flexible value for auth_method in pg_hba.conf if passwords are used

SimonHoenscheid · SimonHoenscheid · commit 8b797633649c · 2023-08-31T21:09:19.000+02:00
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -25,7 +25,7 @@
   $manage_selinux               = pick($manage_selinux, false)
   $package_ensure               = 'present'
   $module_workdir               = pick($module_workdir,'/tmp')
-  $password_encryption          = if versioncmp($version, '14') >= 0 { 'scram-sha-256' } else { undef }
+  $password_encryption          = if versioncmp($version, '14') >= 0 { 'scram-sha-256' } else { 'md5' }
   $extra_systemd_config         = undef
   $manage_datadir               = true
   $manage_logdir                = true
diff --git a/manifests/server.pp b/manifests/server.pp
@@ -178,7 +178,7 @@
   Boolean                                            $manage_datadir               = $postgresql::params::manage_datadir,
   Boolean                                            $manage_logdir                = $postgresql::params::manage_logdir,
   Boolean                                            $manage_xlogdir               = $postgresql::params::manage_xlogdir,
-  Optional[Postgresql::Pg_password_encryption]       $password_encryption          = $postgresql::params::password_encryption,
+  Postgresql::Pg_password_encryption                 $password_encryption          = $postgresql::params::password_encryption,
   Optional[String]                                   $extra_systemd_config         = $postgresql::params::extra_systemd_config,
 
   Hash[String, Hash]                                 $roles                        = {},
diff --git a/manifests/server/instance/config.pp b/manifests/server/instance/config.pp
@@ -70,7 +70,7 @@
   Boolean                                        $service_enable               = $postgresql::server::service_enable,
   Optional[String[1]]                            $log_line_prefix              = $postgresql::server::log_line_prefix,
   Optional[String[1]]                            $timezone                     = $postgresql::server::timezone,
-  Optional[Postgresql::Pg_password_encryption]   $password_encryption          = $postgresql::server::password_encryption,
+  Postgresql::Pg_password_encryption             $password_encryption          = $postgresql::server::password_encryption,
   Optional[String]                               $extra_systemd_config         = $postgresql::server::extra_systemd_config,
 ) {
   if ($manage_pg_hba_conf == true) {
@@ -105,7 +105,7 @@
           type        => 'host',
           user        => $user,
           address     => '127.0.0.1/32',
-          auth_method => 'md5',
+          auth_method => $password_encryption,
           order       => 3;
 
         "deny access to postgresql user for instance ${name}":
@@ -118,13 +118,13 @@
         "allow access to all users for instance ${name}":
           type        => 'host',
           address     => $ip_mask_allow_all_users,
-          auth_method => 'md5',
+          auth_method => $password_encryption,
           order       => 100;
 
         "allow access to ipv6 localhost for instance ${name}":
           type        => 'host',
           address     => '::1/128',
-          auth_method => 'md5',
+          auth_method => $password_encryption,
           order       => 101;
       }
     }
