config: Enable AWS/rpm testing on staging

config/jobs.yaml

@@ -1591,6 +1591,7 @@ jobs:
       - 'stable'
       - 'stable-rc'
       - 'next'
+      - 'kernelci'
 
   blktests-ddp-x86:
     template: blktests-ddp.jinja2

doc/install.md

@@ -34,8 +34,23 @@ In the configuration file, you need to have the following section:
 ```
 [jwt]
 secret = "ABCDEFGH..."
+# Optional: shared HS256 key accepted as a fallback alongside `secret`.
+# Set to the same value used by kernelci-api (UNIFIED_SECRET),
+# kernelci-storage (unified_secret) and kcidb-restd-rs (UNIFIED_SECRET)
+# so a single token authenticates a user across all KernelCI services.
+# See UNIFIED_TOKEN.md in the kernelci-deploy repo for the full spec.
+#unified_secret = "ABCDEFGH..."
 ```
 
+Generate either secret with:
+```
+openssl rand -hex 32
+```
+
+The pipeline `lava-callback` validates incoming JWTs against `secret` first
+and falls back to `unified_secret` on signature failure (see
+`decode_jwt()` in `src/lava_callback.py`).
+
 ## Generating tokens for user
 
 You can use the `jwt_generator.py` script in the tools directory to generate user tokens.

kube/aks/kernelci-secrets.toml.example

@@ -25,6 +25,16 @@ origin = "kernelci_api"
 
 [timeout]
 
+# JWT secret used by lava-callback to validate incoming Pipeline API tokens.
+# `secret` is the legacy per-service key; `unified_secret` is the shared
+# HS256 key also installed on kernelci-api (UNIFIED_SECRET),
+# kernelci-storage (unified_secret) and kcidb-restd-rs (UNIFIED_SECRET).
+# Generate either with `openssl rand -hex 32`.  See UNIFIED_TOKEN.md in
+# the kernelci-deploy repo for the full spec.
+#[jwt]
+#secret = "REPLACE-WITH-PIPELINE-JWT-SECRET"
+#unified_secret = "REPLACE-WITH-UNIFIED-SECRET"
+
 [storage.staging]
 storage_cred = "/home/kernelci/data/ssh/id_rsa_tarball"