Fixes for passwords for FIPS compliance (#2062)

Set password_encryption to scram-sha-256 and re-encrypt db user passwords for FIPS compliance (cherry picked from commit 0e76404357a77a5f773aee6e2b3a5b85d1f514b7) Co-authored-by: Christian M. Adams <chadams@redhat.com>
2026-03-26 21:33:14 +00:00 · 2025-07-28 18:52:59 +01:00
parent 54293a0efb
commit a55829e5d5
2 changed files with 19 additions and 0 deletions
--- a/roles/installer/defaults/main.yml
+++ b/roles/installer/defaults/main.yml
@@ -430,6 +430,9 @@ postgres_init_container_commands: |
  chown 26:0 /var/lib/pgsql/data
  chmod 700 /var/lib/pgsql/data

+# Enable PostgreSQL SCRAM-SHA-256 migration
+postgres_scram_migration_enabled: true
+
 # Configure postgres connection keepalive
 postgres_keepalives: true
 postgres_keepalives_idle: 5
--- a/roles/installer/tasks/database.yml
+++ b/roles/installer/tasks/database.yml
@@ -70,6 +70,22 @@
    - debug:
        msg: "--- Upgrading from {{ old_postgres_pod['metadata']['name'] | default('NONE')}} Pod ---"

+    - name: Migrate from md5 to scram-sha-256
+      k8s_exec:
+        namespace: "{{ ansible_operator_meta.namespace }}"
+        pod: "{{ old_postgres_pod['metadata']['name'] }}"
+        command: |
+          bash -c "
+          psql -U postgres -c \"ALTER SYSTEM SET password_encryption = 'scram-sha-256';\" &&
+          psql -U postgres -c \"SELECT pg_reload_conf();\" &&
+          psql -U postgres -c \"ALTER USER \\\"{{ awx_postgres_user }}\\\" WITH PASSWORD '{{ awx_postgres_pass }}';\"
+          "
+      register: _migration_output
+      no_log: "{{ no_log }}"
+      when:
+        - postgres_scram_migration_enabled
+        - (_old_pg_version.stdout | default(0) | int ) == 13
+
    - name: Upgrade data dir from old Postgres to {{ supported_pg_version }} if applicable
      include_tasks: upgrade_postgres.yml
      when: