def-
diff --git a/‎Cargo.lock‎
Lines changed: 9 additions & 5 deletions b/‎Cargo.lock‎
Lines changed: 9 additions & 5 deletions
diff --git a/‎src/adapter/src/catalog/builtin_table_updates.rs‎
Lines changed: 1 addition & 0 deletions b/‎src/adapter/src/catalog/builtin_table_updates.rs‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/adapter/src/coord.rs‎
Lines changed: 16 additions & 9 deletions b/‎src/adapter/src/coord.rs‎
Lines changed: 16 additions & 9 deletions
diff --git a/‎src/persist/src/postgres.rs‎
Lines changed: 8 additions & 4 deletions b/‎src/persist/src/postgres.rs‎
Lines changed: 8 additions & 4 deletions
diff --git a/‎src/postgres-util/src/lib.rs‎
Lines changed: 16 additions & 21 deletions b/‎src/postgres-util/src/lib.rs‎
Lines changed: 16 additions & 21 deletions
diff --git a/‎src/proto/Cargo.toml‎
Lines changed: 2 additions & 0 deletions b/‎src/proto/Cargo.toml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/proto/build.rs‎
Lines changed: 4 additions & 1 deletion b/‎src/proto/build.rs‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎src/proto/src/lib.rs‎
Lines changed: 12 additions & 0 deletions b/‎src/proto/src/lib.rs‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎src/proto/src/tokio_postgres.proto‎
Lines changed: 25 additions & 0 deletions b/‎src/proto/src/tokio_postgres.proto‎
Lines changed: 25 additions & 0 deletions
@@ -311,6 +311,7 @@ impl CatalogState {
                     mz_storage::client::connections::Connection::Csr { .. } => {
                         "confluent-schema-registry"
                     }
+                    mz_storage::client::connections::Connection::Postgres { .. } => "postgres",
                 }),
             ]),
             diff,
 
@@ -5501,7 +5501,7 @@ impl<S: Append + 'static> Coordinator<S> {
         let mut sinks_to_drop = vec![];
         let mut indexes_to_drop = vec![];
         let mut recorded_views_to_drop = vec![];
-        let mut replication_slots_to_drop: HashMap<String, Vec<String>> = HashMap::new();
+        let mut replication_slots_to_drop: Vec<(tokio_postgres::Config, String)> = vec![];
         let mut secrets_to_drop = vec![];
 
         for op in &ops {
@@ -5514,14 +5514,17 @@ impl<S: Append + 'static> Coordinator<S> {
                         sources_to_drop.push(*id);
                         match &source.source_desc.connection {
                             SourceConnection::Postgres(PostgresSourceConnection {
-                                conn,
+                                connection,
                                 details,
                                 ..
                             }) => {
-                                replication_slots_to_drop
-                                    .entry(conn.clone())
-                                    .or_insert_with(Vec::new)
-                                    .push(details.slot.clone());
+                                let config = connection
+                                    .config(&self.connection_context.secrets_reader)
+                                    .await
+                                    .unwrap_or_else(|e| {
+                                        panic!("Postgres source {id} missing secrets: {e}")
+                                    });
+                                replication_slots_to_drop.push((config, details.slot.clone()));
                             }
                             _ => {}
                         }
@@ -5607,12 +5610,16 @@ impl<S: Append + 'static> Coordinator<S> {
             if !replication_slots_to_drop.is_empty() {
                 // TODO(guswynn): see if there is more relevant info to add to this name
                 task::spawn(|| "drop_replication_slots", async move {
-                    for (conn, slot_names) in replication_slots_to_drop {
+                    for (config, slot_name) in replication_slots_to_drop {
                         // Try to drop the replication slots, but give up after a while.
                         let _ = Retry::default()
                             .max_duration(Duration::from_secs(30))
-                            .retry_async(|_state| {
-                                mz_postgres_util::drop_replication_slots(&conn, &slot_names)
+                            .retry_async(|_state| async {
+                                mz_postgres_util::drop_replication_slots(
+                                    config.clone(),
+                                    &[&slot_name],
+                                )
+                                .await
                             })
                             .await;
                     }
 
@@ -14,7 +14,9 @@ use std::time::Instant;
 use anyhow::{anyhow, bail, Context};
 use async_trait::async_trait;
 use bytes::Bytes;
-use openssl::ssl::{SslConnector, SslFiletype, SslMethod, SslVerifyMode};
+use openssl::pkey::PKey;
+use openssl::ssl::{SslConnector, SslMethod, SslVerifyMode};
+use openssl::x509::X509;
 use postgres_openssl::MakeTlsConnector;
 use tokio::task::JoinHandle;
 use tokio_postgres::config::SslMode;
@@ -208,15 +210,17 @@ fn make_tls(config: &tokio_postgres::Config) -> Result<MakeTlsConnector, anyhow:
     // Configure certificates
     match (config.get_ssl_cert(), config.get_ssl_key()) {
         (Some(ssl_cert), Some(ssl_key)) => {
-            builder.set_certificate_file(ssl_cert, SslFiletype::PEM)?;
-            builder.set_private_key_file(ssl_key, SslFiletype::PEM)?;
+            builder.set_certificate(&*X509::from_pem(ssl_cert)?)?;
+            builder.set_private_key(&*PKey::private_key_from_pem(ssl_key)?)?;
         }
         (None, Some(_)) => bail!("must provide both sslcert and sslkey, but only provided sslkey"),
         (Some(_), None) => bail!("must provide both sslcert and sslkey, but only provided sslcert"),
         _ => {}
     }
     if let Some(ssl_root_cert) = config.get_ssl_root_cert() {
-        builder.set_ca_file(ssl_root_cert)?
+        builder
+            .cert_store_mut()
+            .add_cert(X509::from_pem(ssl_root_cert)?)?;
     }
 
     let mut tls_connector = MakeTlsConnector::new(builder.build());
 
@@ -10,7 +10,9 @@
 //! PostgreSQL utility library.
 
 use anyhow::{anyhow, bail};
-use openssl::ssl::{SslConnector, SslFiletype, SslMethod, SslVerifyMode};
+use openssl::pkey::PKey;
+use openssl::ssl::{SslConnector, SslMethod, SslVerifyMode};
+use openssl::x509::X509;
 use postgres_openssl::MakeTlsConnector;
 use std::time::Duration;
 use tokio_postgres::config::{ReplicationMode, SslMode};
@@ -52,15 +54,17 @@ pub fn make_tls(config: &Config) -> Result<MakeTlsConnector, anyhow::Error> {
     // Configure certificates
     match (config.get_ssl_cert(), config.get_ssl_key()) {
         (Some(ssl_cert), Some(ssl_key)) => {
-            builder.set_certificate_file(ssl_cert, SslFiletype::PEM)?;
-            builder.set_private_key_file(ssl_key, SslFiletype::PEM)?;
+            builder.set_certificate(&*X509::from_pem(ssl_cert)?)?;
+            builder.set_private_key(&*PKey::private_key_from_pem(ssl_key)?)?;
         }
         (None, Some(_)) => bail!("must provide both sslcert and sslkey, but only provided sslkey"),
         (Some(_), None) => bail!("must provide both sslcert and sslkey, but only provided sslcert"),
         _ => {}
     }
     if let Some(ssl_root_cert) = config.get_ssl_root_cert() {
-        builder.set_ca_file(ssl_root_cert)?
+        builder
+            .cert_store_mut()
+            .add_cert(X509::from_pem(ssl_root_cert)?)?;
     }
 
     let mut tls_connector = MakeTlsConnector::new(builder.build());
@@ -85,13 +89,12 @@ pub fn make_tls(config: &Config) -> Result<MakeTlsConnector, anyhow::Error> {
 /// - Invalid connection string, user information, or user permissions.
 /// - Upstream publication does not exist or contains invalid values.
 pub async fn publication_info(
-    conn: &str,
+    config: &Config,
     publication: &str,
 ) -> Result<Vec<PostgresTableDesc>, anyhow::Error> {
-    let config = conn.parse()?;
     let tls = make_tls(&config)?;
     let (client, connection) = config.connect(tls).await?;
-    task::spawn(|| format!("postgres_publication_info:{conn}"), connection);
+    task::spawn(|| "postgres_publication_info", connection);
 
     client
         .query(
@@ -169,16 +172,12 @@ pub async fn publication_info(
     Ok(table_infos)
 }
 
-pub async fn drop_replication_slots(conn: &str, slots: &[String]) -> Result<(), anyhow::Error> {
-    let config = conn.parse()?;
+pub async fn drop_replication_slots(config: Config, slots: &[&str]) -> Result<(), anyhow::Error> {
     let tls = make_tls(&config)?;
-    let (client, connection) = tokio_postgres::connect(&conn, tls).await?;
-    task::spawn(
-        || format!("postgres_drop_replication_slots:{conn}"),
-        connection,
-    );
+    let (client, connection) = config.connect(tls).await?;
+    task::spawn(|| "postgres_drop_replication_slots", connection);
 
-    let replication_client = connect_replication(conn).await?;
+    let replication_client = connect_replication(config).await?;
     for slot in slots {
         let rows = client
             .query(
@@ -209,18 +208,14 @@ pub async fn drop_replication_slots(conn: &str, slots: &[String]) -> Result<(),
 }
 
 /// Starts a replication connection to the upstream database
-pub async fn connect_replication(conn: &str) -> Result<Client, anyhow::Error> {
-    let mut config: Config = conn.parse()?;
+pub async fn connect_replication(mut config: Config) -> Result<Client, anyhow::Error> {
     let tls = make_tls(&config)?;
     let (client, connection) = config
         .replication_mode(ReplicationMode::Logical)
         .connect_timeout(Duration::from_secs(30))
         .keepalives_idle(Duration::from_secs(10 * 60))
         .connect(tls)
         .await?;
-    task::spawn(
-        || format!("postgres_connect_replication:{conn}"),
-        connection,
-    );
+    task::spawn(|| "postgres_connect_replication", connection);
     Ok(client)
 }
@@ -15,7 +15,9 @@ mz-ore = { path = "../ore", default-features = false }
 proptest = { git = "https://github.com/MaterializeInc/proptest.git", default-features = false, features = ["std"] }
 prost = { version = "0.10.3", features = ["no-recursion-limit"] }
 regex = "1.6.0"
+serde = { version = "1.0.138", features = ["derive"] }
 serde_json = { version = "1.0.82", features = ["arbitrary_precision"] }
+tokio-postgres = { git = "https://github.com/MaterializeInc/rust-postgres", optional = true }
 url = { version = "2.2.2", features = ["serde"] }
 uuid = "1.1.2"
 
 
@@ -9,6 +9,9 @@
 
 fn main() {
     prost_build::Config::new()
-        .compile_protos(&["proto/src/proto.proto"], &[".."])
+        .compile_protos(
+            &["proto/src/proto.proto", "proto/src/tokio_postgres.proto"],
+            &[".."],
+        )
         .unwrap();
 }
@@ -16,6 +16,9 @@ use uuid::Uuid;
 
 use mz_ore::cast::CastFrom;
 
+#[cfg(feature = "tokio-postgres")]
+pub mod tokio_postgres;
+
 include!(concat!(env!("OUT_DIR"), "/mz_proto.rs"));
 
 /// An error thrown when trying to convert from a `*.proto`-generated type
@@ -38,6 +41,8 @@ pub enum TryFromProtoError {
     /// Indicates an `Option<U>` field in the `Proto$T` that should be set,
     /// but for some reason it is not. In practice this should never occur.
     MissingField(String),
+    /// Indicates an unknown enum variant in `Proto$T`.
+    UnknownEnumVariant(String),
     /// Indicates that the serialized ShardId value failed to deserialize, according
     /// to its custom deserialization logic.
     InvalidShardId(String),
@@ -59,6 +64,11 @@ impl TryFromProtoError {
     pub fn missing_field<T: ToString>(s: T) -> TryFromProtoError {
         TryFromProtoError::MissingField(s.to_string())
     }
+
+    /// Construct a new [`TryFromProtoError::UnknownEnumVariant`] instance.
+    pub fn unknown_enum_variant<T: ToString>(s: T) -> TryFromProtoError {
+        TryFromProtoError::UnknownEnumVariant(s.to_string())
+    }
 }
 
 impl From<TryFromIntError> for TryFromProtoError {
@@ -127,6 +137,7 @@ impl std::fmt::Display for TryFromProtoError {
             DeserializationError(error) => error.fmt(f),
             RowConversionError(msg) => write!(f, "Row packing failed: `{}`", msg),
             MissingField(field) => write!(f, "Missing value for `{}`", field),
+            UnknownEnumVariant(field) => write!(f, "Unknown enum value for `{}`", field),
             InvalidShardId(value) => write!(f, "Invalid value of ShardId found: `{}`", value),
             CodecMismatch(error) => error.fmt(f),
             InvalidPersistState(error) => error.fmt(f),
@@ -156,6 +167,7 @@ impl std::error::Error for TryFromProtoError {
             DateConversionError(_) => None,
             RowConversionError(_) => None,
             MissingField(_) => None,
+            UnknownEnumVariant(_) => None,
             InvalidShardId(_) => None,
             CodecMismatch(_) => None,
             InvalidPersistState(_) => None,
 
@@ -0,0 +1,25 @@
+// Copyright Materialize, Inc. and contributors. All rights reserved.
+//
+// Use of this software is governed by the Business Source License
+// included in the LICENSE file.
+//
+// As of the Change Date specified in that file, in accordance with
+// the Business Source License, use of this software will be governed
+// by the Apache License, Version 2.0.
+
+syntax = "proto3";
+
+import "google/protobuf/empty.proto";
+
+package mz_proto.tokio_postgres;
+
+message ProtoSslMode {
+    oneof kind {
+        google.protobuf.Empty unknown = 1;
+        google.protobuf.Empty disable = 2;
+        google.protobuf.Empty prefer = 3;
+        google.protobuf.Empty require = 4;
+        google.protobuf.Empty verify_ca = 5;
+        google.protobuf.Empty verify_full = 6;
+    }
+}
Original file line number	Diff line number	Diff line change
`@@ -311,6 +311,7 @@ impl CatalogState {`
`311`	`311`	`mz_storage::client::connections::Connection::Csr { .. } => {`
`312`	`312`	`"confluent-schema-registry"`
`313`	`313`	`}`
	`314`	`+ mz_storage::client::connections::Connection::Postgres { .. } => "postgres",`
`314`	`315`	`}),`
`315`	`316`	`]),`
`316`	`317`	`diff,`