FIX(zot): add session keys for consistent cookie handling

- Add ExternalSecret for session hashKey and blockKey - Mount session keys from Vault - Configure sessionDriver with key files - Fix securecookie validation error in multi-replica setup
2026-01-10 03:00:53 +09:00
parent e1850865fb
commit b7eb527782
2 changed files with 36 additions and 1 deletions
--- a/zot/helm-values.yaml
+++ b/zot/helm-values.yaml
@@ -96,6 +96,16 @@ persistence:
    - path: /etc/zot/oidc-credentials.json
      subPath: credentials.json
      readOnly: true
+  session-keys:
+    type: secret
+    name: zot-session-keys
+    globalMounts:
+    - path: /etc/zot/session-hashkey
+      subPath: hashKey
+      readOnly: true
+    - path: /etc/zot/session-blockkey
+      subPath: blockKey
+      readOnly: true

 configMaps:
  config:
@@ -139,7 +149,9 @@ configMaps:
              "sessionDriver": {
                "name": "redis",
                "url": "redis://authelia-redis-master.authelia.svc.cluster.local:6379",
-                "keyprefix": "zot"
+                "keyprefix": "zot",
+                "hashKeyFile": "/etc/zot/session-hashkey",
+                "blockKeyFile": "/etc/zot/session-blockkey"
              }
            }
          },
--- a/zot/manifests/secret.yaml
+++ b/zot/manifests/secret.yaml
@@ -47,3 +47,26 @@ spec:
    remoteRef:
      key: zot
      property: OIDC_CLIENT_SECRET
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: zot-session-secret
+  namespace: zot
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault-backend
+  target:
+    name: zot-session-keys
+    creationPolicy: Owner
+  data:
+  - secretKey: hashKey
+    remoteRef:
+      key: zot
+      property: SESSION_HASH_KEY
+  - secretKey: blockKey
+    remoteRef:
+      key: zot
+      property: SESSION_BLOCK_KEY