puppet: Support password-based PostgreSQL replication.

docs/production/deployment.md

@@ -523,8 +523,10 @@ replication_primary = hostname-of-primary.example.com
 
 The `postgres` user on the replica will need to be able to
 authenticate as the `replicator` user, which may require further
-configuration of `pg_hba.conf` and client certificates on the
-replica.
+configuration of `pg_hba.conf` and client certificates on the replica.
+If you are using password authentication, you can set a
+`postgresql_replication_password` secret in
+`/etc/zulip/zulip-secrets.conf`.
 
 [warm-standby]: https://www.postgresql.org/docs/current/warm-standby.html
 [wal-g]: export-and-import.md#backup-details
@@ -690,7 +692,10 @@ should be done from.
 
 On the [warm standby replicas](#postgresql-warm-standby), set to the
 username that the host should authenticate to the primary PostgreSQL
-server as, for streaming replication.
+server as, for streaming replication. Authentication will be done
+based on the `pg_hba.conf` file; if you are using password
+authentication, you can set a `postgresql_replication_password` secret
+for authentication.
 
 #### `ssl_ca_file`
 

puppet/zulip/manifests/profile/postgresql.pp

@@ -16,6 +16,7 @@ class zulip::profile::postgresql {
   $s3_backups_bucket = zulipsecret('secrets', 's3_backups_bucket', '')
   $replication_primary = zulipconf('postgresql', 'replication_primary', undef)
   $replication_user = zulipconf('postgresql', 'replication_user', undef)
+  $replication_password = zulipsecret('secrets', 'postgresql_replication_password', '')
 
   $ssl_cert_file = zulipconf('postgresql', 'ssl_cert_file', undef)
   $ssl_key_file = zulipconf('postgresql', 'ssl_key_file', undef)

puppet/zulip/templates/postgresql/12/postgresql.conf.template.erb

@@ -794,7 +794,9 @@ archive_mode = on
 archive_command = '/usr/bin/timeout 10m /usr/local/bin/env-wal-g wal-push %p'
 restore_command = '/usr/local/bin/env-wal-g wal-fetch "%f" "%p"'
 <% if @replication_primary != '' && @replication_user != '' -%>
-primary_conninfo = 'host=<%= @replication_primary %> user=<%= @replication_user %>'
+primary_conninfo = 'host=<%= @replication_primary %> user=<%= @replication_user -%>
+<% if @replication_password != '' %> password=<%= @replication_password %><% end -%>
+'
 <% end -%>
 <% end -%>
 

puppet/zulip/templates/postgresql/13/postgresql.conf.template.erb

@@ -825,7 +825,9 @@ archive_mode = on
 archive_command = '/usr/bin/timeout 10m /usr/local/bin/env-wal-g wal-push %p'
 restore_command = '/usr/local/bin/env-wal-g wal-fetch "%f" "%p"'
 <% if @replication_primary != '' && @replication_user != '' -%>
-primary_conninfo = 'host=<%= @replication_primary %> user=<%= @replication_user %>'
+primary_conninfo = 'host=<%= @replication_primary %> user=<%= @replication_user -%>
+<% if @replication_password != '' %> password=<%= @replication_password %><% end -%>
+'
 <% end -%>
 <% end -%>
 

puppet/zulip/templates/postgresql/14/postgresql.conf.template.erb

@@ -846,7 +846,9 @@ archive_mode = on
 archive_command = '/usr/bin/timeout 10m /usr/local/bin/env-wal-g wal-push %p'
 restore_command = '/usr/local/bin/env-wal-g wal-fetch "%f" "%p"'
 <% if @replication_primary != '' && @replication_user != '' -%>
-primary_conninfo = 'host=<%= @replication_primary %> user=<%= @replication_user %>'
+primary_conninfo = 'host=<%= @replication_primary %> user=<%= @replication_user -%>
+<% if @replication_password != '' %> password=<%= @replication_password %><% end -%>
+'
 <% end -%>
 <% end -%>
 

puppet/zulip/templates/postgresql/recovery.conf.template.erb

@@ -2,5 +2,7 @@ standby_mode = on
 restore_command = '/usr/local/bin/env-wal-g wal-fetch "%f" "%p"'
 recovery_target_timeline = 'latest'
 <% if @replication_primary != '' && @replication_user != '' -%>
-primary_conninfo = 'host=<%= @replication_primary %> user=<%= @replication_user %>'
+primary_conninfo = 'host=<%= @replication_primary %> user=<%= @replication_user -%>
+<% if @replication_password != '' %> password=<%= @replication_password %><% end -%>
+'
 <% end -%>