From 1fa6ff5eddc74fd2e5ef63d845ee1d668b48c960 Mon Sep 17 00:00:00 2001
From: Mayne0213
Date: Sat, 10 Jan 2026 03:09:28 +0900
Subject: [PATCH] FIX: Use sessionKeysFile for Zot OIDC session encryption

- Change from hashKeyFile/blockKeyFile inside sessionDriver to sessionKeysFile at auth config level
- Update ExternalSecret to generate session-keys.json with both hashKey and encryptKey in correct JSON format
- Fix securecookie validation error during OIDC callback
---
 zot/helm-values.yaml | 12 ++++--------
 zot/manifests/secret.yaml | 10 +++++++++-
 2 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/zot/helm-values.yaml b/zot/helm-values.yaml
index 9134e76..00e79ac 100644
--- a/zot/helm-values.yaml
+++ b/zot/helm-values.yaml
@@ -100,11 +100,8 @@ persistence:
 type: secret
 name: zot-session-keys
 globalMounts:
- - path: /etc/zot/session-hashkey
- subPath: hashKey
- readOnly: true
- - path: /etc/zot/session-blockkey
- subPath: blockKey
+ - path: /etc/zot/session-keys.json
+ subPath: session-keys.json
 readOnly: true

 configMaps:
@@ -146,12 +143,11 @@ configMaps:
 }
 }
 },
+ "sessionKeysFile": "/etc/zot/session-keys.json",
 "sessionDriver": {
 "name": "redis",
 "url": "redis://authelia-redis-master.authelia.svc.cluster.local:6379",
- "keyprefix": "zot",
- "hashKeyFile": "/etc/zot/session-hashkey",
- "blockKeyFile": "/etc/zot/session-blockkey"
+ "keyprefix": "zot"
 }
 }
 },
diff --git a/zot/manifests/secret.yaml b/zot/manifests/secret.yaml
index dd4549c..e90bab0 100644
--- a/zot/manifests/secret.yaml
+++ b/zot/manifests/secret.yaml
@@ -61,12 +61,20 @@ spec:
 target:
 name: zot-session-keys
 creationPolicy: Owner
+ template:
+ engineVersion: v2
+ data:
+ session-keys.json: |
+ {
+ "hashKey": "{{ .hashKey }}",
+ "encryptKey": "{{ .encryptKey }}"
+ }
 data:
 - secretKey: hashKey
 remoteRef:
 key: zot
 property: SESSION_HASH_KEY
- - secretKey: blockKey
+ - secretKey: encryptKey
 remoteRef:
 key: zot
 property: SESSION_BLOCK_KEY
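Review bot: The new `session-keys.json` entry is mounted with `subPath`, and Kubernetes does not propagate Secret updates into subPath mounts, so when the ExternalSecret refreshes the session keys the running zot pod keeps the old file until it is restarted. If rotation without a rollout is wanted, mount the Secret as a directory (`path: /etc/zot/session-keys` with no `subPath`) and point `sessionKeysFile` at `/etc/zot/session-keys/session-keys.json`; otherwise add `# subPath mount: rotated keys only take effect after a pod restart` above the mount so the next reader is not surprised. Whether this secret volume sets a restrictive `defaultMode` for the key file is outside the hunk and worth confirming.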
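Review bot: Nothing around the new `"sessionKeysFile"` line states or checks the key sizes the file must contain; if zot hands these straight to securecookie, as the commit message's mention of a securecookie validation error suggests, an encrypt key that is not 16, 24 or 32 bytes fails at cipher setup and a short hash key weakens the cookie HMAC. Since the JSON appears to live inside a ConfigMap string in the values file, the documentation has to go in the surrounding YAML, e.g. `# session-keys.json must hold a 32/64-byte hashKey and a 16/24/32-byte encryptKey (AES)` above the configMaps entry. The path does match the mount added in the persistence section, which is the consistency that matters most here. On the unchanged context line, the Redis URL carries no credentials or TLS, so anyone who can reach that shared instance can read the server-side session state no matter how well these keys are protected; that predates this change but deserves a follow-up.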
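Review bot: The template pastes `{{ .hashKey }}` and `{{ .encryptKey }}` between hand-written double quotes, so a value containing `"`, `\`, a newline or a non-UTF-8 byte yields invalid JSON that zot will either refuse or parse as a truncated key — and keys generated as raw random bytes are exactly that case. Let the engine escape the values instead: `"hashKey": {{ .hashKey | toJson }},` and `"encryptKey": {{ .encryptKey | toJson }}`; if `toJson` is not available in this engine version, store the keys in a JSON-safe encoding such as hex, provided that is the encoding zot's loader expects, which the hunk does not show. With a `template.data` block, ESO's `mergePolicy` (Replace unless overridden, if I recall the default correctly) means the rendered Secret holds only `session-keys.json` rather than the bare `hashKey`/`encryptKey` entries, which is the intended result but worth verifying with `kubectl get secret zot-session-keys -o jsonpath='{.data}'` after the first sync. A one-line comment above `template:` noting that the two `data` entries exist only as template inputs would make that intent explicit.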