Require SCRAM authentication of the monitoring user

szelenka · szelenka-cisco · web-flow · commit 29b438581967 · 2022-11-16T17:37:36.000-06:00
The PostgreSQL STIG requires that password authentication be done using scram-sha-256. Co-authored-by: Scott Zelenka <szelenka@cisco.com> Issue: #3424 See: https://www.stigviewer.com/stig/crunchy_data_postgresql/2022-06-13/finding/V-233519
diff --git a/internal/pgmonitor/postgres.go b/internal/pgmonitor/postgres.go
@@ -39,9 +39,9 @@ func PostgreSQLHBAs(inCluster *v1beta1.PostgresCluster, outHBAs *postgres.HBAs)
 		// https://kubernetes.io/docs/concepts/cluster-administration/networking/
 		// https://releases.k8s.io/v1.21.0/pkg/kubelet/kubelet_pods.go#L343
 		outHBAs.Mandatory = append(outHBAs.Mandatory, *postgres.NewHBA().TCP().
-			User(MonitoringUser).Network("127.0.0.0/8").Method("md5"))
+			User(MonitoringUser).Network("127.0.0.0/8").Method("scram-sha-256"))
 		outHBAs.Mandatory = append(outHBAs.Mandatory, *postgres.NewHBA().TCP().
-			User(MonitoringUser).Network("::1/128").Method("md5"))
+			User(MonitoringUser).Network("::1/128").Method("scram-sha-256"))
 	}
 }
 
diff --git a/internal/pgmonitor/postgres_test.go b/internal/pgmonitor/postgres_test.go
@@ -46,8 +46,8 @@ func TestPostgreSQLHBA(t *testing.T) {
 		outHBAs := postgres.HBAs{}
 		PostgreSQLHBAs(inCluster, &outHBAs)
 
-		assert.Equal(t, outHBAs.Mandatory[0].String(), `host all "ccp_monitoring" "127.0.0.0/8" md5`)
-		assert.Equal(t, outHBAs.Mandatory[1].String(), `host all "ccp_monitoring" "::1/128" md5`)
+		assert.Equal(t, outHBAs.Mandatory[0].String(), `host all "ccp_monitoring" "127.0.0.0/8" scram-sha-256`)
+		assert.Equal(t, outHBAs.Mandatory[1].String(), `host all "ccp_monitoring" "::1/128" scram-sha-256`)
 	})
 }
 

Original file line number	Diff line number	Diff line change
`@@ -39,9 +39,9 @@ func PostgreSQLHBAs(inCluster v1beta1.PostgresCluster, outHBAs postgres.HBAs)`
`39`	`39`	`// https://kubernetes.io/docs/concepts/cluster-administration/networking/`
`40`	`40`	`// https://releases.k8s.io/v1.21.0/pkg/kubelet/kubelet_pods.go#L343`
`41`	`41`	`outHBAs.Mandatory = append(outHBAs.Mandatory, *postgres.NewHBA().TCP().`
`42`		`- User(MonitoringUser).Network("127.0.0.0/8").Method("md5"))`
	`42`	`+ User(MonitoringUser).Network("127.0.0.0/8").Method("scram-sha-256"))`
`43`	`43`	`outHBAs.Mandatory = append(outHBAs.Mandatory, *postgres.NewHBA().TCP().`
`44`		`- User(MonitoringUser).Network("::1/128").Method("md5"))`
	`44`	`+ User(MonitoringUser).Network("::1/128").Method("scram-sha-256"))`
`45`	`45`	`}`
`46`	`46`	`}`
`47`	`47`
Original file line number	Diff line number	Diff line change
`@@ -46,8 +46,8 @@ func TestPostgreSQLHBA(t *testing.T) {`
`46`	`46`	`outHBAs := postgres.HBAs{}`
`47`	`47`	`PostgreSQLHBAs(inCluster, &outHBAs)`
`48`	`48`
`49`		- assert.Equal(t, outHBAs.Mandatory[0].String(), `host all "ccp_monitoring" "127.0.0.0/8" md5`)
`50`		- assert.Equal(t, outHBAs.Mandatory[1].String(), `host all "ccp_monitoring" "::1/128" md5`)
	`49`	+ assert.Equal(t, outHBAs.Mandatory[0].String(), `host all "ccp_monitoring" "127.0.0.0/8" scram-sha-256`)
	`50`	+ assert.Equal(t, outHBAs.Mandatory[1].String(), `host all "ccp_monitoring" "::1/128" scram-sha-256`)
`51`	`51`	`})`
`52`	`52`	`}`
`53`	`53`