From f2d24d8e82f992b5db9f689f18d9559188a458c7 Mon Sep 17 00:00:00 2001
From: Yukha Dharmeswara
Date: Tue, 29 Oct 2024 15:24:41 +0700
Subject: [PATCH 1/2] [bitnami/postgresql-pgpool] encrypt health check passwords inside pgpool.conf
Signed-off-by: Yukha Dharmeswara
---
 .../rootfs/opt/bitnami/scripts/libpgpool.sh | 33 +++++++++++++++++--
 1 file changed, 31 insertions(+), 2 deletions(-)
diff --git a/bitnami/pgpool/4/debian-12/rootfs/opt/bitnami/scripts/libpgpool.sh b/bitnami/pgpool/4/debian-12/rootfs/opt/bitnami/scripts/libpgpool.sh
index 66b83b2829c59..28bb0073a9bc8 100644
--- a/bitnami/pgpool/4/debian-12/rootfs/opt/bitnami/scripts/libpgpool.sh
+++ b/bitnami/pgpool/4/debian-12/rootfs/opt/bitnami/scripts/libpgpool.sh
@@ -493,7 +493,7 @@ pgpool_create_config() {
 # Streaming Replication Check settings
 # https://www.pgpool.net/docs/latest/en/html/runtime-streaming-replication-check.html
 pgpool_set_property "sr_check_user" "$PGPOOL_SR_CHECK_USER"
- pgpool_set_property "sr_check_password" "$PGPOOL_SR_CHECK_PASSWORD"
+ pgpool_set_property "sr_check_password" "$(pgpool_encrypt_password ${PGPOOL_SR_CHECK_PASSWORD})"
 pgpool_set_property "sr_check_period" "$PGPOOL_SR_CHECK_PERIOD"
 pgpool_set_property "sr_check_database" "$PGPOOL_SR_CHECK_DATABASE"
 # Healthcheck per node settings
@@ -501,7 +501,7 @@ pgpool_create_config() {
 pgpool_set_property "health_check_period" "$PGPOOL_HEALTH_CHECK_PERIOD"
 pgpool_set_property "health_check_timeout" "$PGPOOL_HEALTH_CHECK_TIMEOUT"
 pgpool_set_property "health_check_user" "$PGPOOL_HEALTH_CHECK_USER"
- pgpool_set_property "health_check_password" "$PGPOOL_HEALTH_CHECK_PASSWORD"
+ pgpool_set_property "health_check_password" "$(pgpool_encrypt_password ${PGPOOL_HEALTH_CHECK_PASSWORD})"
 pgpool_set_property "health_check_max_retries" "$PGPOOL_HEALTH_CHECK_MAX_RETRIES"
 pgpool_set_property "health_check_retry_delay" "$PGPOOL_HEALTH_CHECK_RETRY_DELAY"
 pgpool_set_property "connect_timeout" "$PGPOOL_CONNECT_TIMEOUT"
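Review bot: `${PGPOOL_SR_CHECK_PASSWORD}` is expanded unquoted inside the command substitution on the added `sr_check_password` line, so a password containing whitespace or glob characters is word-split or globbed before it reaches `pgpool_encrypt_password`, and the same applies to `${PGPOOL_HEALTH_CHECK_PASSWORD}` in the next hunk (@@ -501). Quote both, e.g. `pgpool_set_property "sr_check_password" "$(pgpool_encrypt_password "${PGPOOL_SR_CHECK_PASSWORD}")"`. The exit status of a command substitution used as an argument is also never checked, so if the encryption helper fails the property is silently written as an empty string; capturing the value in a local first, `encrypted="$(pgpool_encrypt_password "${PGPOOL_SR_CHECK_PASSWORD}")" || return 1`, and then passing `"$encrypted"` would surface that. pgpool_create_config starts and ends outside both hunks.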
@@ -591,6 +591,35 @@ pgpool_generate_password_file() {
 fi
 }
+########################
+# Encrypts a password
+# Globals:
+# PGPOOL_*
+# Arguments:
+# $1 - password
+# Returns:
+# None
+#########################
+pgpool_encrypt_password() {
+ local -r password="${1:?missing password}"
+
+ local -a password_encryption_cmd=("pg_md5")
+
+ if [[ "$PGPOOL_AUTHENTICATION_METHOD" = "scram-sha-256" ]]; then
+
+ if is_file_writable "$PGPOOLKEYFILE"; then
+ # Creating a PGPOOLKEYFILE as it is writeable
+ echo "$PGPOOL_AES_KEY" > "$PGPOOLKEYFILE"
+ # Fix permissions for PGPOOLKEYFILE
+ chmod 0600 "$PGPOOLKEYFILE"
+ fi
+ password_encryption_cmd=("pg_enc" "--key-file=${PGPOOLKEYFILE}")
+ debug_execute "${password_encryption_cmd[@]}" "$password" | grep -o -E "AES.+" | tr -d '\n'
+ else
+ debug_execute "${password_encryption_cmd[@]}" "$password" | tr -d '\n'
+ fi
+}
+
 ########################
 # Run custom initialization scripts
 # Globals:
From d7c01c4a8684365c07384f9328203c20f6f1a785 Mon Sep 17 00:00:00 2001
From: Yukha Dharmeswara
Date: Thu, 31 Oct 2024 16:33:38 +0700
Subject: [PATCH 2/2] [bitnami/postgresql-pgpool] encrypt health check passwords inside pgpool.conf
Signed-off-by: Yukha Dharmeswara
---
 .../rootfs/opt/bitnami/scripts/libpgpool.sh | 59 ++++++++++---------
 1 file changed, 31 insertions(+), 28 deletions(-)
diff --git a/bitnami/pgpool/4/debian-12/rootfs/opt/bitnami/scripts/libpgpool.sh b/bitnami/pgpool/4/debian-12/rootfs/opt/bitnami/scripts/libpgpool.sh
index 28bb0073a9bc8..ff2eeaee0fc91 100644
--- a/bitnami/pgpool/4/debian-12/rootfs/opt/bitnami/scripts/libpgpool.sh
+++ b/bitnami/pgpool/4/debian-12/rootfs/opt/bitnami/scripts/libpgpool.sh
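Review bot: The `${1:?missing password}` guard on the added `local -r password=` line does not stop configuration when an empty value is passed: the callers added in this patch invoke the function inside `$(...)`, so the expansion error terminates only that subshell, the message goes to stderr, and the property is still written with an empty string. If an empty password is meant to be rejected, the check belongs in pgpool_create_config where it can abort the run; if a blank value is a supported configuration (the pgpool documentation, as I recall it, describes a blank `sr_check_password`/`health_check_password` as falling back to pool_passwd — confirm), the guard should be dropped and the function should return an empty string for empty input without logging, e.g. `local -r password="${1-}"` followed by `[[ -n "$password" ]] || return 0`.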
@@ -548,6 +548,32 @@ pgpool_create_config() {
 fi
 }
+########################
+# Execute postgresql encrypt command
+# Globals:
+# PGPOOL_*
+# Arguments:
+# $@ - Command to execute
+# Returns:
+# String
+#########################
+pgpool_encrypt_execute() {
+ local -a password_encryption_cmd=("pg_md5")
+
+ if [[ "$PGPOOL_AUTHENTICATION_METHOD" = "scram-sha-256" ]]; then
+
+ if is_file_writable "$PGPOOLKEYFILE"; then
+ # Creating a PGPOOLKEYFILE as it is writeable
+ echo "$PGPOOL_AES_KEY" > "$PGPOOLKEYFILE"
+ # Fix permissions for PGPOOLKEYFILE
+ chmod 0600 "$PGPOOLKEYFILE"
+ fi
+ password_encryption_cmd=("pg_enc" "--key-file=${PGPOOLKEYFILE}")
+ fi
+
+ "${password_encryption_cmd[@]}" "$@"
+}
+
 ########################
 # Generates a password file for local authentication
 # Globals:
@@ -561,20 +587,7 @@ pgpool_generate_password_file() {
 if is_boolean_yes "$PGPOOL_ENABLE_POOL_PASSWD"; then
 info "Generating password file for local authentication..."
- local -a password_encryption_cmd=("pg_md5")
-
- if [[ "$PGPOOL_AUTHENTICATION_METHOD" = "scram-sha-256" ]]; then
-
- if is_file_writable "$PGPOOLKEYFILE"; then
- # Creating a PGPOOLKEYFILE as it is writeable
- echo "$PGPOOL_AES_KEY" > "$PGPOOLKEYFILE"
- # Fix permissions for PGPOOLKEYFILE
- chmod 0600 "$PGPOOLKEYFILE"
- fi
- password_encryption_cmd=("pg_enc" "--key-file=${PGPOOLKEYFILE}")
- fi
-
- debug_execute "${password_encryption_cmd[@]}" -m --config-file="$PGPOOL_CONF_FILE" -u "$PGPOOL_POSTGRES_USERNAME" "$PGPOOL_POSTGRES_PASSWORD"
+ debug_execute pgpool_encrypt_execute -m --config-file="$PGPOOL_CONF_FILE" -u "$PGPOOL_POSTGRES_USERNAME" "$PGPOOL_POSTGRES_PASSWORD"
 if [[ -n "${PGPOOL_POSTGRES_CUSTOM_USERS}" ]]; then
 read -r -a custom_users_list <<<"$(tr ',;' ' ' <<<"${PGPOOL_POSTGRES_CUSTOM_USERS}")"
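Review bot: The key file is still created by `echo "$PGPOOL_AES_KEY" > "$PGPOOLKEYFILE"` under the process umask and only afterwards tightened with `chmod 0600`, so the AES key briefly exists with the default mode if the umask is permissive, and `echo` would misinterpret a key that begins with `-`; this is carried over from pgpool_generate_password_file rather than new, but the move into pgpool_encrypt_execute makes it run on every call. Writing it as `(umask 077 && printf '%s\n' "$PGPOOL_AES_KEY" > "$PGPOOLKEYFILE")` closes both points, and the separate chmod can stay for the case where the file already existed. Since the function now rewrites the key file on each invocation — once per encrypted property from pgpool_create_config and once per entry in the custom-user loop of hunk @@ -582 — consider writing it once from the caller, or guarding the write with a check that the file is absent or differs, so the key is not rewritten repeatedly.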
@@ -582,7 +595,7 @@ pgpool_generate_password_file() {
 local index=0
 for user in "${custom_users_list[@]}"; do
- debug_execute "${password_encryption_cmd[@]}" -m --config-file="$PGPOOL_CONF_FILE" -u "$user" "${custom_passwords_list[$index]}"
+ debug_execute pgpool_encrypt_execute -m --config-file="$PGPOOL_CONF_FILE" -u "$user" "${custom_passwords_list[$index]}"
 ((index += 1))
 done
 fi
@@ -598,25 +611,15 @@ pgpool_generate_password_file() {
 # Arguments:
 # $1 - password
 # Returns:
-# None
+# String
 #########################
 pgpool_encrypt_password() {
 local -r password="${1:?missing password}"
- local -a password_encryption_cmd=("pg_md5")
-
 if [[ "$PGPOOL_AUTHENTICATION_METHOD" = "scram-sha-256" ]]; then
-
- if is_file_writable "$PGPOOLKEYFILE"; then
- # Creating a PGPOOLKEYFILE as it is writeable
- echo "$PGPOOL_AES_KEY" > "$PGPOOLKEYFILE"
- # Fix permissions for PGPOOLKEYFILE
- chmod 0600 "$PGPOOLKEYFILE"
- fi
- password_encryption_cmd=("pg_enc" "--key-file=${PGPOOLKEYFILE}")
- debug_execute "${password_encryption_cmd[@]}" "$password" | grep -o -E "AES.+" | tr -d '\n'
+ pgpool_encrypt_execute "$password" | grep -o -E "AES.+" | tr -d '\n'
 else
- debug_execute "${password_encryption_cmd[@]}" "$password" | tr -d '\n'
+ pgpool_encrypt_execute "$password" | tr -d '\n'
 fi
 }
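Review bot: In the non-SCRAM branch (`pgpool_encrypt_execute "$password" | tr -d '\n'`) the callers now place `pg_md5`'s raw output into `sr_check_password`/`health_check_password`; `pg_md5 <password>` prints the bare hex digest without the `md5` prefix that the `-m` pool_passwd entries carry, and as far as I recall pgpool only treats a pgpool.conf password as md5-hashed when it starts with `md5` — confirm against the pgpool documentation, because otherwise the digest would be sent as a plain-text password and the checks would fail to authenticate. In the SCRAM branch the function's exit status is that of the final `tr` unless `pipefail` is in effect, so a failed `pg_enc` (missing or unreadable key file) yields empty output with status 0 and the caller cannot tell; capturing the result first, `local encrypted; encrypted="$(pgpool_encrypt_execute "$password" | grep -o -E "AES.+")" || return 1; printf '%s' "$encrypted"`, makes the failure visible, and the `$(...)` already strips the trailing newline. The `Returns:` header would be clearer as "the encrypted/hashed password on stdout", since the shell return status is a separate signal.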