config: require shared key if using redis backed databroker (#1801)

config/options.go

@@ -496,7 +496,7 @@ func (o *Options) Validate() error {
 
 	if IsAll(o.Services) {
 		// mutual auth between services on the same host can be generated at runtime
-		if o.SharedKey == "" {
+		if o.SharedKey == "" && o.DataBrokerStorageType == StorageInMemoryName {
 			o.SharedKey = cryptutil.NewBase64Key()
 		}
 		// in all in one mode we are running just over the local socket

config/options_test.go

@@ -47,6 +47,11 @@ func Test_Validate(t *testing.T) {
 	badSignoutRedirectURL := testOptions()
 	badSignoutRedirectURL.SignOutRedirectURLString = "--"
 
+	missingSharedSecretWithPersistence := testOptions()
+	missingSharedSecretWithPersistence.SharedKey = ""
+	missingSharedSecretWithPersistence.DataBrokerStorageType = StorageRedisName
+	missingSharedSecretWithPersistence.DataBrokerStorageConnectionString = "redis://somehost:6379"
+
 	tests := []struct {
 		name     string
 		testOpts *Options
@@ -60,6 +65,7 @@ func Test_Validate(t *testing.T) {
 		{"invalid databroker storage type", invalidStorageType, true},
 		{"missing databroker storage dsn", missingStorageDSN, true},
 		{"invalid signout redirect url", badSignoutRedirectURL, true},
+		{"no shared key with databroker persistence", missingSharedSecretWithPersistence, true},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {