Problem Statement
The OpenShift install guide instructs users to disable pkiInitJob but only mentions the need to pre-create the sandbox JWT signing Secret as an afterthought note below the helm install command. Every user hits a MountVolume.SetUp failure for the openshell-jwt-keys Secret on first install and has to manually create the Secret and restart the pod.
Reference: https://github.com/NVIDIA/OpenShell/blob/main/docs/kubernetes/openshift.mdx?plain=1#L61-L63
Resolution
The pkiInitJob certgen Job works on OpenShift without being disabled — its security context is compatible with the restricted SCC. The original guidance to disable it was stale.
Changes span three files:
docs/kubernetes/openshift.mdx — removed pkiInitJob.enabled=false override, removed manual JWT secret creation step, updated disableTls table row description
deploy/helm/openshell/README.md.gotmpl — matching quick-start snippet cleanup, fixed OpenShift install guide link
deploy/helm/openshell/README.md — regenerated via mise run helm:docs
Agent Investigation
Traced the secret requirements through the codebase:
- Secret name:
openshell-jwt-keys (from openshell.sandboxJwtSecretName helper in _helpers.tpl)
- Secret keys:
signing.pem, public.pem, kid (from jwt_signing_secret() in certgen.rs)
- Key type: Ed25519 PKCS#8/SPKI PEM (from
PkiBundle struct in openshell-bootstrap/src/pki.rs)
- Kid format: 16 bytes hex-encoded (from test assertion in
pki.rs)
- Certgen Job security context:
allowPrivilegeEscalation: false, capabilities.drop: [ALL], no hardcoded runAsUser or fsGroup — compatible with OpenShift's restricted SCC
Problem Statement
The OpenShift install guide instructs users to disable
pkiInitJobbut only mentions the need to pre-create the sandbox JWT signing Secret as an afterthought note below thehelm installcommand. Every user hits aMountVolume.SetUpfailure for theopenshell-jwt-keysSecret on first install and has to manually create the Secret and restart the pod.Reference: https://github.com/NVIDIA/OpenShell/blob/main/docs/kubernetes/openshift.mdx?plain=1#L61-L63
Resolution
The
pkiInitJobcertgen Job works on OpenShift without being disabled — its security context is compatible with therestrictedSCC. The original guidance to disable it was stale.Changes span three files:
docs/kubernetes/openshift.mdx— removedpkiInitJob.enabled=falseoverride, removed manual JWT secret creation step, updateddisableTlstable row descriptiondeploy/helm/openshell/README.md.gotmpl— matching quick-start snippet cleanup, fixed OpenShift install guide linkdeploy/helm/openshell/README.md— regenerated viamise run helm:docsAgent Investigation
Traced the secret requirements through the codebase:
openshell-jwt-keys(fromopenshell.sandboxJwtSecretNamehelper in_helpers.tpl)signing.pem,public.pem,kid(fromjwt_signing_secret()incertgen.rs)PkiBundlestruct inopenshell-bootstrap/src/pki.rs)pki.rs)allowPrivilegeEscalation: false,capabilities.drop: [ALL], no hardcodedrunAsUserorfsGroup— compatible with OpenShift'srestrictedSCC