feat(sentinel): wire INTERNAL_BOOTSTRAP_SECRET + Discord login env

kubernetes/manifests/sentinel/core.yaml

@@ -67,6 +67,15 @@ spec:
             # group on each boot. Idempotent — safe to leave as-is.
             - name: ADMIN_ENTITY_IDS
               value: "ent_01kt38a23b9ya1w5x4t9dasd86"
+            # Shared secret each non-core service exchanges at startup
+            # for its pre-seeded bearer JWT. Same value as on every
+            # other sentinel-* deployment. Rotating it requires a
+            # rolling restart of every service so each can re-fetch.
+            - name: INTERNAL_BOOTSTRAP_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: sentinel-secrets
+                  key: INTERNAL_BOOTSTRAP_SECRET
 ---
 apiVersion: v1
 kind: Service

kubernetes/manifests/sentinel/discord.yaml

@@ -69,6 +69,13 @@ spec:
                 secretKeyRef:
                   name: sentinel-secrets
                   key: DISCORD_TOKEN
+            # Same value as on core; used at startup to exchange for
+            # this service's pre-seeded bearer JWT.
+            - name: INTERNAL_BOOTSTRAP_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: sentinel-secrets
+                  key: INTERNAL_BOOTSTRAP_SECRET
 ---
 apiVersion: v1
 kind: Service

kubernetes/manifests/sentinel/oauth.yaml

@@ -70,6 +70,31 @@ spec:
             # ID tokens have to be byte-identical for relying parties.
             - name: ISSUER
               value: https://sentinel-v5.gauchoracing.com
+            # Discord OAuth client config for the "Continue with Discord"
+            # login button. Client id/secret are the Discord application's
+            # credentials; the redirect URI must byte-match what the web
+            # client sends in its authorize call (and what's registered
+            # on the Discord application's OAuth2 settings).
+            - name: DISCORD_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: sentinel-secrets
+                  key: DISCORD_CLIENT_ID
+            - name: DISCORD_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: sentinel-secrets
+                  key: DISCORD_CLIENT_SECRET
+            - name: DISCORD_REDIRECT_URI
+              value: https://sentinel-v5.gauchoracing.com/auth/login/discord
+            # Shared secret exchanged at startup for this service's
+            # pre-seeded bearer JWT. Same value as every other
+            # sentinel-* deployment.
+            - name: INTERNAL_BOOTSTRAP_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: sentinel-secrets
+                  key: INTERNAL_BOOTSTRAP_SECRET
 ---
 apiVersion: v1
 kind: Service

kubernetes/manifests/sentinel/saml.yaml

@@ -79,6 +79,14 @@ spec:
             # registered service provider.
             - name: ISSUER
               value: https://sentinel-v5.gauchoracing.com
+            # Shared secret exchanged at startup for this service's
+            # pre-seeded bearer JWT. Same value as every other
+            # sentinel-* deployment.
+            - name: INTERNAL_BOOTSTRAP_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: sentinel-secrets
+                  key: INTERNAL_BOOTSTRAP_SECRET
 ---
 apiVersion: v1
 kind: Service