fix(official-bots): mount JWT public key from ncs-jwt-keys (#413)
The official-bots rollout never mounted the ncs-jwt-keys secret nor set JWT_PUBLIC_KEY_PATH, so the service fell back to the image-baked public.pem, which does not match the deployed signing key. Every token failed RS256 verification -> 401. Mount ncs-jwt-keys at /secrets/jwt and point JWT_PUBLIC_KEY_PATH there, mirroring account/core/tournament. Verify-only, no private key. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Reviewed-on: #413
This commit was merged in pull request #413.
This commit is contained in:
@@ -441,6 +441,12 @@ spec:
|
|||||||
key: INTERNAL_SECRET
|
key: INTERNAL_SECRET
|
||||||
- name: ACCOUNT_SERVICE_URL
|
- name: ACCOUNT_SERVICE_URL
|
||||||
value: http://nowchess-account:8083
|
value: http://nowchess-account:8083
|
||||||
|
- name: JWT_PUBLIC_KEY_PATH
|
||||||
|
value: /secrets/jwt/public.pem
|
||||||
|
volumeMounts:
|
||||||
|
- name: jwt-keys
|
||||||
|
mountPath: /secrets/jwt
|
||||||
|
readOnly: true
|
||||||
ports:
|
ports:
|
||||||
- containerPort: 8088
|
- containerPort: 8088
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
@@ -463,6 +469,10 @@ spec:
|
|||||||
limits:
|
limits:
|
||||||
cpu: "500m"
|
cpu: "500m"
|
||||||
memory: "256Mi"
|
memory: "256Mi"
|
||||||
|
volumes:
|
||||||
|
- name: jwt-keys
|
||||||
|
secret:
|
||||||
|
secretName: ncs-jwt-keys
|
||||||
rollbackWindow:
|
rollbackWindow:
|
||||||
revisions: 3
|
revisions: 3
|
||||||
strategy:
|
strategy:
|
||||||
|
|||||||
Reference in New Issue
Block a user