Puppetdb passes the database_password parameter to ::postgresql::server::db as cleartext, but ::postgresql::server::db is expecting encrypted text
- puppetdb::init invokes puppetdb::server with database_password, which defaults to cleartext 'puppetdb' (see lines 100 and 126). This is correct, as the client side of the database connection needs to have the cleartext password (puppetdb::server invokes puppetdb::server::database and puppetdb::server::read_database; these need the cleartext password
- puppetdb::init also invokes puppetdb::database::postgresql with database_password also set to the same (cleartext) value (see line 159). puppetdb::database::postgresql passes this parameter along to postgresql::server::db (see line 35). BUT postgresql::server::db is expecting a hashed password, not a cleartext one.
- I believe the fix is to modify pupptedb::database::postgresql line 35 to hash the password
password => postgresql_password($database_username, $database_password)
Also see ::postgresql::server::role, especially the last few lines.