The TDE_MODE environment variable disables tests we actually want to run
in our Github Actions. This change is also necessary to in a future
commit disable the pg_tde tests in the global TDE mode.
Just as we use pgindent to validate that our c files conform to postgres
coding standards, we also run pgperltidy to do the same for perl files.
We only run it on our own code in contrib/pg_tde/
This doesn't actually run pgperltidy as we need to inject some options
in a way that didn't seem possible in that script. Instead it does the
same thing with some slight changes.
We also bump the ubuntu version for this google actions job to the
newest LTS as the older ubuntu version seems to have a version of
perltidy that doesn't support the options used by pgperltidy.
The reason to do this is that the old approach created an unnecessary
diff against upstream where they had forgot SinglePartitionSpec in
typedefs.list.
Additionally add two new structs from our SMGR patch to the list.
- Added code coverage to link repo to codecov.io for coverage stats on
PR and merge.
- Added coverage badge on the landing page (readme) of the repo.
- Updated GH action to run on PUSH/MERGE, as this is required for code
coverage.
- Updated bash files in ci_scripts folder to accommodate tde
installcheck only.
- Added percona server version scheme verification TAP test case.
By changing the parameter to regclass you can pass any parameter of
the following types to it: text, oid, regclass; and there will be
an automatic cast. More user freindly than accepting text.
Also modify the earthdistance test to only list objects from the
public schema.
This way it doesn't need modification every time pg_tde has modifiations
in the public interface.
As this causes issues with overload resolution, this commit instead
separates global and local key handling into differently named
functions. From now on, functions that deal with global keys have
"global" in the name.
I run multiple instances of PostgreSQL on my machine so I would rather
not have it rely on using pgrep to detect if the server is running.
To make this new code more reliable we add set -e so the script aborts
directly e.g. if the port is already in use.
* [PG-938] - Add automated bash script to verify pg_tde backup/restore functionality using pg_basebackup
* [PG-1367] Create separate script for server and tde configuration
New dependencies have been added since we last updated this list, e.g.
zstd and icu. And additionally we just fix diffs where Ubuntu packages
have been renamed or the official package thinks we should install
some package.
Apt does not require keys to be de-armored if they use the correct
extension. Additional put the key in the directory recommended by
Debian and Ubuntu.
Instead of automatically creating a default keyring, from now on
we require users to expicitly create a WAL key. Most of these
steps were required even without change anyway, as the default
configuration was highly unsecore.
This eliminates the possiblity of users forgetting to change the
unsecure default, ending up with an encryption that doesn't work
in practice.
The required steps are outlined in the new tap test, that tries
to enable wal encryption:
* Enable the extension in at least one database
* Create a global key provider
* Create a global principal key
* Create the WAL key using the new `pg_tde_create_wal_key()` function
* Set `pg_tde.wal_encrypt = 1` in the conf file or with `ALTER SYSTEM`
* Restart the server
Setting the GUC variable to ON without the previous steps results
in the startup failing with an error message explaining the requirements.
* The make CI action now also runs the entire installcheck-world
with pg_tde setup for all tests
* The meson CI runner doesn't do this yet
* Tools that only worked with the heap am based on an OID check now
also check for the tde_heap OID
* The get_tde_table_am_oid helper function is now moved inside the core,
as it is required by other contrib modules, which do not have access
to the tde code otherwise.
* A few tests that do a custom server setup was disabled based on the
TDE_MODE environment variable. These tests would fail because they
expect that after an initdb and start, the regression suite works,
but that's not the case with tde_heap. These tests can be re-enabled
again after we have options to do this with initdb
