From 8d1284412fec7b987098aab5b6456c51af5b1983 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Thu, 8 Jan 2026 03:43:06 -0300
Subject: [PATCH] sso: validate mas encryption length
---
 services/keycloak/mas-secrets-ensure-job.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/services/keycloak/mas-secrets-ensure-job.yaml b/services/keycloak/mas-secrets-ensure-job.yaml
index 230473c..2ba6104 100644
--- a/services/keycloak/mas-secrets-ensure-job.yaml
+++ b/services/keycloak/mas-secrets-ensure-job.yaml
@@ -8,7 +8,7 @@ metadata:
 apiVersion: batch/v1
 kind: Job
 metadata:
- name: mas-secrets-ensure-10
+ name: mas-secrets-ensure-11
 namespace: sso
 spec:
 backoffLimit: 0
@@ -92,7 +92,8 @@ spec:
 current=""
 if kubectl -n comms get secret mas-secrets-runtime >/dev/null 2>&1; then
 current="$(kubectl -n comms get secret mas-secrets-runtime -o jsonpath='{.data.encryption}' | base64 -d 2>/dev/null || true)"
- if printf '%s' "${current}" | grep -Eq '^[0-9a-fA-F]{64}$'; then
+ current_len="$(printf '%s' "${current}" | wc -c | tr -d ' ')"
+ if [ "${current_len}" = "64" ] && printf '%s' "${current}" | grep -Eq '^[0-9a-fA-F]{64}$'; then
 exit 0
 fi
 fi
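Review bot: The added `current_len` test in the second hunk measures `${current}` only after command substitution has stripped trailing newlines, so a stored value of 64 hex characters followed by a newline still passes both checks and reaches `exit 0`. If the consumer reads the secret bytes verbatim, that is still a wrong-length key; taking the count from the decoded stream instead of the variable closes the gap, i.e. end the `kubectl … -o jsonpath='{.data.encryption}'` pipeline with `| base64 -d 2>/dev/null | wc -c | tr -d ' '` when assigning `current_len`. The script continues past the closing `fi` outside this hunk; if that path regenerates the key, a line such as `echo "existing encryption value failed validation (len=${current_len})" >&2` before it would make the rotation auditable without printing the secret.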