flexible value for auth_method in pg_hba.conf if passwords are used

manifests/params.pp

@@ -25,7 +25,7 @@
   $manage_selinux               = pick($manage_selinux, false)
   $package_ensure               = 'present'
   $module_workdir               = pick($module_workdir,'/tmp')
-  $password_encryption          = if versioncmp($version, '14') >= 0 { 'scram-sha-256' } else { undef }
+  $password_encryption          = versioncmp($version, '14') ? { -1 => 'md5', default => 'scram-sha-256' }
   $extra_systemd_config         = undef
   $manage_datadir               = true
   $manage_logdir                = true

manifests/server.pp

@@ -96,7 +96,9 @@
 # @param manage_logdir Set to false if you have file{ $logdir: } already defined
 # @param manage_xlogdir Set to false if you have file{ $xlogdir: } already defined
 # @param password_encryption Specify the type of encryption set for the password.
-#
+# @param pg_hba_auth_password_encryption
+#   Specify the type of encryption set for the password in pg_hba_conf,
+#   this value is usefull if you want to start enforcing scram-sha-256, but give users transition time.
 # @param roles Specifies a hash from which to generate postgresql::server::role resources.
 # @param config_entries Specifies a hash from which to generate postgresql::server::config_entry resources.
 # @param pg_hba_rules Specifies a hash from which to generate postgresql::server::pg_hba_rule resources.
@@ -178,7 +180,8 @@
   Boolean                                            $manage_datadir               = $postgresql::params::manage_datadir,
   Boolean                                            $manage_logdir                = $postgresql::params::manage_logdir,
   Boolean                                            $manage_xlogdir               = $postgresql::params::manage_xlogdir,
-  Optional[Postgresql::Pg_password_encryption]       $password_encryption          = $postgresql::params::password_encryption,
+  Postgresql::Pg_password_encryption                 $password_encryption          = $postgresql::params::password_encryption,
+  Optional[Postgresql::Pg_password_encryption]       $pg_hba_auth_password_encryption = undef,
   Optional[String]                                   $extra_systemd_config         = $postgresql::params::extra_systemd_config,
 
   Hash[String, Hash]                                 $roles                        = {},

manifests/server/instance/config.pp

@@ -42,6 +42,9 @@
 # @param log_line_prefix PostgreSQL log line prefix
 # @param timezone Set timezone for the PostgreSQL instance
 # @param password_encryption Specify the type of encryption set for the password.
+# @param pg_hba_auth_password_encryption
+#   Specify the type of encryption set for the password in pg_hba_conf,
+#   this value is usefull if you want to start enforcing scram-sha-256, but give users transition time.
 # @param extra_systemd_config
 #   Adds extra config to systemd config file, can for instance be used to add extra openfiles. This can be a multi line string
 define postgresql::server::instance::config (
@@ -70,9 +73,16 @@
   Boolean                                        $service_enable               = $postgresql::server::service_enable,
   Optional[String[1]]                            $log_line_prefix              = $postgresql::server::log_line_prefix,
   Optional[String[1]]                            $timezone                     = $postgresql::server::timezone,
-  Optional[Postgresql::Pg_password_encryption]   $password_encryption          = $postgresql::server::password_encryption,
+  Postgresql::Pg_password_encryption             $password_encryption          = $postgresql::server::password_encryption,
+  Optional[Postgresql::Pg_password_encryption]   $pg_hba_auth_password_encryption = $postgresql::server::pg_hba_auth_password_encryption,
   Optional[String]                               $extra_systemd_config         = $postgresql::server::extra_systemd_config,
 ) {
+  if $pg_hba_auth_password_encryption {
+    $override_pg_hba_auth_password_encryption = $pg_hba_auth_password_encryption
+  } else {
+    $override_pg_hba_auth_password_encryption = $password_encryption
+  }
+
   if ($manage_pg_hba_conf == true) {
     # Prepare the main pg_hba file
     concat { $pg_hba_conf_path:
@@ -105,7 +115,7 @@
           type        => 'host',
           user        => $user,
           address     => '127.0.0.1/32',
-          auth_method => 'md5',
+          auth_method => $password_encryption,
           order       => 3;
 
         "deny access to postgresql user for instance ${name}":
@@ -118,13 +128,13 @@
         "allow access to all users for instance ${name}":
           type        => 'host',
           address     => $ip_mask_allow_all_users,
-          auth_method => 'md5',
+          auth_method => $password_encryption,
           order       => 100;
 
         "allow access to ipv6 localhost for instance ${name}":
           type        => 'host',
           address     => '::1/128',
-          auth_method => 'md5',
+          auth_method => $password_encryption,
           order       => 101;
       }
     }

spec/acceptance/overridden_settings_spec.rb

@@ -11,6 +11,7 @@
 
   let(:pp) do
     <<-MANIFEST
+    $auth_method = $facts['os']['release']['major'] ? { '7' => 'md5', default => 'scram-sha-256'}
     class { 'postgresql::server':
       roles          => {
         'testusername' => {
@@ -26,7 +27,7 @@ class { 'postgresql::server':
           type        => 'host',
           database    => 'mydb',
           user        => 'myuser',
-          auth_method => 'md5',
+          auth_method => $auth_method,
           address     => '192.0.2.100/32',
         },
       },