sso: fix mas encryption secret

2026-01-08 03:35:40 -03:00 · 2026-01-08 03:35:40 -03:00 · 072af083bc
commit 072af083bc
parent 39d8c9e687
1 changed files with 9 additions and 4 deletions
--- a/services/keycloak/mas-secrets-ensure-job.yaml
+++ b/services/keycloak/mas-secrets-ensure-job.yaml
@ -8,7 +8,7 @@ metadata:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: mas-secrets-ensure-8
+  name: mas-secrets-ensure-9
  namespace: sso
 spec:
  backoffLimit: 0
@ -64,7 +64,7 @@ spec:
              fi

              printf '%s' "$CLIENT_SECRET" > /work/keycloak_client_secret
-              openssl rand -base64 32 > /work/encryption
+              openssl rand -hex 32 > /work/encryption
              openssl rand -hex 32 > /work/matrix_shared_secret
              openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out /work/rsa_key >/dev/null 2>&1
              chmod 0644 /work/*
@ -89,14 +89,19 @@ spec:
          args:
            - |
              set -euo pipefail
+              current=""
              if kubectl -n comms get secret mas-secrets-runtime >/dev/null 2>&1; then
-                exit 0
+                current="$(kubectl -n comms get secret mas-secrets-runtime -o jsonpath='{.data.encryption}' | base64 -d 2>/dev/null || true)"
+                if printf '%s' "${current}" | grep -Eq '^[0-9a-fA-F]{64}$'; then
+                  exit 0
+                fi
              fi
              kubectl -n comms create secret generic mas-secrets-runtime \
                --from-file=encryption=/work/encryption \
                --from-file=matrix_shared_secret=/work/matrix_shared_secret \
                --from-file=keycloak_client_secret=/work/keycloak_client_secret \
-                --from-file=rsa_key=/work/rsa_key >/dev/null
+                --from-file=rsa_key=/work/rsa_key \
+                --dry-run=client -o yaml | kubectl -n comms apply -f - >/dev/null
          volumeMounts:
            - name: work
              mountPath: /work