Hashicorp Plugin: Provide Key rotation

The Hashicorp Plugin seems to recognise new encryption keys in vault - but does not rotate them.

Reproduce by:

• Install mariadb-server & mariadb-plugin-hashicorp-key-management 10.9.1
• Install hashicorp vault, init and unseal vault
• create secret engine & set a secret key:

  vault secrets enable -path /mariadb -version=2 kv

  vault kv put /mariadb/1 data=$(openssl rand -hex 32)

• enable encryption by adding the following block to mariadb section in /etc/mysql/mariadb.conf.d/50-server.cnf:

  [mariadb]

  plugin_load_add = hashicorp_key_management

  hashicorp-key-management-vault-url=http://127.0.0.1:8200/v1/mariadb

  hashicorp-key-management-token=xxxxxxxxxxxxxxxxx

  innodb_encrypt_tables = FORCE

  innodb_encrypt_log = ON

  innodb_encrypt_temporary_tables = ON

  encrypt_tmp_disk_tables = ON

  encrypt_tmp_files = ON

  encrypt_binlog = ON

  aria_encrypt_tables = ON

  innodb_encryption_threads = 4

  innodb_encryption_rotation_iops = 2000

  log_error=server.log

• set new key version

  vault kv put /mariadb/1 data=$(openssl rand -hex 32)

• service mariadb restart
• set a new version of the encryption key to vault:

  vault kv put /mariadb/1 data=$(openssl rand -hex 32)

  information_schema.INNODB_TABLESPACES_ENCRYPTION shows the following content now:

  MariaDB [(none)]> select * from information_schema.INNODB_TABLESPACES_ENCRYPTION;

  +-------+----------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+----------------+----------------------+

  | SPACE | NAME | ENCRYPTION_SCHEME | KEYSERVER_REQUESTS | MIN_KEY_VERSION | CURRENT_KEY_VERSION | KEY_ROTATION_PAGE_NUMBER | KEY_ROTATION_MAX_PAGE_NUMBER | CURRENT_KEY_ID | ROTATING_OR_FLUSHING |

  +-------+----------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+----------------+----------------------+

  | 0 | innodb_system | 1 | 1 | 1 | 2 | NULL | NULL | 1 | 0 |

  | 1 | mysql/innodb_table_stats | 1 | 1 | 1 | 2 | NULL | NULL | 1 | 0 |

  | 2 | mysql/innodb_index_stats | 1 | 1 | 1 | 2 | NULL | NULL | 1 | 0 |

  | 4 | mysql/gtid_slave_pos | 1 | 1 | 1 | 2 | NULL | NULL | 1 | 0 |

  | 3 | mysql/transaction_registry | 1 | 0 | 1 | 2 | NULL | NULL | 1 | 0 |

  +-------+----------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+----------------+----------------------+

  5 rows in set (0.008 sec)

CURRENT_KEY_VERSION -> 2
CURRENT_KEY_ID -> 1

there seems to be no possibility to re-encrypt the tables.
In the documentation the Hashicorp Plugin ist not listed as "with-" nor "without Key Rotation Support":
https://mariadb.com/kb/en/encryption-key-management/#support-for-key-rotation-in-encryption-plugins