set sni_host option in SNI proxy

proxy/src/auth/backend/link.rs

@@ -87,6 +87,20 @@ pub(super) async fn authenticate(
         .dbname(&db_info.dbname)
         .user(&db_info.user);
 
+    // That is a hack to support new way of accessing compute without using a
+    // NodePort. Now to access compute in cross-k8s setup (console->compute
+    // and link-proxy->compute) we need to connect to the pg_sni_router service
+    // using a TLS. Destination compute address is encoded in domain/SNI.
+    //
+    // However, for link-proxy it is hard add support for outgoing TLS connections
+    // as our trick with stealing stream from tokio-postgres doesn't work with TLS.
+    // So set sni_host option and use unencrupted connection instead. Once we add
+    // encryption support for outgoing connections to the proxy, we can remove
+    // this hack.
+    if db_info.host.contains("cluster.local") {
+        config.options(format!("sni_host={}", db_info.host).as_str());
+    }
+
     if let Some(password) = db_info.password {
         config.password(password.as_ref());
     }

proxy/src/compute.rs

@@ -199,16 +199,11 @@ pub struct PostgresConnection {
 
 impl ConnCfg {
     async fn do_connect(&self) -> Result<PostgresConnection, ConnectionError> {
-
-        let a = native_tls::TlsConnector::new().unwrap();
-        let mut mk: postgres_native_tls::MakeTlsConnector = postgres_native_tls::MakeTlsConnector::new(a);
-        let tls: postgres_native_tls::TlsConnector = MakeTlsConnect::<tokio::net::TcpStream>::make_tls_connect(&mut mk, "asdf")?;
-
         // TODO: establish a secure connection to the DB.
         let (socket_addr, mut stream) = self.connect_raw().await?;
 
 
-        let (client, connection) = self.0.connect_raw(&mut stream, tls).await?;
+        let (client, connection) = self.0.connect_raw(&mut stream, NoTls).await?;
         info!("connected to compute node at {socket_addr}");
 
         // This is very ugly but as of now there's no better way to