Instead of automatically creating a default keyring, from now on
we require users to expicitly create a WAL key. Most of these
steps were required even without change anyway, as the default
configuration was highly unsecore.
This eliminates the possiblity of users forgetting to change the
unsecure default, ending up with an encryption that doesn't work
in practice.
The required steps are outlined in the new tap test, that tries
to enable wal encryption:
* Enable the extension in at least one database
* Create a global key provider
* Create a global principal key
* Create the WAL key using the new `pg_tde_create_wal_key()` function
* Set `pg_tde.wal_encrypt = 1` in the conf file or with `ALTER SYSTEM`
* Restart the server
Setting the GUC variable to ON without the previous steps results
in the startup failing with an error message explaining the requirements.
* The make CI action now also runs the entire installcheck-world
with pg_tde setup for all tests
* The meson CI runner doesn't do this yet
* Tools that only worked with the heap am based on an OID check now
also check for the tde_heap OID
* The get_tde_table_am_oid helper function is now moved inside the core,
as it is required by other contrib modules, which do not have access
to the tde code otherwise.
* A few tests that do a custom server setup was disabled based on the
TDE_MODE environment variable. These tests would fail because they
expect that after an initdb and start, the regression suite works,
but that's not the case with tde_heap. These tests can be re-enabled
again after we have options to do this with initdb
