fix(tasks) Add rpc_secret to taskworker#593
Conversation
In production we need an RPC secret to sign requests to taskbroker. Instead of using the existing shared secret between launchpad and sentry, we should use a different key.
Sentry Build Distribution
|
![sentry[bot]](https://avatars.githubusercontent.com/in/12637?s=60&v=4){kind=small}
| app.set_config({ | ||
| "rpc_secret": os.getenv("TASKWORKER_SHARED_SECRET"), | ||
| }) |
There was a problem hiding this comment.
Bug: os.getenv("TASKWORKER_SHARED_SECRET") is called without a default value or validation. If the environment variable is not set, None is passed as the rpc_secret, likely causing runtime failures.
Severity: HIGH
Suggested Fix
Add a validation check to ensure the value from os.getenv("TASKWORKER_SHARED_SECRET") is not None before calling app.set_config(). If the value is missing, raise a RuntimeError to fail fast, similar to the pattern used for LAUNCHPAD_RPC_SHARED_SECRET elsewhere in the codebase.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.
Location: src/launchpad/worker/app.py#L104-L106
Potential issue: The `rpc_secret` configuration is set using
`os.getenv("TASKWORKER_SHARED_SECRET")` without a default value or subsequent
validation. If this environment variable is not set, the function returns `None`, which
is then passed to `app.set_config()`. Since the secret is described as mandatory for
production, passing `None` to the `taskbroker-client` library will likely result in a
runtime `TypeError` or silent authentication failures when the worker attempts to
communicate with the taskbroker. This contrasts with existing patterns in the codebase
where a missing secret raises a `RuntimeError`.
Did we get this right? 👍 / 👎 to inform future reviews.
the launchpad env vars have just a string (for now) so we need to do some munging to get it into the correct shape for taskbroker-client
this variable comes from deployment manifests and the shared taskbroker-secrets.
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
2 participants
In production we need an RPC secret to sign requests to taskbroker. Instead of using the existing shared secret between launchpad and sentry, we should use a different key.