diff --git a/proxy/src/auth/backend/link.rs b/proxy/src/auth/backend/link.rs
index 7175a23dc1..077c8a934a 100644
--- a/proxy/src/auth/backend/link.rs
+++ b/proxy/src/auth/backend/link.rs
@@ -87,6 +87,20 @@ pub(super) async fn authenticate(
  .dbname(&db_info.dbname)
  .user(&db_info.user);
 
+ // That is a hack to support new way of accessing compute without using a
+ // NodePort. Now to access compute in cross-k8s setup (console->compute
+ // and link-proxy->compute) we need to connect to the pg_sni_router service
+ // using a TLS. Destination compute address is encoded in domain/SNI.
+ //
+ // However, for link-proxy it is hard add support for outgoing TLS connections
+ // as our trick with stealing stream from tokio-postgres doesn't work with TLS.
+ // So set sni_host option and use unencrupted connection instead. Once we add
+ // encryption support for outgoing connections to the proxy, we can remove
+ // this hack.
+ if db_info.host.contains("cluster.local") {
+ config.options(format!("sni_host={}", db_info.host).as_str());
+ }
+
  if let Some(password) = db_info.password {
  config.password(password.as_ref());
  }
diff --git a/proxy/src/compute.rs b/proxy/src/compute.rs
index 4878992456..c06716156e 100644
--- a/proxy/src/compute.rs
+++ b/proxy/src/compute.rs
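Review bot: `db_info.host.contains("cluster.local")` is a substring test, so any host that merely has that text somewhere in it, not only one under the in-cluster DNS suffix, is routed through the SNI path; if the suffix is what is meant, `if db_info.host.ends_with(".cluster.local") {` is the tighter check. The host is also interpolated into the startup `options` string unescaped, and tokio-postgres' `Config::options` appears to replace rather than append, so any options set earlier on this builder would be lost and a host containing whitespace or a backslash would presumably be read by whatever parses that parameter (pg_sni_router or the server) as extra options; the value likely comes from the console, but rejecting such characters here would make that trust explicit. The new comment misspells `unencrypted` as `unencrupted`.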
@@ -199,16 +199,11 @@ pub struct PostgresConnection {
  impl ConnCfg {
  async fn do_connect(&self) -> Result {
-
- let a = native_tls::TlsConnector::new().unwrap();
- let mut mk: postgres_native_tls::MakeTlsConnector = postgres_native_tls::MakeTlsConnector::new(a);
- let tls: postgres_native_tls::TlsConnector = MakeTlsConnect::::make_tls_connect(&mut mk, "asdf")?;
-
  // TODO: establish a secure connection to the DB.
  let (socket_addr, mut stream) = self.connect_raw().await?;
- let (client, connection) = self.0.connect_raw(&mut stream, tls).await?;
+ let (client, connection) = self.0.connect_raw(&mut stream, NoTls).await?;
  info!("connected to compute node at {socket_addr}");
  // This is very ugly but as of now there's no better way to