_encryption: algorithm to use to encrypt the users passwords.
         """
         if not self._are_passwords_set:
             logger.warning("Passwords are not yet generated by the leader")
@@ -724,6 +726,7 @@ def render_patroni_yml_file(
             patroni_password=self.patroni_password,
             user_databases_map=user_databases_map,
             slots=slots,
+            instance_password_encryption=instance_password_encryption,
         )
         self.render_file(f"{PATRONI_CONF_PATH}/patroni.yaml", rendered, 0o600)
 
diff --git a/templates/patroni.yml.j2 b/templates/patroni.yml.j2
@@ -173,6 +173,7 @@ postgresql:
     - local all backup peer map=operator
     - local all operator scram-sha-256
     - local all monitoring password
+    - local all taurus {{ instance_password_encryption }}
     - {{ 'hostssl' if enable_tls else 'host' }} all +charmed_stats 0.0.0.0/0 scram-sha-256
     - {{ 'hostssl' if enable_tls else 'host' }} all +charmed_read 0.0.0.0/0 scram-sha-256
     - {{ 'hostssl' if enable_tls else 'host' }} all +charmed_dml 0.0.0.0/0 scram-sha-256
@@ -181,21 +182,21 @@ postgresql:
     - {{ 'hostssl' if enable_tls else 'host' }} all +charmed_admin 0.0.0.0/0 scram-sha-256
     - {{ 'hostssl' if enable_tls else 'host' }} all +charmed_databases_owner 0.0.0.0/0 scram-sha-256
     {%- if not connectivity %}
-    - {{ 'hostssl' if enable_tls else 'host' }} all all {{ self_ip }} scram-sha-256
+    - {{ 'hostssl' if enable_tls else 'host' }} all all {{ self_ip }} {{ instance_password_encryption }}
     - {{ 'hostssl' if enable_tls else 'host' }} all all 0.0.0.0/0 reject
     {%- elif enable_ldap %}
     - {{ 'hostssl' if enable_tls else 'host' }} all +identity_access 0.0.0.0/0 ldap {{ ldap_parameters }}
-    - {{ 'hostssl' if enable_tls else 'host' }} all +internal_access 0.0.0.0/0 scram-sha-256
+    - {{ 'hostssl' if enable_tls else 'host' }} all +internal_access 0.0.0.0/0 {{ instance_password_encryption }}
     {%-   for user, databases in user_databases_map.items() %}
-    - {{ 'hostssl' if enable_tls else 'host' }} {{ databases }} {{ user }} 0.0.0.0/0 scram-sha-256
+    - {{ 'hostssl' if enable_tls else 'host' }} {{ databases }} {{ user }} 0.0.0.0/0 {{ instance_password_encryption }}
     {%-   endfor %}
     {%- else %}
     - {{ 'hostssl' if enable_tls else 'host' }} all +internal_access 0.0.0.0/0 scram-sha-256
     {%-   for user, databases in user_databases_map.items() %}
     {%-     if 'pgbouncer_auth_relation_' in user %}
     - {{ 'hostssl' if enable_tls else 'host' }} {{ databases }} {{ user }} 0.0.0.0/0 md5
     {%-     else %}
-    - {{ 'hostssl' if enable_tls else 'host' }} {{ databases }} {{ user }} 0.0.0.0/0 scram-sha-256
+    - {{ 'hostssl' if enable_tls else 'host' }} {{ databases }} {{ user }} 0.0.0.0/0 {{ instance_password_encryption }}
     {%-     endif %}
     {%-   endfor %}
     {%- endif %}
@@ -205,7 +206,7 @@ postgresql:
     - {{ 'hostssl' if enable_tls else 'host' }} replication replication {{ endpoint }}/32 scram-sha-256
     {%- endfor %}
     {%- for peer_ip in peers_ips %}
-    - {{ 'hostssl' if enable_tls else 'host' }}     replication    replication    {{ peer_ip }}/0    scram-sha-256
+    - {{ 'hostssl' if enable_tls else 'host' }} replication replication {{ peer_ip }}/0 scram-sha-256
     {%- endfor %}
 
   pg_ident:
diff --git a/tests/integration/test_config.py b/tests/integration/test_config.py
@@ -47,6 +47,9 @@ async def test_config_parameters(ops_test: OpsTest, charm) -> None:
         {
             "instance_max_locks_per_transaction": ["-1", "64"]
         },  # config option is between 64 and 2147483647
+        {
+            "instance_password_encryption": [test_string, "md5"]
+        },  # config option is one of `md5` or `scram-sha-256`
         {
             "instance_password_encryption": [test_string, "scram-sha-256"]
         },  # config option is one of `md5` or `scram-sha-256`
diff --git a/tests/unit/test_charm.py b/tests/unit/test_charm.py
@@ -1163,6 +1163,7 @@ class _MockSnap:
             no_peers=False,
             user_databases_map={"operator": "all", "replication": "all", "rewind": "all"},
             slots=None,
+            instance_password_encryption="scram-sha-256",
         )
         _handle_postgresql_restart_need.assert_called_once_with()
         _restart_ldap_sync_service.assert_called_once()
@@ -1194,6 +1195,7 @@ class _MockSnap:
             no_peers=False,
             user_databases_map={"operator": "all", "replication": "all", "rewind": "all"},
             slots=None,
+            instance_password_encryption="scram-sha-256",
         )
         _handle_postgresql_restart_need.assert_called_once()
         _restart_ldap_sync_service.assert_called_once()
diff --git a/tests/unit/test_cluster.py b/tests/unit/test_cluster.py
@@ -295,6 +295,7 @@ def test_render_patroni_yml_file(peers_ips, patroni):
             new_callable=PropertyMock,
             return_value=["1.1.1.1", "192.168.0.1"],
         ),
+        #patch("charm.CharmConfig.instance_password_encryption", return_value="scram-sha-256")
     ):
         _get_postgresql_version.return_value = "16.6"
 
@@ -331,6 +332,7 @@ def test_render_patroni_yml_file(peers_ips, patroni):
             synchronous_node_count=0,
             raft_password=raft_password,
             patroni_password=patroni_password,
+            instance_password_encryption="scram-sha-256",
         )
 
         # Setup a mock for the `open` method, set returned data to patroni.yml template.

Original file line number	Diff line number	Diff line change
`@@ -2366,6 +2366,7 @@ def update_config(`
`2366`	`2366`	`no_peers=no_peers,`
`2367`	`2367`	`user_databases_map=self.relations_user_databases_map,`
`2368`	`2368`	`slots=replication_slots or None,`
	`2369`	`+ instance_password_encryption=self.config.instance_password_encryption,`
`2369`	`2370`	`)`
`2370`	`2371`	`if no_peers:`
`2371`	`2372`	`return True`
Original file line number	Diff line number	Diff line change
`@@ -47,6 +47,9 @@ async def test_config_parameters(ops_test: OpsTest, charm) -> None:`
`47`	`47`	`{`
`48`	`48`	`"instance_max_locks_per_transaction": ["-1", "64"]`
`49`	`49`	`}, # config option is between 64 and 2147483647`
	`50`	`+ {`
	`51`	`+ "instance_password_encryption": [test_string, "md5"]`
	`52`	+ }, # config option is one of `md5` or `scram-sha-256`
`50`	`53`	`{`
`51`	`54`	`"instance_password_encryption": [test_string, "scram-sha-256"]`
`52`	`55`	}, # config option is one of `md5` or `scram-sha-256`