I’ve put a detailed explanation of the problem and my proposed fix at http://tickets.opscode.com/browse/COOK-2163.
I have already implemented my proposed fix in my forked cookbook. Just getting this out there to seek comments before I submit a pull request.
In short, It’s merely a coincidence that “assign-postgres-password” has been succeeding. Every recipe[postgresql::server] run resets the password, regardless of whether or what password is currently set.
The coincidence is a counter-intuitive effect of the following pg_hba.conf authorization rules generated by a couple of attributes/default.rb settings:
TYPE DATABASE USER CIDR-ADDRESS METHOD
local all postgres ident
host all all 127.0.0.1/32 md5
My proposal involves making the first of those authorizations permanently hard-coded in the pg_hba.conf.erb template.