Use scram-sha-256 for password encryption

stejskalleos · evgeni · commit 4718e556aae5 · 2025-10-29T09:01:50.000+01:00
diff --git a/src/roles/postgresql/tasks/main.yml b/src/roles/postgresql/tasks/main.yml
@@ -49,6 +49,18 @@
     enabled: true
     state: started
 
+# SCRAM-SHA-256 is default for PostgreSQL 14+,
+# after the upgrade, we can drop this task.
+- name: Use scram-sha-256 for password encryption
+  community.postgresql.postgresql_set:
+    login_user: postgres
+    login_password: "{{ postgresql_admin_password }}"
+    login_host: localhost
+    name: password_encryption
+    value: "scram-sha-256"
+  notify:
+    - Restart postgresql
+
 - name: Create PostgreSQL users
   community.postgresql.postgresql_user:
     name: "{{ item.name }}"
diff --git a/tests/postgresql_test.py b/tests/postgresql_test.py
@@ -1,3 +1,5 @@
+import csv
+
 def test_postgresql_service(server):
     postgresql = server.service("postgresql")
     assert postgresql.is_running
@@ -20,3 +22,13 @@ def test_postgresql_users(server):
     assert "foreman" in result.stdout
     assert "candlepin" in result.stdout
     assert "pulp" in result.stdout
+
+def test_postgresql_password_encryption(server):
+    result = server.run("podman exec postgresql psql -U postgres -c 'SHOW password_encryption'")
+    assert "scram-sha-256" in result.stdout
+
+    result = server.run("echo 'COPY (select * from pg_shadow) TO STDOUT (FORMAT CSV);' | podman exec -i postgresql psql -U postgres")
+
+    reader = csv.reader(result.stdout.splitlines())
+    for row in reader:
+        assert ("SCRAM-SHA-256" in row[6])
