percona · jeltz · Jun 6, 2025 · Jun 4, 2025 · May 30, 2025 · May 30, 2025
@@ -17,12 +17,14 @@ cd ..
 echo $SCRIPT_DIR
 pykmip-server -f "$SCRIPT_DIR/../contrib/pg_tde/pykmip-server.conf" -l /tmp/kmip-server.log &
 
-TV=$(mktemp)
-{ exec >$TV; vault server -dev; } &
+CLUSTER_INFO=$(mktemp)
+vault server -dev -dev-tls -dev-cluster-json="$CLUSTER_INFO" > /dev/null &
 sleep 10
-export ROOT_TOKEN_FILE=$(mktemp)
-cat $TV | grep "Root Token" | cut -d ":" -f 2 | xargs echo -n > $ROOT_TOKEN_FILE
-echo "export ROOT_TOKEN_FILE=$ROOT_TOKEN_FILE"
+export VAULT_ROOT_TOKEN_FILE=$(mktemp)
+jq -r .root_token "$CLUSTER_INFO" > "$VAULT_ROOT_TOKEN_FILE"
+export VAULT_CACERT_FILE=$(jq -r .ca_cert_path "$CLUSTER_INFO")
+rm "$CLUSTER_INFO"
 if [ -v GITHUB_ACTIONS ]; then
-    echo "ROOT_TOKEN_FILE=$ROOT_TOKEN_FILE" >> $GITHUB_ENV
+    echo "VAULT_ROOT_TOKEN_FILE=$VAULT_ROOT_TOKEN_FILE" >> $GITHUB_ENV
+    echo "VAULT_CACERT_FILE=$VAULT_CACERT_FILE" >> $GITHUB_ENV
 fi
@@ -31,9 +31,9 @@ The following example is for testing purposes only. Use secure tokens and proper
 SELECT pg_tde_add_global_key_provider_vault_v2(
     'my-vault',
     '/path/to/token_file',
-    'http://vault.vault.svc.cluster.local:8200',
+    'https://vault.vault.svc.cluster.local:8200',
     'secret/data',
-    NULL
+    '/path/to/ca_cert.pem'
 );
 ```
 

@@ -1,6 +1,7 @@
 CREATE EXTENSION IF NOT EXISTS pg_tde;
-\getenv root_token_file ROOT_TOKEN_FILE
-SELECT pg_tde_add_database_key_provider_vault_v2('vault-incorrect',:'root_token_file','http://127.0.0.1:8200','DUMMY-TOKEN',NULL);
+\getenv root_token_file VAULT_ROOT_TOKEN_FILE
+\getenv cacert_file VAULT_CACERT_FILE
+SELECT pg_tde_add_database_key_provider_vault_v2('vault-incorrect',:'root_token_file','https://127.0.0.1:8200','DUMMY-TOKEN',:'cacert_file');
  pg_tde_add_database_key_provider_vault_v2 
 -------------------------------------------
 
@@ -16,7 +17,7 @@ CREATE TABLE test_enc(
 	) USING tde_heap;
 ERROR:  principal key not configured
 HINT:  create one using pg_tde_set_key before using encrypted tables
-SELECT pg_tde_add_database_key_provider_vault_v2('vault-v2',:'root_token_file','http://127.0.0.1:8200','secret',NULL);
+SELECT pg_tde_add_database_key_provider_vault_v2('vault-v2',:'root_token_file','https://127.0.0.1:8200','secret',:'cacert_file');
  pg_tde_add_database_key_provider_vault_v2 
 -------------------------------------------
 
@@ -52,6 +53,15 @@ SELECT pg_tde_verify_key();
 
 DROP TABLE test_enc;
 -- Creating provider fails if we can't connect to vault
-SELECT pg_tde_add_database_key_provider_vault_v2('will-not-work', :'root_token_file', 'http://127.0.0.1:61', 'secret', NULL);
+SELECT pg_tde_add_database_key_provider_vault_v2('will-not-work', :'root_token_file', 'https://127.0.0.1:61', 'secret', :'cacert_file');
 ERROR:  HTTP(S) request to keyring provider "will-not-work" failed
+-- Changing provider fails if we can't connect to vault
+SELECT pg_tde_change_database_key_provider_vault_v2('vault-v2', :'root_token_file', 'https://127.0.0.1:61', 'secret', :'cacert_file');
+ERROR:  HTTP(S) request to keyring provider "vault-v2" failed
+-- HTTPS without cert fails
+SELECT pg_tde_change_database_key_provider_vault_v2('vault-v2', :'root_token_file', 'https://127.0.0.1:8200', 'secret', NULL);
+ERROR:  HTTP(S) request to keyring provider "vault-v2" failed
+-- HTTP against HTTPS server fails
+SELECT pg_tde_change_database_key_provider_vault_v2('vault-v2', :'root_token_file', 'http://127.0.0.1:8200', 'secret', NULL);
+ERROR:  Listing secrets of "http://127.0.0.1:8200" at mountpoint "secret" failed
 DROP EXTENSION pg_tde;
@@ -1,8 +1,9 @@
 CREATE EXTENSION IF NOT EXISTS pg_tde;
 
-\getenv root_token_file ROOT_TOKEN_FILE
+\getenv root_token_file VAULT_ROOT_TOKEN_FILE
+\getenv cacert_file VAULT_CACERT_FILE
 
-SELECT pg_tde_add_database_key_provider_vault_v2('vault-incorrect',:'root_token_file','http://127.0.0.1:8200','DUMMY-TOKEN',NULL);
+SELECT pg_tde_add_database_key_provider_vault_v2('vault-incorrect',:'root_token_file','https://127.0.0.1:8200','DUMMY-TOKEN',:'cacert_file');
 -- FAILS
 SELECT pg_tde_set_key_using_database_key_provider('vault-v2-key','vault-incorrect');
 
@@ -12,7 +13,7 @@ CREATE TABLE test_enc(
 	  PRIMARY KEY (id)
 	) USING tde_heap;
 
-SELECT pg_tde_add_database_key_provider_vault_v2('vault-v2',:'root_token_file','http://127.0.0.1:8200','secret',NULL);
+SELECT pg_tde_add_database_key_provider_vault_v2('vault-v2',:'root_token_file','https://127.0.0.1:8200','secret',:'cacert_file');
 SELECT pg_tde_set_key_using_database_key_provider('vault-v2-key','vault-v2');
 
 CREATE TABLE test_enc(
@@ -32,6 +33,15 @@ SELECT pg_tde_verify_key();
 DROP TABLE test_enc;
 
 -- Creating provider fails if we can't connect to vault
-SELECT pg_tde_add_database_key_provider_vault_v2('will-not-work', :'root_token_file', 'http://127.0.0.1:61', 'secret', NULL);
+SELECT pg_tde_add_database_key_provider_vault_v2('will-not-work', :'root_token_file', 'https://127.0.0.1:61', 'secret', :'cacert_file');
+
+-- Changing provider fails if we can't connect to vault
+SELECT pg_tde_change_database_key_provider_vault_v2('vault-v2', :'root_token_file', 'https://127.0.0.1:61', 'secret', :'cacert_file');
+
+-- HTTPS without cert fails
+SELECT pg_tde_change_database_key_provider_vault_v2('vault-v2', :'root_token_file', 'https://127.0.0.1:8200', 'secret', NULL);
+
+-- HTTP against HTTPS server fails
+SELECT pg_tde_change_database_key_provider_vault_v2('vault-v2', :'root_token_file', 'http://127.0.0.1:8200', 'secret', NULL);
 
 DROP EXTENSION pg_tde;
@@ -22,7 +22,8 @@
 	q{SELECT oid FROM pg_catalog.pg_database WHERE datname = 'postgres'});
 my $options;
 
-my $token_file = $ENV{ROOT_TOKEN_FILE};
+my $token_file = "${PostgreSQL::Test::Utils::tmp_check}/vault_token";
+append_to_file($token_file, 'DUMMY');
 
 $node->stop;
 
@@ -65,13 +66,13 @@
 		$db_oid,
 		'database-provider',
 		'vault-v2',
-		'http://vault-server.example:8200/',
+		'https://vault-server.example:8200/',
 		$token_file,
 		'mount-path',
 		'/tmp/ca_path',
 	],
 	qr/Key provider updated successfully!/,
-	'updates key provider to vault-v2 type');
+	'updates key provider to vault-v2 type with https');
 
 $node->start;
 
@@ -90,7 +91,7 @@
 is($options->{tokenPath}, $token_file,
 	'tokenPath is set correctly for vault-v2 provider');
 is( $options->{url},
-	'http://vault-server.example:8200/',
+	'https://vault-server.example:8200/',
 	'url is set correctly for vault-v2 provider');
 is($options->{mountPath}, 'mount-path',
 	'mount path is set correctly for vault-v2 provider');
@@ -99,6 +100,45 @@
 
 $node->stop;
 
+command_like(
+	[
+		'pg_tde_change_key_provider',
+		'-D' => $node->data_dir,
+		$db_oid,
+		'database-provider',
+		'vault-v2',
+		'http://vault-server.example:8200/',
+		$token_file,
+		'mount-path-2',
+	],
+	qr/Key provider updated successfully!/,
+	'updates key provider to vault-v2 type with http');
+
+$node->start;
+
+is( $node->safe_psql(
+		'postgres',
+		q{SELECT provider_type FROM pg_tde_list_all_database_key_providers() WHERE provider_name = 'database-provider'}
+	),
+	'vault-v2',
+	'provider type is set to vault-v2');
+
+$options = decode_json(
+	$node->safe_psql(
+		'postgres',
+		q{SELECT options FROM pg_tde_list_all_database_key_providers() WHERE provider_name = 'database-provider'}
+	));
+is($options->{tokenPath}, $token_file,
+	'tokenPath is set correctly for vault-v2 provider');
+is( $options->{url},
+	'http://vault-server.example:8200/',
+	'url is set correctly for vault-v2 provider');
+is($options->{mountPath}, 'mount-path-2',
+	'mount path is set correctly for vault-v2 provider');
+is($options->{caPath}, '', 'CA path is set correctly for vault-v2 provider');
+
+$node->stop;
+
 command_like(
 	[
 		'pg_tde_change_key_provider',