FIX: Use sessionKeysFile for Zot OIDC session encryption

- Change from hashKeyFile/blockKeyFile inside sessionDriver to
  sessionKeysFile at auth config level
- Update ExternalSecret to generate session-keys.json with both
  hashKey and encryptKey in correct JSON format
- Fix securecookie validation error during OIDC callback

zot/helm-values.yaml

@@ -100,11 +100,8 @@ persistence:
     type: secret
     name: zot-session-keys
     globalMounts:
-    - path: /etc/zot/session-hashkey
+    - path: /etc/zot/session-keys.json
-      subPath: hashKey
+      subPath: session-keys.json
-      readOnly: true
-    - path: /etc/zot/session-blockkey
-      subPath: blockKey
       readOnly: true
 
 configMaps:
@@ -146,12 +143,11 @@ configMaps:
                   }
                 }
               },
+              "sessionKeysFile": "/etc/zot/session-keys.json",
               "sessionDriver": {
                 "name": "redis",
                 "url": "redis://authelia-redis-master.authelia.svc.cluster.local:6379",
-                "keyprefix": "zot",
+                "keyprefix": "zot"
-                "hashKeyFile": "/etc/zot/session-hashkey",
-                "blockKeyFile": "/etc/zot/session-blockkey"
               }
             }
           },

zot/manifests/secret.yaml

@@ -61,12 +61,20 @@ spec:
   target:
     name: zot-session-keys
     creationPolicy: Owner
+    template:
+      engineVersion: v2
+      data:
+        session-keys.json: |
+          {
+            "hashKey": "{{ .hashKey }}",
+            "encryptKey": "{{ .encryptKey }}"
+          }
   data:
   - secretKey: hashKey
     remoteRef:
       key: zot
       property: SESSION_HASH_KEY
-  - secretKey: blockKey
+  - secretKey: encryptKey
     remoteRef:
       key: zot
       property: SESSION_BLOCK_KEY