As this causes issues with overload resolution, this commit instead
separates global and local key handling into differently named
functions. From now on, functions that deal with global keys have
"global" in the name.
I run multiple instances of PostgreSQL on my machine so I would rather
not have it rely on using pgrep to detect if the server is running.
To make this new code more reliable we add set -e so the script aborts
directly e.g. if the port is already in use.
* [PG-938] - Add automated bash script to verify pg_tde backup/restore functionality using pg_basebackup
* [PG-1367] Create separate script for server and tde configuration
New dependencies have been added since we last updated this list, e.g.
zstd and icu. And additionally we just fix diffs where Ubuntu packages
have been renamed or the official package thinks we should install
some package.
Apt does not require keys to be de-armored if they use the correct
extension. Additionally, put the key in the directory recommended by
Debian and Ubuntu.
Instead of automatically creating a default keyring, from now on
we require users to explicitly create a WAL key. Most of these
steps were required even without this change anyway, as the default
configuration was highly insecure.
This eliminates the possibility of users forgetting to change the
insecure default, ending up with an encryption that doesn't work
in practice.
The required steps are outlined in the new tap test, that tries
to enable wal encryption:
* Enable the extension in at least one database
* Create a global key provider
* Create a global principal key
* Create the WAL key using the new `pg_tde_create_wal_key()` function
* Set `pg_tde.wal_encrypt = 1` in the conf file or with `ALTER SYSTEM`
* Restart the server
Setting the GUC variable to ON without the previous steps results
in the startup failing with an error message explaining the requirements.
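The six steps listed above, written out as a psql session. This is an added example, not code from the commit or from the pg_tde project itself: the extension name, `pg_tde_create_wal_key()` and the `pg_tde.wal_encrypt` GUC come from the text, while the key-provider and principal-key function names, their argument order, the provider/key names and the keyring path are assumptions and should be checked against the installed version's function list (`\df pg_tde_*`).

```sql
-- Added example (not from the commit message): the WAL-encryption setup
-- steps as a psql session. Function names marked ASSUMED are not on the
-- page; verify them with \df pg_tde_* on the installed version.

-- 1. Enable the extension in at least one database.
CREATE EXTENSION IF NOT EXISTS pg_tde;

-- 2. Create a global key provider (ASSUMED function name and signature;
--    the keyring path is a constructed placeholder and, like any key
--    material, must be readable only by the postgres OS user).
SELECT pg_tde_add_global_key_provider_file('global-file-provider',
                                           '/var/lib/pg_tde/keyring.file');

-- 3. Create a global principal key in that provider (ASSUMED name).
SELECT pg_tde_set_global_principal_key('global-principal-key',
                                       'global-file-provider');

-- 4. Create the WAL key (function named in the commit message).
SELECT pg_tde_create_wal_key();

-- 5. Turn on WAL encryption; the new value is only read at startup.
ALTER SYSTEM SET pg_tde.wal_encrypt = 1;

-- 6. Restart the server from a shell, e.g.:
--      pg_ctl -D "$PGDATA" restart
-- If steps 1-4 were skipped, this restart fails with an error listing
-- the requirements, which is the check the commit introduces.

-- After the restart, confirm the setting is active.
SHOW pg_tde.wal_encrypt;
```

Run steps 1 to 5 in one psql session as a superuser, then restart from the shell; the `SHOW` at the end is the quickest way to confirm that the `ALTER SYSTEM` value was picked up after the restart rather than silently left at its old value.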
* The make CI action now also runs the entire installcheck-world
with pg_tde setup for all tests
* The meson CI runner doesn't do this yet
* Tools that only worked with the heap am based on an OID check now
also check for the tde_heap OID
* The get_tde_table_am_oid helper function is now moved inside the core,
as it is required by other contrib modules, which do not have access
to the tde code otherwise.
* A few tests that do a custom server setup were disabled based on the
TDE_MODE environment variable. These tests would fail because they
expect that after an initdb and start, the regression suite works,
but that's not the case with tde_heap. These tests can be re-enabled
again after we have options to do this with initdb.