feat: Add configurable password policy for PostgresUser

[pretzelmaker]

This PR introduces a comprehensive and configurable password generation policy for the PostgresUser resource as proposed at #289. It addresses the need for stricter security compliance (e.g., minimum complexity requirements) and compatibility with legacy applications (e.g., ensuring passwords start with a letter).

Key Features:

1. Global Operator Configuration:

• Introduces new environment variables to set default password policies for all users managed by an operator instance.

• New Env Vars:

  • POSTGRES_DEFAULT_PASSWORD_LENGTH (Default: 15)
  • POSTGRES_DEFAULT_PASSWORD_MIN_LOWER
  • POSTGRES_DEFAULT_PASSWORD_MIN_UPPER
  • POSTGRES_DEFAULT_PASSWORD_MIN_NUMERIC
  • POSTGRES_DEFAULT_PASSWORD_MIN_SPECIAL
  • POSTGRES_DEFAULT_PASSWORD_EXCLUDE_CHARS
  • POSTGRES_DEFAULT_PASSWORD_ENSURE_FIRST_LETTER

2. Per-CRD Override:

• Updates the PostgresUser CRD to allow overriding the default 15 character alphanumeric password generator via a new spec.passwordPolicy field.

3. Enhanced Generator Logic:

• Refactors [pkg/utils/random.go] to support granular complexity requirements (min counts for character classes) and character exclusion.
• Includes a "Fail Fast" mechanism: The operator will verify configuration on startup and panic if invalid integer values are provided, preventing silent misconfiguration.

4. Helm Chart Updates:

• Bumps chart version to 3.1.0 and app version to 2.5.0.
• Exposes all new configuration options in [values.yaml] under postgres.passwordPolicy.

Testing:

• Added comprehensive unit tests in [pkg/utils/random_test.go] covering:
  • Default behavior (backwards compatibility).
  • Length validation.
  • Character class minimums.
  • Character exclusion.
  • "Ensure first letter" logic.
• Ran make fmt, make vet, and make generate to ensure code quality and up-to-date generated files.

This PR will close #289

[pretzelmaker]

Any chance I can get a bump in attention on this one @hitman99 or @tkcontiant?

[hitman99]

I'll check it out on Monday

[tkcontiant]

Question from my side:
Do you think the default policy will trigger password regeneration on existing installations?

[pretzelmaker]

Question from my side: Do you think the default policy will trigger password regeneration on existing installations?

The password generation only occurs during the reconciliation loop if the Secret is not found.

[pretzelmaker]

@hitman99 - Any chance this can hit your radar?

[hitman99]

Thank you for this contribution. We already have a sizeable amount of env vars and I don't think adding more for this specific use case is the right path. @pretzelmaker Would you be willing to implement this config in a config file mountable via ConfigMap?