feat(secrets): wire POD_TOKEN_SIGNING_SECRET for stateless pod tokens (client-runtime#79)

[saadqbal]

Chart side of client-runtime#79 (stateless signed pod-proxy tokens, code in client-runtime#89). Deploying the signing secret is what flips the runtime from the legacy pod_tokens table into stateless mode — the jobs-manager mints HMAC-signed tokens, the requests-proxy verifies them by signature+expiry, and the token-revoke-while-live race class (#52–#58, #86) ceases to exist.

Changes

• secrets.yaml — add POD_TOKEN_SIGNING_SECRET to the Opaque secret. Stable across upgrades via lookup: explicit .Values.podTokenSigningSecret > value already stored in the live Secret > freshly generated randAlphaNum 48. So a token minted before an upgrade still verifies after. Only added to the release-namespace secret (not the node-agents mirror, which exists solely for the resource-monitor's CLIENT_ID/PASSWORD).
• jobs-manager-deployment.yaml — inject POD_TOKEN_SIGNING_SECRET (secretKeyRef) + POD_TOKEN_TTL_SECONDS (value).
• requests-proxy-deployment.yaml — inject POD_TOKEN_SIGNING_SECRET (secretKeyRef), verify side.
• values.yaml — podTokenSigningSecret: "" (auto-generate) + podTokenTtlSeconds: 604800.
• Chart.yaml — 1.4.5 → 1.5.0.

Safety / rollout notes

• The secret is never injected into training pods (untrusted code) — only the minted REQUESTS_PROXY_TOKEN reaches them.
• Auto-generates by default; operators can pin or rotate via podTokenSigningSecret (rotation invalidates live tokens → pods respawn).
• Set podTokenTtlSeconds to comfortably exceed the longest training-job duration (default 7d), else a long job 401s mid-run when its token expires.
• helm template + helm lint pass.
• Cutover: in-flight pods carrying old UUID tokens will 401 against a stateless proxy until replaced — brief, one-time.

Refs client-runtime#79, client-runtime#89. Closes #204.

🤖 Generated with Claude Code

---

Note

Medium Risk
Changes authentication wiring for the requests-proxy path and secret stability across upgrades; rollout can briefly break in-flight pods using legacy tokens.

Overview
Helm chart 1.5.0 deploys the shared HMAC secret that switches pod-proxy auth from the legacy pod_tokens table to stateless signed tokens (jobs-manager mints, requests-proxy verifies by signature + expiry).

secrets.yaml adds POD_TOKEN_SIGNING_SECRET with upgrade-stable resolution: explicit podTokenSigningSecret → existing Secret via lookup → randAlphaNum 48 on first install. The key is not copied to the node-agents secret mirror.

jobs-manager gets POD_TOKEN_SIGNING_SECRET and POD_TOKEN_TTL_SECONDS (default 7 days). requests-proxy gets the same signing secret env only.

values.yaml documents optional pin/rotation and TTL; mis-set TTL can 401 long-running jobs mid-run. In-flight pods with old UUID tokens may 401 until respawned after cutover.

^{Reviewed by Cursor Bugbot for commit d06e846. Bugbot is set up for automated code reviews on this repo. Configure here.}

[LukasWodka]

👋 Heads-up — Code review queue is at 16 / 8

Above the WIP limit. The team convention is to review existing PRs before opening new work.

Open PRs currently in Code review (oldest first):

• averaging-service#102 — chore(kanban): declare staging as prod-truth branch via .kanban.yml · author: @LukasWodka · no reviewer assigned
• averaging-service#98 — ci: add fr-gate caller workflow · author: @LukasWodka · no reviewer assigned
• backend#732 — feat(experiments): add per-experiment aggregation_strategy field (#730) · author: @LukasWodka · reviewer: @saqlainsyed007, @shujaatTracebloc
• cli#53 — feat: add dataset list command · author: @aptracebloc · no reviewer assigned
• data-ingestors#146 — test(schema): lock category enum to the engine's TaskCategory (anti-drift) · author: @LukasWodka · reviewer: @saadqbal
• data-ingestors#148 — Develop to prod · author: @divyasinghds · reviewer: @saadqbal
• design-system#19 — fix: un-track coverage/ and node_modules/ from git · author: @LukasWodka · no reviewer assigned
• design-system#22 — ci: add Vitest test workflow · author: @LukasWodka · reviewer: @aptracebloc
• design-system#23 — ci: add fr-gate caller workflow · author: @LukasWodka · no reviewer assigned
• docs#47 — docs(environment-setup): Installer UX: drop PriorityClass, fix namespace, one-per-machine guard, surface version #192 namespace/workspace flow (hold for client#192) · author: @LukasWodka · reviewer: @saadqbal

Pull from review before opening new work. (This is a nudge from the kanban WIP check, not a block.)