Add neon.safekeeper_conninfo_options GUC

[tristan957]

In order to enable TLS connections between computes and safekeepers, we need to provide the control plane with a way to configure the various libpq keyword parameters, sslmode and sslrootcert. neon.safekeepers is a comma separated list of safekeepers formatted as host:port, so isn't available for extension in the same way that neon.pageserver_connstring is. This could be remedied in a future PR.

Part-of: https://github.com/neondatabase/cloud/issues/25823
Link: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS

[github-actions]

If this PR added a GUC in the Postgres fork or neon extension,
please regenerate the Postgres settings in the cloud repo:

make NEON_WORKDIR=path/to/neon/checkout \
  -C goapp/internal/shareddomain/postgres generate

If you're an external contributor, a Neon employee will assist in
making sure this step is done.

[github-actions]

8492 tests run: 7944 passed, 0 failed, 548 skipped (full report)

---

Flaky tests (5)

Postgres 17

• test_sharding_split_failures[failure3]: debug-x86-64-without-lfc
• test_storcon_create_delete_sk_down[DeletionSubject.TENANT-RestartStorcon.RESTART]: release-arm64-with-lfc
• test_storcon_create_delete_sk_down[DeletionSubject.TIMELINE-RestartStorcon.RESTART]: release-arm64-with-lfc

Postgres 16

• test_lfc_prewarm_under_workload[compute-ctl]: release-x86-64-with-lfc

Postgres 15

• test_pageserver_restarts_under_worload: release-arm64-with-lfc

Code coverage* (full report)

• functions: 32.3% (9053 of 27987 functions)
• lines: 48.5% (79448 of 163662 lines)

* collected from Rust tests only

---

_{The comment gets automatically updated with the latest test results
4b188aa at 2025-05-27T02:31:58.294Z :recycle:}

[problame]

I don't have much context on this and the PR lacks description of how the new field is going to be used.

That said, I can't spot a problem wrt the changed Rust code that requires the CODEOWNERS approval from storage team.

Nit on naming: why not call it just safekeeper_extra_conninfo?
The _options suffix is confusing to me because there is already an options='-c timeline_id=...' piece in the libpq connstring that we assemble, and this new GUC here will not be part of that option string, but just a prefix to the conninfo.

An even more precise name would be safekeeper_conninfo_prepend.

[tristan957]

I don't have much context on this and the PR lacks description of how the new field is going to be used.

I will amend the commit and PR. Thanks!

That said, I can't spot a problem wrt the changed Rust code that requires the CODEOWNERS approval from storage team.

Nit on naming: why not call it just safekeeper_extra_conninfo? The _options suffix is confusing to me because there is already an options='-c timeline_id=...' piece in the libpq connstring that we assemble, and this new GUC here will not be part of that option string, but just a prefix to the conninfo.

libpq calls the structure a PQconninfoOption: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PQCONNINFO. I've just taken the name from that.

An even more precise name would be safekeeper_conninfo_prepend.

Hmm, I'm open to adding the prepend, but the reason I added it in the beginning of the connection strings was so that the extension always overwrites if host, port, or options is passed via the GUC. Eventually this GUC could turn into neon.safekeeper_connstrings. Let me know if you want me to change it on the next review.

[DimasKovas]

LGTM, let's merge