Avoid overwriting infrastrure roles.

When a role is defined in the infrastructure roles and the cluster
manifest use the infrastructure role definition and add flags
defined in the manifest.

Previously the role has been overwritten by the definition from the
manifest.  Because a random password is generated for each role from the
manifest the applications relying on the infrastructure role credentials
from the infrastructure roles secret were unable to connect.

pkg/cluster/cluster.go

@@ -617,11 +617,19 @@ func (c *Cluster) initRobotUsers() error {
 		if err != nil {
 			return fmt.Errorf("invalid flags for user '%v': %v", username, err)
 		}
-
+		if _, present := c.pgUsers[username]; !present {
-		c.pgUsers[username] = spec.PgUser{
+			c.pgUsers[username] = spec.PgUser{
-			Name:     username,
+				Name:     username,
-			Password: util.RandomPassword(constants.PasswordLength),
+				Password: util.RandomPassword(constants.PasswordLength),
-			Flags:    flags,
+				Flags:    flags,
+			}
+		} else {
+			// avoid overwriting the password if the user is already there. The flags should be
+			// merged here, but since there is no mechanism to define them for non-robot roles
+			// they are assigned from the robot user.
+			c.logger.Debugf("merging user %q data", username)
+			user := c.pgUsers[username]
+			user.Flags = flags
 		}
 	}
 
@@ -645,6 +653,10 @@ func (c *Cluster) initHumanUsers() error {
 			}
 		}
 
+		if _, present := c.pgUsers[username]; present {
+			c.logger.Warnf("overwriting existing user %q with the data from the teams API")
+		}
+
 		c.pgUsers[username] = spec.PgUser{
 			Name:       username,
 			Flags:      flags,