Hide telegraf password from console and close so-minion race

Two fixes on the postgres telegraf fan-out path:

1. postgres.auth cmd.run leaked the password to the console because
   Salt always prints the Name: field and `show_changes: False` does
   not apply to cmd.run. Move the user and password into the `env:`
   attribute so the shell body still sees them via $PG_USER / $PG_PASS
   but Salt's state reporter never renders them.

2. so-minion's addMinion -> setupMinionFiles sequence removes the
   minion pillar file and rewrites it from scratch, which wipes the
   postgres.telegraf.* entries the reactor may have already written on
   salt-key accept. Add a postgres.auth fan-out step to
   orch.deploy_newnode (the orch so-minion kicks off after
   setupMinionFiles) and require it from the new minion's highstate.
   Idempotent via the existing unless: guard in postgres.auth.
Mike Reeves
2026-04-21 15:10:57 -04:00
parent 81c0f2b464
commit 1abfd77351
2 changed files with 22 additions and 2 deletions
@@ -12,6 +12,21 @@
attempts: 36
interval: 5
# so-minion's setupMinionFiles rebuilds the new minion's pillar file from
# scratch, wiping any postgres.telegraf.* entries the reactor may have written
# on salt-key accept. Re-fan the cred here so the highstate below sees it.
# Idempotent via the unless: guard in postgres.auth.
manager_fanout_postgres_telegraf_{{NEWNODE}}:
salt.state:
- tgt: {{ MANAGER }}
- sls:
- postgres.auth
- queue: True
- pillar:
postgres_fanout_minion: {{ NEWNODE }}
- require:
- salt: {{NEWNODE}}_update_mine
# we need to prepare the manager for a new searchnode or heavynode
{% if NEWNODE.split('_')|last in ['searchnode', 'heavynode'] %}
manager_run_es_soc:
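Review bot: manager_fanout_postgres_telegraf_{{NEWNODE}} has no retry, while the state directly above it in the context lines carries `attempts: 36` and `interval: 5`. Because the new node's highstate now requires this state, one transient failure of postgres.auth on the manager would skip the whole highstate for the new node. Either add a retry here or say in the comment that a failed fan-out is meant to block the deploy. The comment also leans on "the unless: guard in postgres.auth" for idempotency, and that guard is not part of this file, so it is worth stating what the guard checks when `postgres_fanout_minion` is passed as inline pillar, so a reader can confirm a re-run for an already-provisioned minion is a no-op. Minor style: the Jinja spacing is mixed (`{{NEWNODE}}` in the ID and require, `{{ NEWNODE }}` in the pillar value); pick one.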
@@ -30,3 +45,5 @@ manager_run_es_soc:
- tgt: {{ NEWNODE }}
- highstate: True
- queue: True
- require:
- salt: manager_fanout_postgres_telegraf_{{NEWNODE}}
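Review bot: the `require` added to the highstate block has no comment explaining why a minion's highstate depends on a state targeted at the manager, unlike the fan-out state, which is documented. A one-line comment here pointing back to the setupMinionFiles pillar rewrite would keep the next editor from dropping it as redundant. Also note the dependency is now chained: the fan-out requires `{{NEWNODE}}_update_mine`, so a failed mine update skips the fan-out and in turn this highstate. If that fail-closed behaviour is intended, say so; if the telegraf credential is not essential to a first highstate, consider ordering without a hard requirement.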