add pg_hba_auth_password_encryption parameter

SimonHoenscheid · SimonHoenscheid · commit 0f03dfe97de3 · 2023-08-31T21:09:19.000+02:00
diff --git a/manifests/server.pp b/manifests/server.pp
@@ -96,7 +96,9 @@
 # @param manage_logdir Set to false if you have file{ $logdir: } already defined
 # @param manage_xlogdir Set to false if you have file{ $xlogdir: } already defined
 # @param password_encryption Specify the type of encryption set for the password.
-#
+# @param pg_hba_auth_password_encryption
+#   Specify the type of encryption set for the password in pg_hba_conf,
+#   this value is usefull if you want to start enforcing scram-sha-256, but give users transition time.
 # @param roles Specifies a hash from which to generate postgresql::server::role resources.
 # @param config_entries Specifies a hash from which to generate postgresql::server::config_entry resources.
 # @param pg_hba_rules Specifies a hash from which to generate postgresql::server::pg_hba_rule resources.
@@ -179,6 +181,7 @@
   Boolean                                            $manage_logdir                = $postgresql::params::manage_logdir,
   Boolean                                            $manage_xlogdir               = $postgresql::params::manage_xlogdir,
   Postgresql::Pg_password_encryption                 $password_encryption          = $postgresql::params::password_encryption,
+  Postgresql::Pg_password_encryption                 $pg_hba_auth_password_encryption = undef,
   Optional[String]                                   $extra_systemd_config         = $postgresql::params::extra_systemd_config,
 
   Hash[String, Hash]                                 $roles                        = {},
diff --git a/manifests/server/instance/config.pp b/manifests/server/instance/config.pp
@@ -42,6 +42,9 @@
 # @param log_line_prefix PostgreSQL log line prefix
 # @param timezone Set timezone for the PostgreSQL instance
 # @param password_encryption Specify the type of encryption set for the password.
+# @param pg_hba_auth_password_encryption
+#   Specify the type of encryption set for the password in pg_hba_conf,
+#   this value is usefull if you want to start enforcing scram-sha-256, but give users transition time.
 # @param extra_systemd_config
 #   Adds extra config to systemd config file, can for instance be used to add extra openfiles. This can be a multi line string
 define postgresql::server::instance::config (
@@ -71,8 +74,15 @@
   Optional[String[1]]                            $log_line_prefix              = $postgresql::server::log_line_prefix,
   Optional[String[1]]                            $timezone                     = $postgresql::server::timezone,
   Postgresql::Pg_password_encryption             $password_encryption          = $postgresql::server::password_encryption,
+  Postgresql::Pg_password_encryption             $pg_hba_auth_password_encryption = $postgresql::server::pg_hba_auth_password_encryption,
   Optional[String]                               $extra_systemd_config         = $postgresql::server::extra_systemd_config,
 ) {
+  if $pg_hba_auth_password_encryption {
+    $override_pg_hba_auth_password_encryption = $pg_hba_auth_password_encryption
+  } else {
+    $override_pg_hba_auth_password_encryption = $password_encryption
+  }
+
   if ($manage_pg_hba_conf == true) {
     # Prepare the main pg_hba file
     concat { $pg_hba_conf_path:
