keycloak: fix logs oauth2 cookie secret

2026-01-09 08:57:13 -03:00 · 2026-01-09 08:57:13 -03:00 · 7a9cf1df98
commit 7a9cf1df98
parent b9383c9709
1 changed files with 10 additions and 3 deletions
--- a/services/keycloak/logs-oidc-secret-ensure-job.yaml
+++ b/services/keycloak/logs-oidc-secret-ensure-job.yaml
@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: logs-oidc-secret-ensure-1
+  name: logs-oidc-secret-ensure-2
  namespace: sso
 spec:
  backoffLimit: 0
@ -74,10 +74,17 @@ spec:
              fi

              if kubectl -n logging get secret oauth2-proxy-logs-oidc >/dev/null 2>&1; then
-                exit 0
+                current_cookie="$(kubectl -n logging get secret oauth2-proxy-logs-oidc -o jsonpath='{.data.cookie_secret}' 2>/dev/null || true)"
+                if [ -n "${current_cookie}" ]; then
+                  decoded="$(printf '%s' "${current_cookie}" | base64 -d 2>/dev/null || true)"
+                  length="$(printf '%s' "${decoded}" | wc -c | tr -d ' ')"
+                  if [ "${length}" = "16" ] || [ "${length}" = "24" ] || [ "${length}" = "32" ]; then
+                    exit 0
+                  fi
+                fi
              fi

-              COOKIE_SECRET="$(openssl rand -base64 32 | tr -d '\n')"
+              COOKIE_SECRET="$(openssl rand -hex 16 | tr -d '\n')"
              kubectl -n logging create secret generic oauth2-proxy-logs-oidc \
                --from-literal=client_id="logs" \
                --from-literal=client_secret="${CLIENT_SECRET}" \