FIX(zot): add session keys for consistent cookie handling

- Add ExternalSecret for session hashKey and blockKey
- Mount session keys from Vault
- Configure sessionDriver with key files
- Fix securecookie validation error in multi-replica setup

zot/helm-values.yaml

@@ -96,6 +96,16 @@ persistence:
     - path: /etc/zot/oidc-credentials.json
       subPath: credentials.json
       readOnly: true
+  session-keys:
+    type: secret
+    name: zot-session-keys
+    globalMounts:
+    - path: /etc/zot/session-hashkey
+      subPath: hashKey
+      readOnly: true
+    - path: /etc/zot/session-blockkey
+      subPath: blockKey
+      readOnly: true
 
 configMaps:
   config:
@@ -139,7 +149,9 @@ configMaps:
               "sessionDriver": {
                 "name": "redis",
                 "url": "redis://authelia-redis-master.authelia.svc.cluster.local:6379",
-                "keyprefix": "zot"
+                "keyprefix": "zot",
+                "hashKeyFile": "/etc/zot/session-hashkey",
+                "blockKeyFile": "/etc/zot/session-blockkey"
               }
             }
           },

zot/manifests/secret.yaml

@@ -47,3 +47,26 @@ spec:
     remoteRef:
       key: zot
       property: OIDC_CLIENT_SECRET
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: zot-session-secret
+  namespace: zot
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault-backend
+  target:
+    name: zot-session-keys
+    creationPolicy: Owner
+  data:
+  - secretKey: hashKey
+    remoteRef:
+      key: zot
+      property: SESSION_HASH_KEY
+  - secretKey: blockKey
+    remoteRef:
+      key: zot
+      property: SESSION_BLOCK_KEY