storage-scrubber: enable jwt auth with storage controller

Signed-off-by: Alex Chi Z <[email protected]>
neondatabase · Aug 5, 2024 · b1ff185 · b1ff185
1 parent 64c9eab
commit b1ff185
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 4 deletions.
diff --git a/charts/neon-storage-scrubber/Chart.yaml b/charts/neon-storage-scrubber/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: neon-storage-scrubber
 description: neon-storage-scrubber
 type: application
-version: 1.0.0
+version: 1.1.0
 appVersion: "v0.1.0"
 sources:
   - https://github.com/neondatabase/neon/tree/main/storage_scrubber
diff --git a/charts/neon-storage-scrubber/README.md b/charts/neon-storage-scrubber/README.md
@@ -44,8 +44,11 @@ $ helm install neon-storage-scrubber neondatabase/neon-storage-scrubber
 | settings.sentryUrl | string | `""` | url (will be converted into `SENTRY_DSN` environment variable) used by sentry to collect error/panic events in neon-pg-sni-router |
 | storageScrubber.awsBucket | string | `""` | The AWS bucket for the pageserver storage |
 | storageScrubber.awsRegion | string | `""` | The AWS region to run the scrubber |
-| storageScrubber.command | list | `["/usr/local/bin/storage_scrubber","pageserver-physical-gc","--min-age=1week"]` | The command to run |
+| storageScrubber.command | list | `["pageserver-physical-gc","--min-age=1week"]` | The command to run |
+| storageScrubber.enableStorageControllerConnection | bool | `false` | Enable storage controller related functionalities |
 | storageScrubber.schedule | string | `"0 18 * * *"` |  |
+| storageScrubber.storageControllerJwtToken | string | `""` | Control plane / storage controller JWT token for connecting to the storage controller  |
+| storageScrubber.storageControllerUrl | string | `""` | URL of the storage controller |
 | storageScrubber.timeZone | string | `"Etc/UTC"` | The timezone for the cron job |
 | tolerations | list | `[]` | Tolerations for pod assignment. |
 

diff --git a/charts/neon-storage-scrubber/templates/cronjob.yaml b/charts/neon-storage-scrubber/templates/cronjob.yaml
@@ -40,12 +40,21 @@ spec:
               image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
               imagePullPolicy: {{ .Values.image.pullPolicy }}
               command:
+                - /usr/local/bin/storage_scrubber
+                {{- if .Values.storageScrubber.enableStorageControllerConnection }}
+                - "--controller-jwt"
+                - {{ .Values.storageScrubber.storageControllerJwtToken | quote }}
+                - "--controller-api"
+                - {{ .Values.storageScrubber.storageControllerUrl | quote }}
+                {{- end -}}
                 {{- toYaml .Values.storageScrubber.command | nindent 16 }}
               env:
                 - name: BUCKET
                   value: {{ .Values.storageScrubber.awsBucket }}
                 - name: REGION
                   value: {{ .Values.storageScrubber.awsRegion }}
+                - name: STORAGE_CONTROLLER_URL
+                  value: {{ .Values.storageScrubber.storageControllerUrl | quote }}
                 {{- if .Values.settings }}
                 {{- with .Values.settings.sentryUrl }}
                 - name: SENTRY_DSN
@@ -59,6 +68,9 @@ spec:
                 {{- toYaml . | nindent 16 }}
                 {{- end }}
                 {{- end }}
+              envFrom:
+                - secretRef:
+                    name: {{ include "neon-storage-scrubber.fullname" . }}-env-vars
               resources:
                 {{- toYaml .Values.resources | nindent 16 }}
           {{- with .Values.nodeSelector }}

diff --git a/charts/neon-storage-scrubber/templates/secrets.yaml b/charts/neon-storage-scrubber/templates/secrets.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "neon-storage-scrubber.fullname" . }}-env-vars
+  labels:
+    {{- include "neon-storage-scrubber.labels" . | nindent 4 }}
+type: Opaque
+data:
+  STORAGE_CONTROLLER_JWT_TOKEN: {{ .Values.storageScrubber.storageControllerJwtToken | b64enc | quote }}
diff --git a/charts/neon-storage-scrubber/values.yaml b/charts/neon-storage-scrubber/values.yaml
@@ -31,7 +31,7 @@ settings:
   sentryUrl: ""
   # settings.sentryEnvironment -- "development" or "production". It will be visible in sentry in order to filter issues
   sentryEnvironment: "development"
-  # -- extra env variables when running the job
+  # settings.extraEnvs -- extra env variables when running the job
   extraEnvs:
     - name: RUST_BACKTRACE
       value: '1'
@@ -49,9 +49,15 @@ storageScrubber:
   schedule: "0 18 * * *"
   # -- The command to run
   command:
-    - /usr/local/bin/storage_scrubber
     - pageserver-physical-gc
     - --min-age=1week
+  # -- Enable storage controller related functionalities
+  enableStorageControllerConnection: false
+  # -- Control plane / storage controller JWT token for connecting to the storage controller 
+  storageControllerJwtToken: ""
+  # -- URL of the storage controller
+  storageControllerUrl: ""
+
 
 # -- Annotations for neon-storage-scrubber pods
 podAnnotations: {}