fix(official-bots): mount JWT public key from ncs-jwt-keys #415

Closed
Janis wants to merge 3 commits from fix/official-bots-jwt-mount into main

3 Commits

Author SHA1 Message Date
Janis dfb2dfcd32 fix(official-bots): set JWT verify props via env
Delete PR Branch On Close / delete-branch (pull_request) Has been skipped
Logs show JWTAuthContextInfo with publicKeyLocation=null and
issuedBy=null -> "Verification key is unresolvable". The running image
has no mp.jwt.verify config, and JWT_PUBLIC_KEY_PATH only matters if the
baked config references it, which this image does not.

Set the MicroProfile properties directly through the environment
(MP_JWT_VERIFY_PUBLICKEY_LOCATION, MP_JWT_VERIFY_ISSUER) so verification
works on the current image without a rebuild. The mounted ncs-jwt-keys
secret supplies the matching public key.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-17 09:59:08 +02:00
Janis f0dc9fd145 chore(official-bots): debug logging for JWT verify on staging
Delete PR Branch On Close / delete-branch (pull_request) Successful in 6s
Enable DEBUG for io.smallrye.jwt and io.quarkus.security on the
official-bots rollout in staging only (container env, not the shared
ConfigMap) to diagnose the persistent 401. Remove after root cause.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-17 09:50:04 +02:00
Janis cfb25eff8c fix(official-bots): mount JWT public key from ncs-jwt-keys
Delete PR Branch On Close / delete-branch (pull_request) Successful in 6s
The official-bots rollout never mounted the ncs-jwt-keys secret nor set
JWT_PUBLIC_KEY_PATH, so the service fell back to the image-baked
public.pem, which does not match the deployed signing key. Every token
failed RS256 verification -> 401.

Mount ncs-jwt-keys at /secrets/jwt and point JWT_PUBLIC_KEY_PATH there,
mirroring account/core/tournament. Verify-only, no private key.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-17 09:42:21 +02:00