[bitnami/postgresql-pgpool] encrypt health check passwords inside pgp…

…ool.conf Signed-off-by: Yukha Dharmeswara <[email protected]>
bitnami · Oct 29, 2024 · f2d24d8 · f2d24d8
1 parent c41d3eb
commit f2d24d8
Showing 1 changed file with 31 additions and 2 deletions.
diff --git a/bitnami/pgpool/4/debian-12/rootfs/opt/bitnami/scripts/libpgpool.sh b/bitnami/pgpool/4/debian-12/rootfs/opt/bitnami/scripts/libpgpool.sh
@@ -493,15 +493,15 @@ pgpool_create_config() {
     # Streaming Replication Check settings
     # https://www.pgpool.net/docs/latest/en/html/runtime-streaming-replication-check.html
     pgpool_set_property "sr_check_user" "$PGPOOL_SR_CHECK_USER"
-    pgpool_set_property "sr_check_password" "$PGPOOL_SR_CHECK_PASSWORD"
+    pgpool_set_property "sr_check_password" "$(pgpool_encrypt_password ${PGPOOL_SR_CHECK_PASSWORD})"
     pgpool_set_property "sr_check_period" "$PGPOOL_SR_CHECK_PERIOD"
     pgpool_set_property "sr_check_database" "$PGPOOL_SR_CHECK_DATABASE"
     # Healthcheck per node settings
     # https://www.pgpool.net/docs/latest/en/html/runtime-config-health-check.html
     pgpool_set_property "health_check_period" "$PGPOOL_HEALTH_CHECK_PERIOD"
     pgpool_set_property "health_check_timeout" "$PGPOOL_HEALTH_CHECK_TIMEOUT"
     pgpool_set_property "health_check_user" "$PGPOOL_HEALTH_CHECK_USER"
-    pgpool_set_property "health_check_password" "$PGPOOL_HEALTH_CHECK_PASSWORD"
+    pgpool_set_property "health_check_password" "$(pgpool_encrypt_password ${PGPOOL_HEALTH_CHECK_PASSWORD})"
     pgpool_set_property "health_check_max_retries" "$PGPOOL_HEALTH_CHECK_MAX_RETRIES"
     pgpool_set_property "health_check_retry_delay" "$PGPOOL_HEALTH_CHECK_RETRY_DELAY"
     pgpool_set_property "connect_timeout" "$PGPOOL_CONNECT_TIMEOUT"
@@ -591,6 +591,35 @@ pgpool_generate_password_file() {
     fi
 }
 
+########################
+# Encrypts a password
+# Globals:
+#   PGPOOL_*
+# Arguments:
+#   $1 - password
+# Returns:
+#   None
+#########################
+pgpool_encrypt_password() {
+    local -r password="${1:?missing password}"
+
+    local -a password_encryption_cmd=("pg_md5")
+
+    if [[ "$PGPOOL_AUTHENTICATION_METHOD" = "scram-sha-256" ]]; then
+
+        if is_file_writable "$PGPOOLKEYFILE"; then
+            # Creating a PGPOOLKEYFILE as it is writeable
+            echo "$PGPOOL_AES_KEY" > "$PGPOOLKEYFILE"
+            # Fix permissions for PGPOOLKEYFILE
+            chmod 0600 "$PGPOOLKEYFILE"
+        fi
+        password_encryption_cmd=("pg_enc" "--key-file=${PGPOOLKEYFILE}")
+        debug_execute "${password_encryption_cmd[@]}" "$password" | grep -o -E "AES.+" | tr -d '\n'
+    else
+        debug_execute "${password_encryption_cmd[@]}" "$password" | tr -d '\n'
+    fi
+}
+
 ########################
 # Run custom initialization scripts
 # Globals: