From f51befff179d9618be8b37f9ec134e0848fedd70 Mon Sep 17 00:00:00 2001
From: Kochetkov S <kochetkov.s@sarex.io>
Date: Wed, 15 Apr 2026 15:13:52 +0300
Subject: [PATCH] fix

---
 clusters/yc-k8s-test/infrastructure/patches/kafka.yaml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/clusters/yc-k8s-test/infrastructure/patches/kafka.yaml b/clusters/yc-k8s-test/infrastructure/patches/kafka.yaml
index f797136..16a3925 100644
--- a/clusters/yc-k8s-test/infrastructure/patches/kafka.yaml
+++ b/clusters/yc-k8s-test/infrastructure/patches/kafka.yaml
@@ -10,6 +10,7 @@ spec:
     defaultInitContainers:
       prepareConfig:
         extraInit: |
+          set -euxo pipefail
           perl -0pi -e 's/password="\s*([^"\n]+)"/password="$1"/g' /config/server.properties
           perl -0pi -e 's/user_controller_user="\s*([^"\n]+)"/user_controller_user="$1"/g' /config/server.properties
           perl -0pi -e 's/user_inter_broker_user="\s*([^"\n]+)"/user_inter_broker_user="$1"/g' /config/server.properties
@@ -21,6 +22,14 @@ spec:
 
           openssl pkcs8 -topk8 -nocrypt -in /mounted-certs/tls.key -out /tmp/tls.key.pk8
 
+          # Валидация: key должен читаться
+          openssl pkey -in /tmp/tls.key.pk8 -text -noout >/dev/null
+
+          # Валидация: cert и key должны совпадать
+          openssl pkey -in /tmp/tls.key.pk8 -pubout -out /tmp/key.pub
+          openssl x509 -in /mounted-certs/tls.crt -pubkey -noout > /tmp/cert.pub
+          diff -u /tmp/key.pub /tmp/cert.pub >/dev/null
+
           {
             printf '\nssl.keystore.key='
             awk '{ sub(/\r$/, ""); printf "%s\\\\n", $0 }' /tmp/tls.key.pk8