Mount signing JWKS volume to agent container

[petetomasik]

In v0.28.0-beta5 the changes introduced a bug where the SigningJWKSVolume is not mounted to the agent container, but the agent requires access to the JWKS file at startup for validation. This causes the following error in the agent container logs:

2025-11-06 20:23:43 FATAL  Signing JWKS failed validation: Failed to read job signing keyset: open /buildkite/signing-jwks/key: no such file or directory

This change additionally mounts the signing key volume to the agent container, similar to the existing verification key volume mount.

A workaround to this missing volume is to explicitly mount the signing key volume to the agent container by patching PodSpec when config.agent-config.signingJWKSVolume and config.agent-config.verificationJWKSVolume are correctly configured:

config:
...
  agent-config:
    signing-jwks-file: key
    signing-jwks-key-id: my-jwks-key
    signingJWKSVolume:
      name: buildkite-signing-jwks
      secret:
        secretName: my-signing-key
    verification-jwks-file: key
    verificationJWKSVolume:
      name: buildkite-verification-jwks
      secret:
        secretName: my-verification-key
  pod-spec-patch:
    containers:
    - name: agent
      volumeMounts:
      - name: buildkite-signing-jwks
        mountPath: /buildkite/signing-jwks

[DrJosh9000]

LGTM, thanks!