From d43b8fdab02841ccc3d69aa72dff45e9770e486e Mon Sep 17 00:00:00 2001
From: Andrei Kvapil
Date: Wed, 4 Dec 2024 19:40:37 +0100
Subject: [PATCH] fix keycloak secrets drift (#508)

## Summary by CodeRabbit ## Summary by CodeRabbit - **New Features** - Enhanced management of Keycloak credentials by checking for existing passwords stored in Kubernetes Secrets. - Improved password management logic, allowing for the reuse of existing passwords or the generation of new ones as needed. - **Bug Fixes** - Streamlined secret handling to avoid unnecessary random password generation, improving security and maintainability.
Co-authored-by: Floppy Disk
---
 packages/system/keycloak/templates/sts.yaml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/packages/system/keycloak/templates/sts.yaml b/packages/system/keycloak/templates/sts.yaml
index 42d88dc8..d91b56cf 100644
--- a/packages/system/keycloak/templates/sts.yaml
+++ b/packages/system/keycloak/templates/sts.yaml
@@ -1,6 +1,11 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 {{- $host := index $cozyConfig.data "root-host" }}
+
+{{- $existingPassword := lookup "v1" "Secret" "cozy-keycloak" "{{ .Release.Name }}-credentials" }}
 {{- $password := randAlphaNum 16 -}}
+{{- if $existingPassword }}
+ {{- $password = index $existingPassword.data "password" | b64dec }}
+{{- end }}
 apiVersion: v1
 kind: Secret
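Review bot: The Secret name passed to `lookup` on the added `$existingPassword` line is the quoted literal `"{{ .Release.Name }}-credentials"`, and Go templates do not expand an action nested inside a string, so the lookup asks for a Secret whose name contains the braces verbatim. Such a name cannot exist, which would leave `$existingPassword` empty and `randAlphaNum 16` in effect on every render, so the stored credential would keep drifting from the one Keycloak was initialised with. Build the name instead, e.g. `{{- $existingPassword := lookup "v1" "Secret" "cozy-keycloak" (printf "%s-credentials" .Release.Name) }}`. The namespace is also hard-coded where `.Release.Namespace` may be intended, and `index $existingPassword.data "password"` assumes the key is present. The Secret manifest continues outside the hunk, so its actual name should be confirmed against it.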