From cfb25eff8cb61bc8a77fb3d050bcbc35add3f03f Mon Sep 17 00:00:00 2001 From: Janis Date: Wed, 17 Jun 2026 09:42:21 +0200 Subject: [PATCH 1/3] fix(official-bots): mount JWT public key from ncs-jwt-keys The official-bots rollout never mounted the ncs-jwt-keys secret nor set JWT_PUBLIC_KEY_PATH, so the service fell back to the image-baked public.pem, which does not match the deployed signing key. Every token failed RS256 verification -> 401. Mount ncs-jwt-keys at /secrets/jwt and point JWT_PUBLIC_KEY_PATH there, mirroring account/core/tournament. Verify-only, no private key. Co-Authored-By: Claude Opus 4.8 --- nowchess/base/nowchess-rollouts.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/nowchess/base/nowchess-rollouts.yaml b/nowchess/base/nowchess-rollouts.yaml index 11baa8b..108dc04 100755 --- a/nowchess/base/nowchess-rollouts.yaml +++ b/nowchess/base/nowchess-rollouts.yaml @@ -441,6 +441,12 @@ spec: key: INTERNAL_SECRET - name: ACCOUNT_SERVICE_URL value: http://nowchess-account:8083 + - name: JWT_PUBLIC_KEY_PATH + value: /secrets/jwt/public.pem + volumeMounts: + - name: jwt-keys + mountPath: /secrets/jwt + readOnly: true ports: - containerPort: 8088 protocol: TCP @@ -463,6 +469,10 @@ spec: limits: cpu: "500m" memory: "256Mi" + volumes: + - name: jwt-keys + secret: + secretName: ncs-jwt-keys rollbackWindow: revisions: 3 strategy: -- 2.52.0 From f0dc9fd145f74c8d0753b0e96763b8c112455618 Mon Sep 17 00:00:00 2001 From: Janis Date: Wed, 17 Jun 2026 09:50:04 +0200 Subject: [PATCH 2/3] chore(official-bots): debug logging for JWT verify on staging Enable DEBUG for io.smallrye.jwt and io.quarkus.security on the official-bots rollout in staging only (container env, not the shared ConfigMap) to diagnose the persistent 401. Remove after root cause. Co-Authored-By: Claude Opus 4.8 --- nowchess/eu-central-1-staging/kustomization.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/nowchess/eu-central-1-staging/kustomization.yaml b/nowchess/eu-central-1-staging/kustomization.yaml index 7718332..c316358 100755 --- a/nowchess/eu-central-1-staging/kustomization.yaml +++ b/nowchess/eu-central-1-staging/kustomization.yaml @@ -93,6 +93,21 @@ patches: name: nowchess-core spec: replicas: 1 +- patch: |- + apiVersion: argoproj.io/v1alpha1 + kind: Rollout + metadata: + name: nowchess-official-bots + spec: + template: + spec: + containers: + - name: nowchess-official-bots + env: + - name: QUARKUS_LOG_CATEGORY__IO_SMALLRYE_JWT__LEVEL + value: DEBUG + - name: QUARKUS_LOG_CATEGORY__IO_QUARKUS_SECURITY__LEVEL + value: DEBUG images: - name: ghcr.io/now-chess/now-chess-systems/account newTag: 0.24.0 -- 2.52.0 From dfb2dfcd32770df537cb8fa125bec6f09241a4ef Mon Sep 17 00:00:00 2001 From: Janis Date: Wed, 17 Jun 2026 09:59:08 +0200 Subject: [PATCH 3/3] fix(official-bots): set JWT verify props via env Logs show JWTAuthContextInfo with publicKeyLocation=null and issuedBy=null -> "Verification key is unresolvable". The running image has no mp.jwt.verify config, and JWT_PUBLIC_KEY_PATH only matters if the baked config references it, which this image does not. Set the MicroProfile properties directly through the environment (MP_JWT_VERIFY_PUBLICKEY_LOCATION, MP_JWT_VERIFY_ISSUER) so verification works on the current image without a rebuild. The mounted ncs-jwt-keys secret supplies the matching public key. Co-Authored-By: Claude Opus 4.8 --- nowchess/base/nowchess-rollouts.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/nowchess/base/nowchess-rollouts.yaml b/nowchess/base/nowchess-rollouts.yaml index 108dc04..b13b0ad 100755 --- a/nowchess/base/nowchess-rollouts.yaml +++ b/nowchess/base/nowchess-rollouts.yaml @@ -441,8 +441,10 @@ spec: key: INTERNAL_SECRET - name: ACCOUNT_SERVICE_URL value: http://nowchess-account:8083 - - name: JWT_PUBLIC_KEY_PATH + - name: MP_JWT_VERIFY_PUBLICKEY_LOCATION value: /secrets/jwt/public.pem + - name: MP_JWT_VERIFY_ISSUER + value: nowchess volumeMounts: - name: jwt-keys mountPath: /secrets/jwt -- 2.52.0