fix(official-bots): mount JWT public key from ncs-jwt-keys (#413)

The official-bots rollout never mounted the ncs-jwt-keys secret nor set
JWT_PUBLIC_KEY_PATH, so the service fell back to the image-baked
public.pem, which does not match the deployed signing key. Every token
failed RS256 verification -> 401.

Mount ncs-jwt-keys at /secrets/jwt and point JWT_PUBLIC_KEY_PATH there,
mirroring account/core/tournament. Verify-only, no private key.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Reviewed-on: #413
This commit was merged in pull request #413.
This commit is contained in:
2026-06-17 09:43:05 +02:00
parent 669159b098
commit 2d5047cc63
+10
View File
@@ -441,6 +441,12 @@ spec:
key: INTERNAL_SECRET
- name: ACCOUNT_SERVICE_URL
value: http://nowchess-account:8083
- name: JWT_PUBLIC_KEY_PATH
value: /secrets/jwt/public.pem
volumeMounts:
- name: jwt-keys
mountPath: /secrets/jwt
readOnly: true
ports:
- containerPort: 8088
protocol: TCP
@@ -463,6 +469,10 @@ spec:
limits:
cpu: "500m"
memory: "256Mi"
volumes:
- name: jwt-keys
secret:
secretName: ncs-jwt-keys
rollbackWindow:
revisions: 3
strategy: