From 2d5047cc63df2ba2d3bf782ddc4e5165b78594d2 Mon Sep 17 00:00:00 2001 From: Janis Date: Wed, 17 Jun 2026 09:43:05 +0200 Subject: [PATCH] fix(official-bots): mount JWT public key from ncs-jwt-keys (#413) The official-bots rollout never mounted the ncs-jwt-keys secret nor set JWT_PUBLIC_KEY_PATH, so the service fell back to the image-baked public.pem, which does not match the deployed signing key. Every token failed RS256 verification -> 401. Mount ncs-jwt-keys at /secrets/jwt and point JWT_PUBLIC_KEY_PATH there, mirroring account/core/tournament. Verify-only, no private key. Co-Authored-By: Claude Opus 4.8 Reviewed-on: https://git.janis-eccarius.de/NowChess/GitOps/pulls/413 --- nowchess/base/nowchess-rollouts.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/nowchess/base/nowchess-rollouts.yaml b/nowchess/base/nowchess-rollouts.yaml index 11baa8b..108dc04 100755 --- a/nowchess/base/nowchess-rollouts.yaml +++ b/nowchess/base/nowchess-rollouts.yaml @@ -441,6 +441,12 @@ spec: key: INTERNAL_SECRET - name: ACCOUNT_SERVICE_URL value: http://nowchess-account:8083 + - name: JWT_PUBLIC_KEY_PATH + value: /secrets/jwt/public.pem + volumeMounts: + - name: jwt-keys + mountPath: /secrets/jwt + readOnly: true ports: - containerPort: 8088 protocol: TCP @@ -463,6 +469,10 @@ spec: limits: cpu: "500m" memory: "256Mi" + volumes: + - name: jwt-keys + secret: + secretName: ncs-jwt-keys rollbackWindow: revisions: 3 strategy: