storcon: require safekeeper jwt's in strict mode (#11116)

We have introduced the ability to specify safekeeper JWTs for the storage controller. It now does heartbeats. We now want to also require the presence of those JWTs. Let's merge this PR shortly after the release cutoff. Part of / follow-up of https://github.com/neondatabase/cloud/issues/24727
2026-01-07 21:42:56 +00:00 · 2025-03-07 14:29:48 +01:00
parent db77896e92
commit f1b18874c3
1 changed files with 2 additions and 7 deletions
--- a/storage_controller/src/main.rs
+++ b/storage_controller/src/main.rs
@@ -286,18 +286,13 @@ async fn async_main() -> anyhow::Result<()> {

    let secrets = Secrets::load(&args).await?;

-    // TODO: once we've rolled out the safekeeper JWT token everywhere, put it into the validation code below
-    tracing::info!(
-        "safekeeper_jwt_token set: {:?}",
-        secrets.safekeeper_jwt_token.is_some()
-    );
-
    // Validate required secrets and arguments are provided in strict mode
    match strict_mode {
        StrictMode::Strict
            if (secrets.public_key.is_none()
                || secrets.pageserver_jwt_token.is_none()
-                || secrets.control_plane_jwt_token.is_none()) =>
+                || secrets.control_plane_jwt_token.is_none()
+                || secrets.safekeeper_jwt_token.is_none()) =>
        {
            // Production systems should always have secrets configured: if public_key was not set
            // then we would implicitly disable auth.