Request: Configurable Password Complexity and Length for PostgresUser #289

@pretzelmaker

Description:

The currently auto-generated passwords for PostgresUser resources are inflexible, which causes issues when interacting with managed Postgres instances that enforce strict password policies (e.g., GCP Cloud SQL, AWS RDS).

Problem:

  1. Limited Character Set: The GetSecureRandomString function in pkg/utils/random.go only utilizes alphanumeric characters ([a-zA-Z0-9]). It explicitly lacks support for special characters, which are frequently a requirement for strong passwords.
  2. Fixed Length: The password length is hardcoded to 15 characters in internal/controller/postgresuser_controller.go, which may not meet minimum length requirements for some organizations or compliance standards.
  3. Inefficient Retry Behavior: If a generated password fails the database's validation policy (e.g., "password must contain a special character"), the operator simply receives an error and retries the reconciliation loop with the same inadequate generation logic, never resolving the issue.

Suggested Approach:

Update the PostgresUser CRD, the operator logic, and the Helm chart to support configurable password generation standards.

Desired Features:

  1. Backward Compatibility:
    • The default behavior must remain unchanged to prevent breaking changes for existing users.
  2. Configurable Length:
    • Minimum Length: Ability to specify the minimum length.
    • Maximum Length: Ability to specify a maximum length to comply with specific system constraints (e.g., legacy systems or interface limits).
  3. Complexity Requirements: Introduce fields to enforce minimum counts of:
    • Uppercase letters
    • Lowercase letters
    • Numeric digits
    • Special characters (e.g., !@#$%^&*)
  4. Character Restrictions:
    • Excluded Characters: Ability to explicitly exclude specific characters (e.g., @, /, ", ', or spaces) that might break connection strings or are forbidden by specific cloud providers (e.g., AWS RDS often has restrictions on /, @, ").
    • First Character Requirement: Option to enforce that the password must start with a letter (some systems/parsers do not accept passwords starting with a number or special character).
  5. Helm Chart Configuration:
    • Expose equivalent configuration options in values.yaml to allow setting global defaults for the operator, which can be overridden by individual PostgresUser CRs if needed.

Reference:

Implementing these changes would greatly enhance the operator's compatibility with managed database services and allow users to adhere to their internal security best practices.
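
An added example, not code from the operator or from the issue author: a generator that honors a length, per-class minimum counts and an excluded-character list as requested above, drawing every character from crypto/rand and shuffling so the required characters do not sit at fixed positions. The `Policy` struct, its field names, `randInt` and `Generate` are hypothetical; the minimum/maximum length pair is collapsed to a single `Length`, and the first-character rule is left out.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"strings"
)

// Policy is a hypothetical shape for the requested settings, not the operator's CRD.
type Policy struct {
	Length, MinUpper, MinLower, MinDigit, MinSpecial int    // assumed non-negative
	Specials, Exclude                                string // ASCII characters only
}

func randInt(n int) int { // uniform in [0, n) from crypto/rand, no modulo bias
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		panic(err) // entropy source failed; never fall back to a weaker one
	}
	return int(v.Int64())
}

// Generate returns a password that meets p, or an error if p cannot be satisfied.
func Generate(p Policy) (string, error) {
	sets := []string{"ABCDEFGHIJKLMNOPQRSTUVWXYZ", "abcdefghijklmnopqrstuvwxyz", "0123456789", p.Specials}
	mins := []int{p.MinUpper, p.MinLower, p.MinDigit, p.MinSpecial}
	all, want, out := "", 0, []byte{}
	excluded := func(r rune) bool { return strings.ContainsRune(p.Exclude, r) }
	for i := range sets {
		sets[i] = strings.Join(strings.FieldsFunc(sets[i], excluded), "") // drop excluded chars
		all, want = all+sets[i], want+mins[i]
		for n := 0; n < mins[i] && sets[i] != ""; n++ { // required characters first
			out = append(out, sets[i][randInt(len(sets[i]))])
		}
	}
	if len(out) != want || want > p.Length || all == "" {
		return "", fmt.Errorf("policy unsatisfiable: class fully excluded or minimums exceed length %d", p.Length)
	}
	for len(out) < p.Length { // pad from the whole allowed alphabet
		out = append(out, all[randInt(len(all))])
	}
	for i := len(out) - 1; i > 0; i-- { // Fisher-Yates: required chars get no fixed position
		j := randInt(i + 1)
		out[i], out[j] = out[j], out[i]
	}
	return string(out), nil
}

func main() { fmt.Println(Generate(Policy{Length: 20, MinDigit: 2, MinSpecial: 2, Specials: "!#$%^&*"})) }
```

Returning an error for an unsatisfiable policy lets a controller surface the misconfiguration instead of retrying with the same generation logic.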
