Percona-Lab / pg_tde

MIT License

using vault in tde_conf.json sends wrong http requests to vault #90

Closed Torkolis closed 8 months ago

Torkolis commented 9 months ago

So I have managed to set up pg_tde using vault. Basically the 'mountPath' entry needs to match a mount of the kv secret engine (an explanation in the docs would be cool, it took me a while to figure it out). So when I created the first table it wrote a secret in that entry called "master-key-1" containing some data. But now I have a problem: it tries to access master-key-2 in vault, which does not exist and returns 404. The usual database encryption actually works as expected, but I just don't understand why it makes GET requests to master-key-2... I think it is probably a bug. I did some tests and here are the nginx logs (my vault is reachable behind an nginx):

create first table
<IP> - - [16/Dec/2023:10:21:10 +0000] "GET /v1/secret/data/master-key-1 HTTP/1.1" 404 14 "-" "-" 180 0.002 [vault-vault-8200] [] <another_IP>:8200 14 0.002 404 fc88f07d2dbbe795aa8b830bcb96f7b9
<IP> - - [16/Dec/2023:10:21:10 +0000] "GET /v1/secret/data/master-key-1 HTTP/1.1" 404 14 "-" "-" 180 0.001 [vault-vault-8200] [] <another_IP>:8200 14 0.001 404 1b02460c5b4561f8d52d892193ec4b4f
<IP> - - [16/Dec/2023:10:21:10 +0000] "POST /v1/secret/data/master-key-1 HTTP/1.1" 200 279 "-" "-" 250 0.001 [vault-vault-8200] [] <another_IP>:8200 279 0.001 200 067a6fe51844a7bba789a22326af51b9
<IP> - - [16/Dec/2023:10:21:10 +0000] "GET /v1/secret/data/master-key-2 HTTP/1.1" 404 14 "-" "-" 180 0.000 [vault-vault-8200] [] <another_IP>:8200 14 0.000 404 64123d6ceda08c8d5efd126ca52cc956
insert into first table
<IP> - - [16/Dec/2023:10:22:02 +0000] "GET /v1/secret/data/master-key-2 HTTP/1.1" 404 14 "-" "-" 180 0.001 [vault-vault-8200] [] <another_IP>:8200 14 0.001 404 ee2228486eb7d2a79d01e451c80832d1
create second table
<IP> - - [16/Dec/2023:10:24:40 +0000] "GET /v1/secret/data/master-key-2 HTTP/1.1" 404 14 "-" "-" 180 0.001 [vault-vault-8200] [] <another_IP>:8200 14 0.001 404 4cf928bfca9da1e0075d98605b1f276d
<IP> - - [16/Dec/2023:10:24:40 +0000] "GET /v1/secret/data/master-key-2 HTTP/1.1" 404 14 "-" "-" 180 0.001 [vault-vault-8200] [] <another_IP>:8200 14 0.001 404 df103fe6797026a6fe913bbc3416c069
insert into second table
<IP> - - [16/Dec/2023:10:25:08 +0000] "GET /v1/secret/data/master-key-2 HTTP/1.1" 404 14 "-" "-" 180 0.000 [vault-vault-8200] [] <another_IP>:8200 14 0.000 404 3590dd22539458ee83f3bc4ba209e42f

restart database
get from table
<IP> - - [16/Dec/2023:10:26:34 +0000] "GET /v1/secret/data/master-key-1 HTTP/1.1" 200 334 "-" "-" 180 0.001 [vault-vault-8200] [] <another_IP>:8200 334 0.001 200 80496b6837dace3c909a1c89f72711bc
<IP> - - [16/Dec/2023:10:26:34 +0000] "GET /v1/secret/data/master-key-2 HTTP/1.1" 404 14 "-" "-" 180 0.000 [vault-vault-8200] [] <another_IP>:8200 14 0.000 404 44098dfa1c28f10d55423b5ce0d242c7
create third table
<IP> - - [16/Dec/2023:10:26:57 +0000] "GET /v1/secret/data/master-key-2 HTTP/1.1" 404 14 "-" "-" 180 0.002 [vault-vault-8200] [] <another_IP>:8200 14 0.002 404 67eb0544a14c0aa2c1e57b08be1531e2
<IP> - - [16/Dec/2023:10:26:57 +0000] "GET /v1/secret/data/master-key-2 HTTP/1.1" 404 14 "-" "-" 180 0.001 [vault-vault-8200] [] <another_IP>:8200 14 0.001 404 39e43c5593ffd8707e344828d66df71e

All the /v1/secret/data/master-key-1 calls are fine, and it is also nice that pg_tde only needs it once, but the /v1/secret/data/master-key-2 calls are unnecessary and just create a lot of traffic.

If I create this secret manually in the vault UI, then GET requests are sent to /v1/secret/data/master-key-3; creating that one manually too results in GET requests sent to /v1/secret/data/master-key-4, and so on. I think there needs to be a configuration option in pg_tde.conf for how many of these secrets should be used.

dutow commented 9 months ago

Thanks for the bug report!

Trying to access master-key-2 is related to key rotation / versioning support (we want to find the latest version of the key), but the behavior you described is indeed a bug, I'll look into it.
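The sequential master-key-N lookup visible in the nginx log above, and the key-versioning reason the maintainer gives for it, modelled as an added example (not pg_tde's code): an in-memory stand-in for the KV v2 data endpoint, the probe that walks master-key-1, master-key-2, ... until the first 404, and a provider that either re-probes the next version on every access (the reported traffic) or only at startup and on an explicit refresh after a rotation. The class and function names and the caching strategy are assumptions for illustration, not pg_tde's implementation.

```python
class FakeVaultKV:  # in-memory stand-in for Vault's KV v2 data endpoint (constructed)
    def __init__(self):
        self.secrets = {}
        self.gets_404 = 0   # GETs answered 404, the traffic the report complains about
    def get(self, path: str):
        data = self.secrets.get(path)
        if data is None:
            self.gets_404 += 1
        return data
    def post(self, path: str, data: dict) -> None:
        self.secrets[path] = data

def probe_latest(kv: FakeVaultKV, mount: str, known: int = 0) -> int:
    """Walk master-key-{known+1}, {known+2}, ... until the first 404; return the highest found."""
    version = known
    while kv.get(f"{mount}/data/master-key-{version + 1}") is not None:
        version += 1
    return version

class MasterKeyProvider:
    """eager=True reproduces the reported pattern: the known version is cached but
    master-key-N+1 is re-probed on every access. eager=False probes at startup and
    then only on an explicit refresh(), e.g. after a rotation wrote a new version."""
    def __init__(self, kv: FakeVaultKV, mount: str, eager: bool = False):
        self.kv, self.mount, self.eager = kv, mount, eager
        self._version = None
    def current(self) -> int:
        if self._version is None:    # startup: find the key, or (probe returned 0) create it
            self._version = probe_latest(self.kv, self.mount) or self._create_first()
        elif self.eager:             # the per-operation GET master-key-2 -> 404 seen in the log
            self._version = probe_latest(self.kv, self.mount, self._version)
        return self._version
    def refresh(self) -> int:        # call after a rotation, not on every table access
        self._version = probe_latest(self.kv, self.mount, self._version or 0)
        return self._version
    def _create_first(self) -> int:  # the POST /v1/secret/data/master-key-1 in the log
        self.kv.post(f"{self.mount}/data/master-key-1", {"data": {"key": "constructed"}})
        return 1

def simulate(eager: bool, operations: int = 4) -> tuple:
    """Run `operations` accesses, write master-key-2 (a rotation), then refresh().
    Returns (version during the operations, version after refresh, 404 count)."""
    kv = FakeVaultKV()
    provider = MasterKeyProvider(kv, "secret", eager)
    version = 0
    for _ in range(operations):
        version = provider.current()
    kv.post("secret/data/master-key-2", {"data": {"key": "constructed-v2"}})
    return version, provider.refresh(), kv.gets_404
```

With four accesses, the eager provider sends one 404 per access exactly like the log (plus one for the initial lookup and one when the refresh overshoots to master-key-3), while the cached provider sends only the initial and the refresh probes.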