From d3c3db612d983eff30baf396ede6ffaee3eefa97 Mon Sep 17 00:00:00 2001
From: Brad Stein <Brad.Stein@gmail.com>
Date: Thu, 8 Jan 2026 03:44:54 -0300
Subject: [PATCH] sso: recheck mas encryption bytes

---
 services/keycloak/mas-secrets-ensure-job.yaml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/services/keycloak/mas-secrets-ensure-job.yaml b/services/keycloak/mas-secrets-ensure-job.yaml
index 2ba6104..b949e2e 100644
--- a/services/keycloak/mas-secrets-ensure-job.yaml
+++ b/services/keycloak/mas-secrets-ensure-job.yaml
@@ -8,7 +8,7 @@ metadata:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: mas-secrets-ensure-11
+  name: mas-secrets-ensure-12
   namespace: sso
 spec:
   backoffLimit: 0
@@ -89,11 +89,10 @@ spec:
           args:
             - |
               set -euo pipefail
-              current=""
               if kubectl -n comms get secret mas-secrets-runtime >/dev/null 2>&1; then
-                current="$(kubectl -n comms get secret mas-secrets-runtime -o jsonpath='{.data.encryption}' | base64 -d 2>/dev/null || true)"
-                current_len="$(printf '%s' "${current}" | wc -c | tr -d ' ')"
-                if [ "${current_len}" = "64" ] && printf '%s' "${current}" | grep -Eq '^[0-9a-fA-F]{64}$'; then
+                kubectl -n comms get secret mas-secrets-runtime -o jsonpath='{.data.encryption}' | base64 -d 2>/dev/null > /tmp/encryption.current || true
+                current_len="$(wc -c < /tmp/encryption.current | tr -d ' ')"
+                if [ "${current_len}" = "64" ] && grep -Eq '^[0-9a-fA-F]{64}$' /tmp/encryption.current; then
                   exit 0
                 fi
               fi