From ff3a361aa0ed682c0c819bb1c8eca546fe64e6ac Mon Sep 17 00:00:00 2001
From: phact
Date: Mon, 12 Jan 2026 14:12:36 -0500
Subject: [PATCH] pre generate keys in tui for rootless podman
---
docker-compose.yml | 2 +-
src/tui/main.py | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 52 insertions(+), 2 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 79826b3a..c99205a6 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -81,7 +81,7 @@ services:
 - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
 volumes:
 - ${OPENRAG_DOCUMENTS_PATH:-./openrag-documents}:/app/openrag-documents:Z
- - ${OPENRAG_KEYS_PATH:-./keys}:/app/keys:Z
+ - ${OPENRAG_KEYS_PATH:-./keys}:/app/keys:U,z
 - ${OPENRAG_FLOWS_PATH:-./flows}:/app/flows:U,z
 - ${OPENRAG_CONFIG_PATH:-./config}:/app/config:Z
 - ${OPENRAG_DATA_PATH:-./data}:/app/data:Z
diff --git a/src/tui/main.py b/src/tui/main.py
index cd498c6e..eb6765ef 100644
--- a/src/tui/main.py
+++ b/src/tui/main.py
@@ -1,5 +1,7 @@
 """Main TUI application for OpenRAG."""
+import os
+import subprocess
 import sys
 from pathlib import Path
 from typing import Iterable, Optional
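Review bot: The keys mount switches from the private SELinux label `Z` to the shared label `z`, so on an SELinux-enforcing host the directory that now holds the JWT signing private key becomes readable by any other container on the same host that runs with the shared content label, not just this service. The rootless-Podman ownership problem is addressed by `U`; the label change is independent of it, and `U,Z` should keep the chown fix without widening access to the private key (I believe the two options combine). If the shared label is deliberate because another service also mounts `./keys`, a short comment on the line saying so would stop the next reader from reverting it.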
@@ -683,6 +685,51 @@ def migrate_legacy_data_directories():
 logger.info("Data migration completed successfully")
+def generate_jwt_keys(keys_dir: Path):
+ """Generate RSA keys for JWT signing if they don't exist.
+
+ This pre-generates keys on the host so containers can read them,
+ avoiding permission issues with Podman rootless mode.
+ """
+ private_key_path = keys_dir / "private_key.pem"
+ public_key_path = keys_dir / "public_key.pem"
+
+ if private_key_path.exists() and public_key_path.exists():
+ logger.debug("JWT keys already exist")
+ return
+
+ try:
+ # Generate private key
+ subprocess.run(
+ ["openssl", "genrsa", "-out", str(private_key_path), "2048"],
+ check=True,
+ capture_output=True,
+ )
+ # Set restrictive permissions on private key (readable by owner only)
+ os.chmod(private_key_path, 0o600)
+
+ # Generate public key from private key
+ subprocess.run(
+ [
+ "openssl",
+ "rsa",
+ "-in", str(private_key_path),
+ "-pubout",
+ "-out", str(public_key_path),
+ ],
+ check=True,
+ capture_output=True,
+ )
+ # Set permissions on public key (readable by all)
+ os.chmod(public_key_path, 0o644)
+
+ logger.info("Generated RSA keys for JWT signing")
+ except FileNotFoundError:
+ logger.warning("openssl not found, skipping JWT key generation (will be generated in container)")
+ except subprocess.CalledProcessError as e:
+ logger.error(f"Failed to generate RSA keys: {e}")
+ + def setup_host_directories(): + """Initialize OpenRAG directory structure on the host.
@@ -703,11 +750,14 @@ def setup_host_directories():
 base_dir / "data",
 base_dir / "data" / "opensearch-data",
 ]
-
+
 for directory in directories:
 directory.mkdir(parents=True, exist_ok=True)
 logger.debug(f"Ensured directory exists: {directory}")
+ # Generate JWT keys on host to avoid container permission issues
+ generate_jwt_keys(base_dir / "keys")
+
 def run_tui():
 """Run the OpenRAG TUI application."""
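Review bot: The early return in `generate_jwt_keys` only fires when both PEM files exist, so when `public_key.pem` is missing (for example because the second `openssl` call failed on an earlier run) the next run re-executes `openssl genrsa -out` and silently overwrites an existing `private_key.pem`, invalidating every JWT signed with the old key. Each file should be generated only when it is missing, with the public key derived from whatever private key is already present; the rewrite below keeps the same commands and permission bits. Two smaller points in the same hunk: with `capture_output=True`, `str(e)` in the `CalledProcessError` handler carries only the command and exit status, so the openssl diagnostic in `e.stderr` never reaches the log (`logger.error("Failed to generate RSA keys: %s", e.stderr)` or similar); and `private_key.pem` exists with umask permissions for a moment before `os.chmod`, which is harmless if this openssl already creates private-key output mode 0600 (I believe recent releases do) but deserves a comment so nobody later loosens the umask assumption.
```python
    try:
        if not private_key_path.exists():
            # Generate private key
            subprocess.run(
                ["openssl", "genrsa", "-out", str(private_key_path), "2048"],
                check=True,
                capture_output=True,
            )
            # Set restrictive permissions on private key (readable by owner only)
            os.chmod(private_key_path, 0o600)

        if not public_key_path.exists():
            # Derive the public key from the private key that is now on disk,
            # whether it was just generated or already existed
            subprocess.run(
                # … unchanged: openssl rsa -pubout argument list …
                check=True,
                capture_output=True,
            )
            # Set permissions on public key (readable by all)
            os.chmod(public_key_path, 0o644)

        logger.info("Generated RSA keys for JWT signing")
    # … unchanged: except handlers …
```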