From d4c91fe80135e7ad71d913822c215ee8f1002e03 Mon Sep 17 00:00:00 2001 From: Nati Fridman Date: Mon, 25 May 2026 14:25:54 +0300 Subject: [PATCH] docs(openshift): add manual JWT signing secret step The PKI init job is disabled on OpenShift, but the docs omitted the manual creation of the openshell-jwt-keys secret it would have generated, leaving the gateway pod stuck in ContainerCreating. --- docs/kubernetes/openshift.mdx | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/docs/kubernetes/openshift.mdx b/docs/kubernetes/openshift.mdx index acad5ff79..bc3960e6b 100644 --- a/docs/kubernetes/openshift.mdx +++ b/docs/kubernetes/openshift.mdx @@ -40,6 +40,24 @@ Sandbox pods run under the `openshell-sandbox` service account in the `openshell oc adm policy add-scc-to-user privileged -z openshell-sandbox -n openshell ``` +## Create the JWT signing secret + +The PKI init job is disabled (see next step), so the JWT signing keys it would normally create must be provisioned manually: + +```shell +openssl genpkey -algorithm Ed25519 -out /tmp/signing.pem +openssl pkey -in /tmp/signing.pem -pubout -out /tmp/public.pem +openssl rand -hex 16 > /tmp/kid + +oc create secret generic openshell-jwt-keys \ + -n openshell \ + --from-file=signing.pem=/tmp/signing.pem \ + --from-file=public.pem=/tmp/public.pem \ + --from-file=kid=/tmp/kid + +rm /tmp/signing.pem /tmp/public.pem /tmp/kid +``` + ## Install the chart with OpenShift overrides ```shell
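Review bot: in the added shell block under "Create the JWT signing secret", the Ed25519 private key is written to a fixed, predictable path in a shared directory (`/tmp/signing.pem`) and is removed only by the final `rm`, which the reader never reaches if they stop after a failed `oc create secret generic openshell-jwt-keys`. Suggest generating the three files in a private working directory instead, for example `umask 077; dir=$(mktemp -d)` followed by `$dir/signing.pem`, `$dir/public.pem` and `$dir/kid`, and ending with `rm -rf "$dir"`, so the key is never exposed under a guessable name and cleanup is a single step. A second point on the same block: `openssl rand -hex 16 > /tmp/kid` writes a trailing newline and `--from-file=kid=/tmp/kid` stores the file contents verbatim, so it is worth confirming that the gateway trims the `kid` value, or writing it with `printf '%s' "$(openssl rand -hex 16)"` to be safe.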