kandra: Allow PostgreSQL primary ssh access for PostgreSQL upgrade.

This allows scripting of the whole upgrade process; these grants are
temporary.

puppet/kandra/manifests/profile/postgresql.pp

@@ -53,6 +53,13 @@ class kandra::profile::postgresql inherits kandra::profile::base {
       before  => File["${zulip::postgresql_base::postgresql_datadir}/standby.signal"],
       notify  => Exec[$zulip::postgresql_base::postgresql_restart],
     }
+    Kandra::User_Dotfiles['root'] {
+      authorized_keys => ['common', 'postgres-upgrade'],
+    }
+  } else {
+    Kandra::User_Dotfiles['root'] {
+      keys => ['internal-read-only-deploy-key', 'postgres-upgrade'],
+    }
   }
 
   file { "${zulip::postgresql_base::postgresql_confdir}/pg_hba.conf":

puppet/kandra/manifests/profile/prod_app_frontend.pp

@@ -6,7 +6,8 @@ class kandra::profile::prod_app_frontend inherits kandra::profile::base {
     keys => 'internal-limited-write-deploy-key',
   }
   Kandra::User_Dotfiles['zulip'] {
-    keys => 'internal-limited-write-deploy-key',
+    keys            => 'internal-limited-write-deploy-key',
+    authorized_keys => ['common', 'postgres-upgrade-only-supervisor'],
   }
 
   zulip::sysctl { 'conntrack':

puppet/kandra/manifests/profile/staging_app_frontend.pp

@@ -2,6 +2,10 @@ class kandra::profile::staging_app_frontend inherits kandra::profile::base {
 
   include kandra::app_frontend
 
+  Kandra::User_Dotfiles['zulip'] {
+    authorized_keys => ['common', 'postgres-upgrade-only-supervisor'],
+  }
+
   file { '/etc/nginx/sites-available/zulip-staging':
     ensure  => file,
     require => Package['nginx-full'],