Send the "password" method to Postgres as "md5" instead

The differences between "password," "md5," and "scram-sha-256" are not
interesting to Postgres novices. This allows one to say "password" in
the API and have secure authentication using usernames and passwords.

The PGO default "password_encryption" has always been "scram-sha-256".

Issue: PGO-2263

Author: cbandy

internal/controller/postgrescluster/postgres.go

@@ -51,7 +51,16 @@ func (*Reconciler) generatePostgresHBA(spec *v1beta1.PostgresHBARule) *postgres.
 
 	result := postgres.NewHBA()
 	result.Origin(spec.Connection)
-	result.Method(spec.Method)
+
+	// The "password" method is not recommended. More likely, the user wants to
+	// use passwords generally. The most compatible method for that is "md5"
+	// which accepts a password in the format in which it is hashed in the database.
+	// - https://www.postgresql.org/docs/current/auth-password.html
+	if spec.Method == "password" {
+		result.Method("md5")
+	} else {
+		result.Method(spec.Method)
+	}
 
 	if len(spec.Databases) > 0 {
 		result.Databases(spec.Databases[0], spec.Databases[1:]...)

internal/controller/postgrescluster/postgres_test.go

@@ -59,6 +59,11 @@ func TestGeneratePostgresHBA(t *testing.T) {
 			rule:     `{ connection: hostssl, method: md5, options: { clientcert: verify-ca } }`,
 			expected: `"hostssl" all all all "md5"  "clientcert"="verify-ca"`,
 		},
+		// "password" input should be "md5" output
+		{
+			rule:     `{ connection: hostssl, method: password }`,
+			expected: `"hostssl" all all all "md5"`,
+		},
 	} {
 		var rule *v1beta1.PostgresHBARule
 		require.UnmarshalInto(t, &rule, tt.rule)