Phil/agent jwt secret

Tiltfile

@@ -164,6 +164,7 @@ local_resource(
         "DATABASE_URL": DATABASE_URL,
         "RUST_LOG": "info",
         "SSL_CERT_FILE": CA_CERT_PATH,
+        "CONTROL_PLANE_JWT_SECRET": "super-secret-jwt-token-with-at-least-32-characters-long",
     },
     resource_deps=['reactor', 'gazette']
 )

crates/agent/src/controllers/periodic.rs

@@ -68,12 +68,14 @@ pub fn start_periodic_publish_update<C: ControlPlane>(
     pending
 }
 
+// TODO: periodic publications are temporarily disabled
 fn is_spec_disabled(state: &ControllerState) -> bool {
-    state
-        .live_spec
-        .as_ref()
-        // Collections are never considered disabled, since they can still be
-        // captured or materialized even if derivation shards are disabled.
-        .map(|ls| ls.catalog_type() != models::CatalogType::Collection && !ls.is_enabled())
-        .unwrap_or(true)
+    true
+    // state
+    //     .live_spec
+    //     .as_ref()
+    //     // Collections are never considered disabled, since they can still be
+    //     // captured or materialized even if derivation shards are disabled.
+    //     .map(|ls| ls.catalog_type() != models::CatalogType::Collection && !ls.is_enabled())
+    //     .unwrap_or(true)
 }

crates/agent/src/integration_tests/periodic_publications.rs

@@ -1,5 +1,7 @@
 use std::collections::BTreeSet;
 
+// TODO: temporarily disabled
+/*
 use crate::{
     controllers::{ControllerState, Status},
     integration_tests::harness::{
@@ -182,3 +184,5 @@ async fn specs_are_published_periodically() {
         disabled_cap_end.last_build_id
     );
 }
+
+*/

crates/agent/src/main.rs

@@ -157,9 +157,8 @@ async fn async_main(args: Args) -> Result<(), anyhow::Error> {
     let system_user_id = agent_sql::get_user_id_for_email(&args.accounts_email, &pg_pool)
         .await
         .context("querying for agent user id")?;
-    let jwt_secret: String = sqlx::query_scalar(r#"show app.settings.jwt_secret;"#)
-        .fetch_one(&pg_pool)
-        .await?;
+    let jwt_secret: String =
+        std::env::var("CONTROL_PLANE_JWT_SECRET").context("missing CONTROL_PLANE_JWT_SECRET")?;
 
     if args.builds_root.scheme() == "file" {
         std::fs::create_dir_all(args.builds_root.path())

supabase/migrations/20241212195226_jwt_secret.sql

@@ -0,0 +1,15 @@
+
+begin;
+
+select vault.create_secret('super-secret-jwt-token-with-at-least-32-characters-long', 'app.jwt_secret', 'The jwt secret');
+
+CREATE OR REPLACE FUNCTION internal.access_token_jwt_secret() RETURNS text
+    LANGUAGE sql STABLE
+    AS $$
+
+    select decrypted_secret
+       from vault.decrypted_secrets
+       where name = 'app.jwt_secret';
+$$;
+
+commit;