fix(official-bots): mount JWT public key from ncs-jwt-keys
Delete PR Branch On Close / delete-branch (pull_request) Successful in 6s

The official-bots rollout never mounted the ncs-jwt-keys secret nor set
JWT_PUBLIC_KEY_PATH, so the service fell back to the image-baked
public.pem, which does not match the deployed signing key. Every token
failed RS256 verification -> 401.

Mount ncs-jwt-keys at /secrets/jwt and point JWT_PUBLIC_KEY_PATH there,
mirroring account/core/tournament. Verify-only, no private key.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
2026-06-17 09:42:21 +02:00
parent 06e70a5e8a
commit cfb25eff8c
+10
View File
@@ -441,6 +441,12 @@ spec:
key: INTERNAL_SECRET key: INTERNAL_SECRET
- name: ACCOUNT_SERVICE_URL - name: ACCOUNT_SERVICE_URL
value: http://nowchess-account:8083 value: http://nowchess-account:8083
- name: JWT_PUBLIC_KEY_PATH
value: /secrets/jwt/public.pem
volumeMounts:
- name: jwt-keys
mountPath: /secrets/jwt
readOnly: true
ports: ports:
- containerPort: 8088 - containerPort: 8088
protocol: TCP protocol: TCP
@@ -463,6 +469,10 @@ spec:
limits: limits:
cpu: "500m" cpu: "500m"
memory: "256Mi" memory: "256Mi"
volumes:
- name: jwt-keys
secret:
secretName: ncs-jwt-keys
rollbackWindow: rollbackWindow:
revisions: 3 revisions: 3
strategy: strategy: