fix(chart): bake CATALYST_HANDOVER_KEY_PATH into api-deployment (#630)

* fix(catalyst-api): magic-link URL must include /api/v1 prefix

Email link was https://console.openova.io/sovereign/auth/magic?token=...
but the registered route is /api/v1/auth/magic. After Traefik strips
/sovereign, catalyst-api received /auth/magic — 404.

Both magicURL and magicLinkAudience updated to include /api/v1.

* fix(chart): bake CATALYST_HANDOVER_KEY_PATH into api-deployment

Without this env, kubectl set env is ephemeral — Flux/Helm reconciles
the deployment back without it on next chart roll, magic-link returns
503 'handover signer unavailable'.

---------

Co-authored-by: hatiyildiz <hatiyildiz@openova.io>
e3mrah 2026-05-02 20:50:47 +04:00 committed by GitHub
parent 7a1ddb1878
commit 12cf4ac48c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

@ -322,6 +322,12 @@ spec:
# time. optional=true: Catalyst-Zero side leaves this unset.
- name: CATALYST_HANDOVER_JWT_PUBLIC_KEY_PATH
value: /var/lib/catalyst/handover-jwt-public.jwk
# CATALYST_HANDOVER_KEY_PATH — path to the RS256 PRIVATE key
# catalyst-api uses to mint magic-link + handover JWTs. The
# signer auto-generates the keypair on first start if absent.
# MUST be on a writable PVC mount. Catalyst-Zero only.
- name: CATALYST_HANDOVER_KEY_PATH
value: /var/lib/catalyst/handover-jwt-private.pem
# ── Magic-link auth (issue #608, Phase-8b Agent A) ──────────────
# CATALYST_KC_CLIENT_ID — OIDC client ID for the Catalyst-Zero
# UI (catalyst-zero-ui PKCE client). Defaults to "catalyst-zero-ui"
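Review bot: the new CATALYST_HANDOVER_KEY_PATH entry depends on /var/lib/catalyst being a writable persistent mount (the comment says "MUST be on a writable PVC mount"), but nothing in this hunk shows the matching volumeMount or PVC claim, and the env is set unconditionally even though the comment says "Catalyst-Zero only" while the neighbouring public-key comment says the Catalyst-Zero side leaves that one unset. Please confirm the same deployment template actually mounts a persistent volume at /var/lib/catalyst: if the signer lands on an ephemeral container filesystem it will "auto-generate the keypair on first start" after every restart, every outstanding magic-link and handover JWT becomes unverifiable, and with more than one replica each pod mints tokens only it can verify. Consider gating both key-path values on the same Helm condition (a values flag for the Catalyst-Zero role) so the two mutually exclusive settings cannot both be baked in, and, since this file is the RS256 private signing key, prefer provisioning it as a Kubernetes Secret mounted read-only over letting the API pod write its own key to a PVC; at minimum document the expected file mode and that the directory must be chart-managed, not created by kubectl set env as the commit message describes.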