From b64d8b021cc1d8680e5d79fbd5c4bd5c32d41deb Mon Sep 17 00:00:00 2001 From: Vitaliy Kukharik Date: Mon, 20 Feb 2023 15:02:54 +0300 Subject: [PATCH] PITR: password reset for PostgreSQL users --- roles/patroni/tasks/main.yml | 39 +++++++++++++++++++++++++++--------- 1 file changed, 30 insertions(+), 9 deletions(-) diff --git a/roles/patroni/tasks/main.yml b/roles/patroni/tasks/main.yml index 7a0c6c700..41c91a1a0 100644 --- a/roles/patroni/tasks/main.yml +++ b/roles/patroni/tasks/main.yml @@ -840,7 +840,7 @@ when: existing_pgcluster is not defined or not existing_pgcluster|bool tags: patroni, pg_hba, pg_hba_generate -- block: # PITR (custom bootstrap) - superuser and replication +- block: # PITR (custom bootstrap) - password reset for PostgreSQL users - name: Make sure the Master is not in recovery mode command: "{{ postgresql_bin_dir }}/psql -p {{ postgresql_port }} -tAc 'SELECT pg_is_in_recovery()'" register: pg_is_in_recovery 
@@ -850,21 +850,42 @@ changed_when: false when: is_master == "true" - - name: Make sure the postgresql users are present, and password does not differ from the specified + - name: Make sure the superuser and replication users are present, and password does not differ from the specified postgresql_user: db: postgres - name: "{{ item.role }}" - password: "{{ item.pass }}" - role_attr_flags: "{{ item.role_attr }}" + name: "{{ item.name }}" + password: "{{ item.password }}" + role_attr_flags: "{{ item.flags }}" login_unix_socket: "{{ postgresql_unix_socket_dir }}" port: "{{ postgresql_port }}" register: postgresql_user_result loop: - - { role: '{{ patroni_superuser_username }}', pass: '{{ patroni_superuser_password }}', role_attr: 'SUPERUSER' } - - { role: '{{ patroni_replication_username }}', pass: '{{ patroni_replication_password }}', role_attr: 'LOGIN,REPLICATION' } + - { name: '{{ patroni_superuser_username }}', password: '{{ patroni_superuser_password }}', flags: 'SUPERUSER' } + - { name: '{{ patroni_replication_username }}', password: '{{ patroni_replication_password }}', flags: 'LOGIN,REPLICATION' } loop_control: - label: "{{ item.role }}" - when: is_master == "true" + label: "{{ item.name }}" + when: + - is_master == "true" + - (patroni_superuser_username and patroni_superuser_password) is defined + - (patroni_superuser_username and patroni_superuser_password) | length > 0 + - (patroni_replication_username and patroni_replication_password) is defined + - (patroni_replication_username and patroni_replication_password) | length > 0 + + - name: Make sure the postgresql users are present, and password does not differ from the specified + postgresql_user: + db: postgres + name: "{{ item.name }}" + password: "{{ item.password }}" + role_attr_flags: "{{ item.flags }}" + login_unix_socket: "{{ postgresql_unix_socket_dir }}" + port: "{{ postgresql_port }}" + loop: "{{ postgresql_users }}" + loop_control: + label: "{{ item.name }}" + ignore_errors: true + when: + - 
is_master == "true" + - (postgresql_users is defined and postgresql_users | length > 0) - name: Update postgresql authentication in patroni.yml yedit:
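Review bot: Both `postgresql_user` tasks in this hunk loop over items that carry plaintext passwords but set no `no_log: true`; `loop_control.label` only tidies the default console output, so verbose runs, failure output and the registered `postgresql_user_result` can still expose `item.password`. Adding `no_log: true` to each task closes that. The new `postgresql_users` task also sets `ignore_errors: true`, so a failed reset after a PITR restore leaves the role with whatever password the restored data carried while the play continues; consider dropping it, or registering the result and failing explicitly. The guards of the form `(patroni_superuser_username and patroni_superuser_password) is defined` test the result of the `and` expression rather than each variable, so they probably do not protect against an undefined variable as intended; a per-variable `is defined` check would be clearer. The enclosing `block:` starts before this hunk and continues after it, so a block-level `no_log` or `when` outside the visible lines may already cover part of this.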