Use encrypted passwords while creating robot users

pkg/cluster/pg.go

@@ -8,10 +8,11 @@ import (
 	_ "github.com/lib/pq"
 
 	"github.bus.zalan.do/acid/postgres-operator/pkg/spec"
+	"github.bus.zalan.do/acid/postgres-operator/pkg/util"
 	"github.bus.zalan.do/acid/postgres-operator/pkg/util/constants"
 )
 
-var createUserSQL = `SET LOCAL synchronous_commit = 'local'; CREATE ROLE "%s" %s PASSWORD %s;`
+var createUserSQL = `SET LOCAL synchronous_commit = 'local'; CREATE ROLE "%s" %s %s;`
 
 func (c *Cluster) pgConnectionString() string {
 	hostname := fmt.Sprintf("%s.%s.svc.cluster.local", c.Metadata.Name, c.Metadata.Namespace)
@@ -68,9 +69,9 @@ func (c *Cluster) createPgUser(user spec.PgUser) (isHuman bool, err error) {
 	}
 
 	userFlags := strings.Join(flags, " ")
-	userPassword := fmt.Sprintf("'%s'", user.Password)
+	userPassword := fmt.Sprintf("ENCRYPTED PASSWORD '%s'", util.PGUserPassword(user))
 	if user.Password == "" {
-		userPassword = "NULL"
+		userPassword = "PASSWORD NULL"
 	}
 	query := fmt.Sprintf(createUserSQL, user.Name, userFlags, userPassword)
 

pkg/util/util.go

@@ -1,6 +1,8 @@
 package util
 
 import (
+	"crypto/md5"
+	"encoding/hex"
 	"fmt"
 	"math/rand"
 	"time"
@@ -52,3 +54,9 @@ func PodSpiloRole(pod *v1.Pod) string {
 func ClusterDNSName(clusterName, teamName, hostedZone string) string {
 	return fmt.Sprintf("%s.%s.%s", clusterName, teamName, hostedZone)
 }
+
+func PGUserPassword(user spec.PgUser) string {
+	s := md5.Sum([]byte(user.Password + user.Name))
+
+	return "md5" + hex.EncodeToString(s[:])
+}