
feat: Make the used password algorithm configurable #78

Open
ZPascal wants to merge 2 commits into cloudfoundry:main from ZPascal:make-the-used-password-algorithm-configurable

Conversation

@ZPascal (Contributor) commented Jul 13, 2024

Description:
The PR makes the password_encryption method centrally configurable within the BOSH release.

TODO:

  • Create a dev release
  • Test the dev release with psql


Copilot AI left a comment


Pull request overview

This PR makes the PostgreSQL password hashing/authentication algorithm configurable across the BOSH release instead of being hard-coded to md5. A new databases.password_authentication_algorithm property (default scram-sha-256) is introduced and threaded into both postgresql.conf (as password_encryption) and pg_hba.conf (as the local/host auth method).

Changes:

  • Add a new spec property databases.password_authentication_algorithm defaulting to scram-sha-256.
  • Render password_encryption in postgresql.conf.erb from the new property.
  • Replace the hard-coded md5 auth methods in pg_hba.conf.erb with the new property.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

  • jobs/postgres/spec: Declares the new password_authentication_algorithm property and its default.
  • jobs/postgres/templates/postgresql.conf.erb: Sets password_encryption from the new property.
  • jobs/postgres/templates/pg_hba.conf.erb: Replaces the two hard-coded md5 auth methods with the property.
Comments suppressed due to low confidence (2)

jobs/postgres/spec:74

  • Reusing a single property databases.password_authentication_algorithm for both postgresql.conf's password_encryption setting and pg_hba.conf's authentication method conflates two different concerns. password_encryption only accepts md5 or scram-sha-256, whereas the pg_hba auth-method column legitimately supports other values like password, cert, peer, trust, etc. Operators who want, for example, scram-sha-256 storage with password (cleartext-over-TLS) auth — a valid combination — cannot express it. Consider splitting into two properties (e.g. password_encryption and host_auth_method) or documenting explicitly that only the two enum values are supported.
  databases.password_authentication_algorithm:
      description: "Defines the central algorithm for encrypting passwords e.g. md5 or scram-sha-256"
      default: "scram-sha-256"

jobs/postgres/spec:74

  • The property name password_authentication_algorithm is misleading: in postgresql.conf this controls the password storage/hashing algorithm (password_encryption), not the authentication algorithm itself. A name like password_encryption (matching the postgres setting) would be clearer and more discoverable for operators familiar with PostgreSQL.
  databases.password_authentication_algorithm:
      description: "Defines the central algorithm for encrypting passwords e.g. md5 or scram-sha-256"
      default: "scram-sha-256"

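The review above turns on the fact that password_encryption and the pg_hba auth method accept different value sets. The following Ruby script is an added illustration, not code from this PR or the cloudfoundry postgres release: it stands in for the two BOSH ERB templates with assumed minimal template strings, validates each concern against its own allowed list, and shows why one shared property (the PR's approach, modelled by the default of host_auth_method) cannot express the scram-sha-256 storage plus password auth combination the reviewer mentions.

```ruby
require 'erb'

# Values PostgreSQL accepts for password_encryption (storage hashing) versus the
# pg_hba.conf auth-method column. Both lists are written here for the example,
# not taken from the release's spec.
PASSWORD_ENCRYPTION_VALUES = %w[md5 scram-sha-256].freeze
HBA_AUTH_METHODS = %w[md5 scram-sha-256 password cert peer trust].freeze

# Assumed stand-ins for the release's postgresql.conf.erb and pg_hba.conf.erb.
POSTGRESQL_CONF_ERB = "password_encryption = '<%= password_encryption %>'\n"
PG_HBA_CONF_ERB = <<~ERB
  local all all           <%= host_auth_method %>
  host  all all 0.0.0.0/0 <%= host_auth_method %>
ERB

def valid_password_encryption?(value)
  PASSWORD_ENCRYPTION_VALUES.include?(value)
end

def valid_host_auth_method?(value)
  HBA_AUTH_METHODS.include?(value)
end

# Render both files. host_auth_method defaults to password_encryption, which is the
# single-property behaviour of the PR; passing it explicitly models the reviewer's split.
def render_configs(password_encryption:, host_auth_method: password_encryption)
  unless valid_password_encryption?(password_encryption)
    raise ArgumentError, "password_encryption must be one of #{PASSWORD_ENCRYPTION_VALUES.join(', ')}, got #{password_encryption.inspect}"
  end
  unless valid_host_auth_method?(host_auth_method)
    raise ArgumentError, "pg_hba auth method must be one of #{HBA_AUTH_METHODS.join(', ')}, got #{host_auth_method.inspect}"
  end
  {
    'postgresql.conf' => ERB.new(POSTGRESQL_CONF_ERB).result_with_hash(password_encryption: password_encryption),
    'pg_hba.conf' => ERB.new(PG_HBA_CONF_ERB).result_with_hash(host_auth_method: host_auth_method)
  }
end

if __FILE__ == $PROGRAM_NAME
  puts render_configs(password_encryption: 'scram-sha-256').values
  puts render_configs(password_encryption: 'scram-sha-256', host_auth_method: 'password').values
  begin
    render_configs(password_encryption: 'password') # rejected: valid hba method, invalid storage algorithm
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```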

Alphasite previously approved these changes May 13, 2026
github-project-automation bot moved this from Inbox to Pending Merge | Prioritized in Foundational Infrastructure Working Group May 13, 2026
ZPascal force-pushed the make-the-used-password-algorithm-configurable branch from 6980d14 to 31fc749 May 14, 2026 17:13