Add GUC for specifying sslmode in connections to workers

src/backend/distributed/connection/connection_management.c

@@ -28,9 +28,11 @@
 
 
 int NodeConnectionTimeout = 5000;
+int CitusSSLMode = CITUS_SSL_MODE_PREFER;
 HTAB *ConnectionHash = NULL;
 MemoryContext ConnectionContext = NULL;
 
+
 static uint32 ConnectionHashHash(const void *key, Size keysize);
 static int ConnectionHashCompare(const void *a, const void *b, Size keysize);
 static MultiConnection * StartConnectionEstablishment(ConnectionHashKey *key);
@@ -591,14 +593,15 @@ StartConnectionEstablishment(ConnectionHashKey *key)
 	char nodePortString[12];
 	const char *clientEncoding = GetDatabaseEncodingName();
 	MultiConnection *connection = NULL;
+	const char *sslmode = CitusSSLModeString();
 
 	const char *keywords[] = {
-		"host", "port", "dbname", "user",
+		"host", "port", "dbname", "user", "sslmode",
 		"client_encoding", "fallback_application_name",
 		NULL
 	};
 	const char *values[] = {
-		key->hostname, nodePortString, key->database, key->user,
+		key->hostname, nodePortString, key->database, key->user, sslmode,
 		clientEncoding, "citus", NULL
 	};
 
@@ -624,6 +627,52 @@ StartConnectionEstablishment(ConnectionHashKey *key)
 }
 
 
+/*
+ * CitusSSLModeString returns the current value of citus.sslmode.
+ */
+char *
+CitusSSLModeString(void)
+{
+	switch (CitusSSLMode)
+	{
+		case CITUS_SSL_MODE_DISABLE:
+		{
+			return "disable";
+		}
+
+		case CITUS_SSL_MODE_ALLOW:
+		{
+			return "allow";
+		}
+
+		case CITUS_SSL_MODE_PREFER:
+		{
+			return "prefer";
+		}
+
+		case CITUS_SSL_MODE_REQUIRE:
+		{
+			return "require";
+		}
+
+		case CITUS_SSL_MODE_VERIFY_CA:
+		{
+			return "verify-ca";
+		}
+
+		case CITUS_SSL_MODE_VERIFY_FULL:
+		{
+			return "verify-full";
+		}
+
+		default:
+		{
+			ereport(ERROR, (errmsg("unrecognized value for citus.sslmode")));
+		}
+	}
+}
+
+
 /*
  * Close all remote connections if necessary anymore (i.e. not session
  * lifetime), or if in a failed state.

src/backend/distributed/shared_library_init.c

@@ -22,7 +22,6 @@
 #include "distributed/backend_data.h"
 #include "distributed/citus_nodefuncs.h"
 #include "distributed/connection_management.h"
-#include "distributed/connection_management.h"
 #include "distributed/distributed_deadlock_detection.h"
 #include "distributed/maintenanced.h"
 #include "distributed/master_metadata_utility.h"
@@ -110,6 +109,16 @@ static const struct config_enum_entry multi_shard_commit_protocol_options[] = {
 	{ NULL, 0, false }
 };
 
+static const struct config_enum_entry citus_ssl_mode_options[] = {
+	{ "disable", CITUS_SSL_MODE_DISABLE, false },
+	{ "allow", CITUS_SSL_MODE_ALLOW, false },
+	{ "prefer", CITUS_SSL_MODE_PREFER, false },
+	{ "require", CITUS_SSL_MODE_REQUIRE, false },
+	{ "verify-ca", CITUS_SSL_MODE_VERIFY_CA, false },
+	{ "verify-full", CITUS_SSL_MODE_VERIFY_FULL, false },
+	{ NULL, 0, false }
+};
+
 static const struct config_enum_entry multi_task_query_log_level_options[] = {
 	{ "off", MULTI_TASK_QUERY_INFO_OFF, false },
 	{ "debug", DEBUG2, false },
@@ -304,6 +313,19 @@ RegisterCitusConfigVariables(void)
 		NULL, NULL, NULL);
 	NormalizeWorkerListPath();
 
+	DefineCustomEnumVariable(
+		"citus.sslmode",
+		gettext_noop("SSL mode to use for connections to worker nodes."),
+		gettext_noop("When connecting to a worker node, specify whether the SSL mode"
+					 "mode for the connection is 'disable', 'allow', 'prefer' "
+					 "(the default), 'require', 'verify-ca' or 'verify-full'."),
+		&CitusSSLMode,
+		CITUS_SSL_MODE_PREFER,
+		citus_ssl_mode_options,
+		PGC_POSTMASTER,
+		GUC_SUPERUSER_ONLY,
+		NULL, NULL, NULL);
+
 	DefineCustomBoolVariable(
 		"citus.binary_master_copy_format",
 		gettext_noop("Use the binary master copy format."),

src/include/distributed/connection_management.h

@@ -14,6 +14,7 @@
 #include "distributed/transaction_management.h"
 #include "distributed/remote_transaction.h"
 #include "lib/ilist.h"
+#include "utils/guc.h"
 #include "utils/hsearch.h"
 #include "utils/timestamp.h"
 
@@ -106,6 +107,23 @@ typedef struct ConnectionHashEntry
 	dlist_head *connections;
 } ConnectionHashEntry;
 
+/*
+ * SSL modes available for connecting to worker nodes.
+ */
+enum CitusSSLMode
+{
+	CITUS_SSL_MODE_DISABLE = 1 << 0,
+	CITUS_SSL_MODE_ALLOW = 1 << 1,
+	CITUS_SSL_MODE_PREFER = 1 << 2,
+	CITUS_SSL_MODE_REQUIRE = 1 << 3,
+	CITUS_SSL_MODE_VERIFY_CA = 1 << 4,
+	CITUS_SSL_MODE_VERIFY_FULL = 1 << 5
+};
+
+
+/* SSL mode to use when connecting to worker nodes */
+extern int CitusSSLMode;
+
 /* maximum duration to wait for connection */
 extern int NodeConnectionTimeout;
 
@@ -133,6 +151,7 @@ extern MultiConnection * StartNodeUserDatabaseConnection(uint32 flags,
 														 int32 port,
 														 const char *user,
 														 const char *database);
+extern char * CitusSSLModeString(void);
 extern void CloseNodeConnectionsAfterTransaction(char *nodeName, int nodePort);
 extern void CloseConnection(MultiConnection *connection);
 extern void ShutdownConnection(MultiConnection *connection);