From 3779cdc379a4b204ccf9ca7bcc2875092c3fe48f Mon Sep 17 00:00:00 2001
From: Jackson Roberts
Date: Wed, 25 Feb 2026 21:17:00 -0600
Subject: [PATCH] fix tls and key secrets
---
 kubernetes/deployment.yaml | 2 ++
 kubernetes/ingress.yaml | 3 ++-
 kubernetes/migration-job.yaml | 2 ++
 src/constants.ts | 12 +++++++-----
 4 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/kubernetes/deployment.yaml b/kubernetes/deployment.yaml
index 830f13a..2c216fa 100644
--- a/kubernetes/deployment.yaml
+++ b/kubernetes/deployment.yaml
@@ -20,6 +20,8 @@ spec:
 envFrom:
 - secretRef:
 name: api-env-secret
+ - secretRef:
+ name: optima-keys-secret
 ports:
 - containerPort: 3000
 imagePullSecrets:
diff --git a/kubernetes/ingress.yaml b/kubernetes/ingress.yaml
index f31cfb8..4b451b9 100644
--- a/kubernetes/ingress.yaml
+++ b/kubernetes/ingress.yaml
@@ -4,7 +4,8 @@ metadata:
 name: optima-api-ingress
 namespace: optima
 annotations:
- ingress.kubernetes.io/ssl-redirect: "false"
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
 tls:
 - secretName: osdci-net-cert
diff --git a/kubernetes/migration-job.yaml b/kubernetes/migration-job.yaml
index 4748474..b886822 100644
--- a/kubernetes/migration-job.yaml
+++ b/kubernetes/migration-job.yaml
@@ -16,6 +16,8 @@ spec:
 envFrom:
 - secretRef:
 name: api-env-secret
+ - secretRef:
+ name: optima-keys-secret
 restartPolicy: Never
 imagePullSecrets:
 - name: github-container-registry
diff --git a/src/constants.ts b/src/constants.ts
index d17a3a3..9c91465 100644
--- a/src/constants.ts
+++ b/src/constants.ts
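Review bot: The added `envFrom` entry for `optima-keys-secret` in kubernetes/deployment.yaml puts every key of that Secret into the container environment, and judging by src/constants.ts in this patch those are the token-signing and secure-values private keys. Environment variables are inherited by child processes and tend to end up in crash reports and diagnostic dumps, so mounting the Secret as a read-only volume and reading the keys from files would keep them out of that path; a sketch follows, with the mount path a placeholder. The same entry is added to kubernetes/migration-job.yaml, where it is also worth confirming that the migration job needs the signing keys at all. The container spec starts and ends outside the hunk.

```yaml
          # … unchanged: envFrom with api-env-secret …
          volumeMounts:
            - name: optima-keys
              mountPath: /run/secrets/optima-keys  # placeholder path
              readOnly: true
      volumes:
        - name: optima-keys
          secret:
            secretName: optima-keys-secret
```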
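Review bot: With `router.entrypoints: websecure` in kubernetes/ingress.yaml the router attaches only to the HTTPS entrypoint, so what a plain-HTTP client now receives (a redirect or a 404) depends on Traefik's static entrypoint configuration, which this manifest neither shows nor mentions. I would add a comment above the annotations such as `# HTTPS only; HTTP-to-HTTPS redirect is configured on the Traefik web entrypoint`, once that is confirmed to be the case. The `tls` block continues past the end of the hunk, so I cannot tell from here whether it lists `hosts` for `osdci-net-cert`.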
@@ -26,21 +26,23 @@ export const refreshTokenDuration = "30d"; const isProduction = process.env.NODE_ENV === "production"; +const readKeyFile = (path: string) => readFileSync(path).toString(); + export const accessTokenPrivateKey = isProduction ? process.env.ACCESS_TOKEN_PRIVATE_KEY! - : readFileSync(`.accessToken.key`).toString(); + : readKeyFile(`.accessToken.key`); export const refreshTokenPrivateKey = isProduction ? process.env.REFRESH_TOKEN_PRIVATE_KEY! - : readFileSync(`.refreshToken.key`).toString(); + : readKeyFile(`.refreshToken.key`); export const permissionsPrivateKey = isProduction ? process.env.PERMISSIONS_PRIVATE_KEY! - : readFileSync(`.permissions.key`).toString(); + : readKeyFile(`.permissions.key`); export const secureValuesPrivateKey = isProduction ? process.env.SECURE_VALUES_PRIVATE_KEY! - : readFileSync(`.secureValues.key`).toString(); + : readKeyFile(`.secureValues.key`); export const secureValuesPublicKey = isProduction ? process.env.SECURE_VALUES_PUBLIC_KEY! - : readFileSync(`public-keys/.secureValues.pub`).toString(); + : readKeyFile(`public-keys/.secureValues.pub`); // Microsoft Auth Constants const msalConfig: msal.Configuration = {
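Review bot: In production every key still comes from `process.env.X!`, and the non-null assertion only silences the compiler: if `optima-keys-secret` lacks a key or names it differently, the exported constant is `undefined` at runtime and the failure presumably surfaces later, at the first sign or verify call. A small `requireEnv` helper that throws at startup with the variable name (never the value) would make a mis-wired Secret fail the rollout immediately. Separately, the new `readKeyFile` would read more clearly with an explicit encoding, `readFileSync(path, "utf8")`, and a `: string` return type. The `msalConfig` declaration at the end of the hunk continues outside it.

```typescript
const requireEnv = (name: string): string => {
  const value = process.env[name];
  if (!value) throw new Error(`${name} is not set`);
  return value;
};

export const accessTokenPrivateKey = isProduction
  ? requireEnv("ACCESS_TOKEN_PRIVATE_KEY")
  : readKeyFile(`.accessToken.key`);
// … same pattern for the other four key constants …
```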