17 changes: 11 additions & 6 deletions agent-manager-service/entrypoint.sh
@@ -23,13 +23,18 @@ set -e

echo "Starting agent-manager-service..."
⚠️ Potential issue | 🟡 Minor

Remove duplicate startup message.

"Starting agent-manager-service..." is printed twice: once at line 24 and again at line 41. Consider removing the first occurrence since the actual startup happens after key handling.

Proposed fix
 echo "Starting agent-manager-service..."
 
-# Check if JWT signing keys exist (mounted from Kubernetes Secret)
+# Check if JWT signing keys exist (mounted from Kubernetes Secret)

Or simply remove line 24:

-echo "Starting agent-manager-service..."
-
 # Check if JWT signing keys exist (mounted from Kubernetes Secret)

Also applies to: 41-41

🤖 Prompt for AI Agents
In `@agent-manager-service/entrypoint.sh` at line 24, Remove the duplicate startup
echo by deleting the early echo "Starting agent-manager-service..." (the first
echo invocation) and keep the later echo that occurs after key handling;
specifically remove the initial echo statement so the single startup message
comes only from the post-key-handling echo.


# Generate JWT signing keys using the gen_keys.sh script
# This script will only generate keys if they don't already exist
if [ -f /app/scripts/gen_keys.sh ]; then
echo "Running key generation script..."
bash /app/scripts/gen_keys.sh "${JWT_SIGNING_ACTIVE_KEY_ID:-key-1}"
# Check if JWT signing keys exist (mounted from Kubernetes Secret)
if [ -f /app/keys/private.pem ] && [ -f /app/keys/public.pem ] && [ -f /app/keys/public-keys-config.json ]; then
echo "JWT signing keys found (mounted from Secret), skipping generation"
else
echo "Warning: gen_keys.sh script not found, skipping key generation"
# Generate JWT signing keys using the gen_keys.sh script (for local development)
# This script will only generate keys if they don't already exist
if [ -f /app/scripts/gen_keys.sh ]; then
echo "JWT signing keys not found, running key generation script..."
bash /app/scripts/gen_keys.sh "${JWT_SIGNING_ACTIVE_KEY_ID:-key-1}"
else
echo "Warning: gen_keys.sh script not found and keys not mounted, service may fail to start"
fi
fi

# Start the application
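Review bot: the innermost else branch (the "Warning: gen_keys.sh script not found and keys not mounted, service may fail to start" line) only logs and then falls through to the application start, so a deployment with neither a mounted Secret nor the generation script still launches and fails later, on the first token-signing request. The script already runs under set -e, so an explicit `exit 1` in that branch turns missing keys into a startup failure that shows up as a crash-looping pod instead of a 5xx at request time. The duplicate "Starting agent-manager-service..." echo is already covered by the comment above.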
@@ -201,6 +201,23 @@ PostgreSQL password secret key
{{- end }}
{{- end }}

{{/*
==============================================
JWT Keys Secret Helpers
==============================================
*/}}

{{/*
JWT Keys Secret name
*/}}
{{- define "agent-management-platform.jwtKeysSecretName" -}}
{{- if .Values.jwtSigning.existingSecret }}
{{- .Values.jwtSigning.existingSecret }}
{{- else }}
{{- printf "%s-jwt-keys" (include "agent-management-platform.fullname" .) }}
{{- end }}
{{- end }}

{{/*
==============================================
Image Pull Secrets
@@ -114,14 +114,21 @@ spec:
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.volumeMounts }}
volumeMounts:
- name: jwt-keys
mountPath: /app/keys
readOnly: true
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.volumes }}
{{- end }}
volumes:
- name: jwt-keys
secret:
secretName: {{ include "agent-management-platform.jwtKeysSecretName" . }}
defaultMode: 0440
{{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
{{- with .Values.agentManagerService.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
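Review bot: `defaultMode: 0440` on the jwt-keys Secret volume is the right direction for a private key, but Secret volume files are owned by root, so a container running as a non-root UID can only read /app/keys/private.pem if the pod's securityContext sets fsGroup, which this hunk does not show; worth confirming for the agent-manager-service pod, because the entrypoint's `[ -f /app/keys/private.pem ]` test passes on existence alone while the process would still fail to open the file. Two side effects of mounting the volume unconditionally are also worth a line in the README: with `readOnly: true` the entrypoint's gen_keys.sh fallback can never write into /app/keys in-cluster, and when `jwtKeysGeneration.enabled` is false and `jwtSigning.existingSecret` is empty the Secret never exists and the pod stays in ContainerCreating, so either guard the volume with the same condition the Job uses or fail template rendering for that combination.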
@@ -0,0 +1,110 @@
{{- if and .Values.jwtKeysGeneration.enabled (not .Values.jwtSigning.existingSecret) }}
apiVersion: batch/v1
kind: Job
metadata:
name: amp-jwt-keys-generation
labels:
{{- include "agent-management-platform.labels" . | nindent 4 }}
app.kubernetes.io/component: jwt-keys-generation
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-10"
"helm.sh/hook-delete-policy": before-hook-creation
spec:
backoffLimit: {{ .Values.jwtKeysGeneration.backoffLimit }}
ttlSecondsAfterFinished: 300
template:
metadata:
name: amp-jwt-keys-generation
labels:
{{- include "agent-management-platform.selectorLabels" . | nindent 8 }}
app.kubernetes.io/component: jwt-keys-generation
spec:
{{- include "agent-management-platform.imagePullSecrets" . | nindent 6 }}
serviceAccountName: {{ include "agent-management-platform.serviceAccountName" . }}
restartPolicy: Never
{{- with .Values.jwtKeysGeneration.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: jwt-keys-generation
{{- with .Values.jwtKeysGeneration.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
image: "alpine:3.21"
imagePullPolicy: IfNotPresent
command:
- /bin/sh
- -c
- |
set -euo pipefail

# Install required tools
apk add --no-cache openssl kubectl curl

# Check if secret already exists
if kubectl get secret {{ include "agent-management-platform.jwtKeysSecretName" . }} -n {{ .Release.Namespace }} &>/dev/null; then
echo "JWT keys Secret already exists, skipping generation"
exit 0
fi

echo "Generating JWT signing keys..."
mkdir -p /tmp/keys
cd /tmp/keys

# Generate RSA private key (4096 bits for security)
openssl genrsa -out private.pem 4096

# Extract public key
openssl rsa -in private.pem -pubout -out public.pem

# Use configured key ID from agentManagerService config
KEY_ID="{{ .Values.agentManagerService.config.jwtSigning.activeKeyId }}"
TIMESTAMP=$(date -u +%Y-%m-%dT%H:%M:%SZ)

# Create public-keys-config.json matching the format expected by gen_keys.sh
cat > public-keys-config.json <<EOF
{
"keys": [
{
"kid": "${KEY_ID}",
"algorithm": "RS256",
"publicKeyPath": "/app/keys/public.pem",
"description": "JWT signing key generated by Helm",
"createdAt": "${TIMESTAMP}"
}
]
}
EOF
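Review bot: the existence check `kubectl get secret ... &>/dev/null` uses a bash-only redirection; under a POSIX sh, `&>` parses as a `&` that backgrounds the kubectl command (a backgrounded list has exit status 0) followed by an empty `>/dev/null` redirect, so the `if` always takes the "already exists" branch and exits 0 without generating anything. Since the container runs the script with /bin/sh, spell it `>/dev/null 2>&1` so the branch is taken only when the Secret really exists. Separately, the hook installs openssl, kubectl and curl from the Alpine repositories at run time (curl is never used in the script), so every install depends on network egress and an unpinned package set; a purpose-built image referenced by digest, or at least pinned package versions, would make the hook reproducible and usable in clusters without outbound access.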
Comment on lines +68 to +80
⚠️ Potential issue | 🟠 Major

Heredoc indentation will produce malformed JSON.

The heredoc content is indented with leading spaces which will be included in the generated JSON file, making it invalid. The JSON keys will have leading whitespace.

Proposed fix: Use unindented heredoc or remove leading spaces
               # Create public-keys-config.json matching the format expected by gen_keys.sh
-              cat > public-keys-config.json <<EOF
-              {
-                "keys": [
-                  {
-                    "kid": "${KEY_ID}",
-                    "algorithm": "RS256",
-                    "publicKeyPath": "/app/keys/public.pem",
-                    "description": "JWT signing key generated by Helm",
-                    "createdAt": "${TIMESTAMP}"
-                  }
-                ]
-              }
-              EOF
+              cat > public-keys-config.json <<'EOF'
+{
+  "keys": [
+    {
+      "kid": "PLACEHOLDER_KEY_ID",
+      "algorithm": "RS256",
+      "publicKeyPath": "/app/keys/public.pem",
+      "description": "JWT signing key generated by Helm",
+      "createdAt": "PLACEHOLDER_TIMESTAMP"
+    }
+  ]
+}
+EOF
+              # Replace placeholders with actual values
+              sed -i "s/PLACEHOLDER_KEY_ID/${KEY_ID}/g" public-keys-config.json
+              sed -i "s/PLACEHOLDER_TIMESTAMP/${TIMESTAMP}/g" public-keys-config.json

Or use a simpler approach with printf/echo:

               # Create public-keys-config.json matching the format expected by gen_keys.sh
-              cat > public-keys-config.json <<EOF
-              {
-                ...
-              }
-              EOF
+              cat > public-keys-config.json << EOF
+{
+  "keys": [
+    {
+      "kid": "${KEY_ID}",
+      "algorithm": "RS256",
+      "publicKeyPath": "/app/keys/public.pem",
+      "description": "JWT signing key generated by Helm",
+      "createdAt": "${TIMESTAMP}"
+    }
+  ]
+}
+EOF

Note: The EOF marker must be at the start of the line (no leading indentation).

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
cat > public-keys-config.json <<EOF
{
"keys": [
{
"kid": "${KEY_ID}",
"algorithm": "RS256",
"publicKeyPath": "/app/keys/public.pem",
"description": "JWT signing key generated by Helm",
"createdAt": "${TIMESTAMP}"
}
]
}
EOF
cat > public-keys-config.json << EOF
{
"keys": [
{
"kid": "${KEY_ID}",
"algorithm": "RS256",
"publicKeyPath": "/app/keys/public.pem",
"description": "JWT signing key generated by Helm",
"createdAt": "${TIMESTAMP}"
}
]
}
EOF
🤖 Prompt for AI Agents
In
`@deployments/helm-charts/wso2-ai-agent-management-platform/templates/jobs/jwt-keys-generation-job.yaml`
around lines 68 - 80, The heredoc used to write public-keys-config.json is
indented, which inserts leading spaces into the JSON and breaks it; modify the
JWT keys generation step in jwt-keys-generation-job.yaml to use an unindented
heredoc (ensure the "cat > public-keys-config.json <<EOF" and the terminating
"EOF" are at column 0) or replace the heredoc with a non-indenting alternative
(e.g., printf/echo) to write the JSON, preserving the KEY_ID and TIMESTAMP
substitutions and the publicKeyPath/public keys structure unchanged.


# Verify keys were generated
if [[ ! -f private.pem ]] || [[ ! -f public.pem ]] || [[ ! -f public-keys-config.json ]]; then
echo "ERROR: Key generation failed - missing key files"
exit 1
fi
Comment on lines +83 to +86
⚠️ Potential issue | 🔴 Critical

Critical: Bash syntax [[ ]] not supported in Alpine's /bin/sh.

The script uses [[ ]] test syntax which is a bash-ism, but Alpine's default shell is ash/busybox sh, which doesn't support this syntax. This will cause the job to fail with a syntax error.

Proposed fix: Use POSIX-compliant test syntax
-              if [[ ! -f private.pem ]] || [[ ! -f public.pem ]] || [[ ! -f public-keys-config.json ]]; then
+              if [ ! -f private.pem ] || [ ! -f public.pem ] || [ ! -f public-keys-config.json ]; then
📝 Committable suggestion


Suggested change
if [[ ! -f private.pem ]] || [[ ! -f public.pem ]] || [[ ! -f public-keys-config.json ]]; then
echo "ERROR: Key generation failed - missing key files"
exit 1
fi
if [ ! -f private.pem ] || [ ! -f public.pem ] || [ ! -f public-keys-config.json ]; then
echo "ERROR: Key generation failed - missing key files"
exit 1
fi
🤖 Prompt for AI Agents
In
`@deployments/helm-charts/wso2-ai-agent-management-platform/templates/jobs/jwt-keys-generation-job.yaml`
around lines 83 - 86, The conditional check using bash-ism `[[ ... ]]` needs to
be converted to POSIX-compliant tests so the job can run under Alpine's /bin/sh;
locate the if-statement that checks for private.pem, public.pem, and
public-keys-config.json and replace the `[[`/`]]` usage with POSIX `test`/`[`
checks (e.g., use `-f` checks combined with `||`) so the script uses only
/bin/sh-compatible syntax and still exits with the same error message when any
file is missing.


echo "Creating Kubernetes Secret with JWT keys..."
kubectl create secret generic {{ include "agent-management-platform.jwtKeysSecretName" . }} \
-n {{ .Release.Namespace }} \
--from-file=private.pem=private.pem \
--from-file=public.pem=public.pem \
--from-file=public-keys-config.json=public-keys-config.json \
--dry-run=client -o yaml | \
kubectl apply -f -

# Add annotations for tracking
kubectl annotate secret {{ include "agent-management-platform.jwtKeysSecretName" . }} \
-n {{ .Release.Namespace }} \
amp.wso2.com/keys-version="1" \
amp.wso2.com/key-id="${KEY_ID}" \
amp.wso2.com/generated-at="${TIMESTAMP}" \
--overwrite

echo "JWT keys Secret created successfully with key ID: ${KEY_ID}"
{{- with .Values.jwtKeysGeneration.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
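Review bot: piping `kubectl create secret generic ... --dry-run=client -o yaml` into `kubectl apply -f -` stores a second copy of the private key in the Secret's `kubectl.kubernetes.io/last-applied-configuration` annotation, because client-side apply records the full submitted object there; the script already exits earlier when the Secret exists, so a plain `kubectl create secret generic ...` without the dry-run/apply pair creates it once and keeps the key material only in `data`. Also worth documenting: the Secret is created by a hook pod rather than rendered by Helm, so it is not a release resource and survives `helm uninstall` (good for key continuity, but operators must delete it deliberately to rotate), and `amp.wso2.com/keys-version="1"` is a fixed literal rather than a value that advances on rotation.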
@@ -5,6 +5,10 @@ metadata:
name: {{ include "agent-management-platform.fullname" . }}
labels:
{{- include "agent-management-platform.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-15"
"helm.sh/hook-delete-policy": before-hook-creation
rules:
{{- toYaml .Values.rbac.rules | nindent 2 }}
---
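Review bot: the key-generation Job runs as the chart-wide ServiceAccount (`agent-management-platform.serviceAccountName`), so whatever `.Values.rbac.rules` must now grant for getting, creating and annotating Secrets is also held by every workload pod using that account, not only the one-shot hook. A dedicated ServiceAccount plus a namespaced Role for the Job, with `resourceNames` limited to the name that `jwtKeysSecretName` renders for get and patch (create cannot be name-restricted), keeps the Deployment on the narrower rules it needed before this change.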
@@ -14,6 +18,10 @@ metadata:
name: {{ include "agent-management-platform.fullname" . }}
labels:
{{- include "agent-management-platform.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-15"
"helm.sh/hook-delete-policy": before-hook-creation
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
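Review bot: turning the ClusterRoleBinding (and the ClusterRole above it) into a pre-install/pre-upgrade hook with `before-hook-creation` changes its lifecycle: hook resources are not tracked as part of the release, so `helm uninstall` leaves this cluster-scoped binding behind, and every upgrade deletes and recreates it, leaving a short window with no binding while the release is being upgraded. If the only reason for the hook annotations is ordering ahead of the key-generation Job, a dedicated hook Role/RoleBinding for the Job keeps the long-lived binding a normal release resource; otherwise the orphaned-RBAC cleanup needs a note in the chart README.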
@@ -6,8 +6,11 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
{{- include "agent-management-platform.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-15"
"helm.sh/hook-delete-policy": before-hook-creation
{{- with .Values.serviceAccount.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automount | default true }}
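Review bot: the `before-hook-creation` delete policy on the ServiceAccount means each `helm upgrade` deletes and recreates it, which changes the ServiceAccount UID; bound service-account tokens carry that UID, so tokens already projected into running pods stop validating against the API server until the kubelet's next refresh, and TokenRequest calls fail during the window in which the account does not exist. A separate hook-only ServiceAccount for the Job, created with the same `-15` weight so it exists before the Job's `-10`, lets the workload ServiceAccount stay a regular release resource and avoids invalidating tokens of the pods that use it mid-upgrade.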
@@ -245,6 +245,28 @@ dbMigration:
podSecurityContext: {}
securityContext: {}

# JWT Keys Generation Job Configuration
jwtKeysGeneration:
enabled: true
backoffLimit: 3

resources:
requests:
memory: 64Mi
cpu: 50m
limits:
memory: 128Mi
cpu: 100m

podSecurityContext: {}
securityContext: {}

# JWT Signing Keys Configuration
jwtSigning:
# Specify an existing secret containing JWT keys (optional)
# If not specified, keys will be auto-generated by the jwt-keys-generation job
existingSecret: ""

# Ingress Configuration
ingress:
enabled: false
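Review bot: the comment on `existingSecret` should state what the Secret must contain, namely the private.pem, public.pem and public-keys-config.json keys that entrypoint.sh tests for and the JSON layout the Job writes, so operators can supply their own keys without reading the Job template; and the combination `jwtKeysGeneration.enabled: false` with `existingSecret: ""` is currently accepted even though the Deployment always mounts the Secret, so rejecting it at render time would save a confusing ContainerCreating pod. The empty `podSecurityContext: {}` and `securityContext: {}` defaults leave the key-generation container unhardened; the run-time `apk add` is what forces it to run as root, which is one more argument for a prebuilt image.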