From 268a1d9449da0740fd7908a9ba4770d09d64ac34 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Sat, 17 Jan 2026 03:29:36 -0300
Subject: [PATCH] sso: retry mas secret lookup
---
 services/keycloak/mas-secrets-ensure-job.yaml | 27 +++++++++++++++----
 1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/services/keycloak/mas-secrets-ensure-job.yaml b/services/keycloak/mas-secrets-ensure-job.yaml
index f5679cb..24c9e04 100644
--- a/services/keycloak/mas-secrets-ensure-job.yaml
+++ b/services/keycloak/mas-secrets-ensure-job.yaml
@@ -10,7 +10,7 @@ imagePullSecrets:
 apiVersion: batch/v1
 kind: Job
 metadata:
- name: mas-secrets-ensure-20
+ name: mas-secrets-ensure-21
 namespace: sso
 spec:
 backoffLimit: 0
@@ -75,14 +75,31 @@ spec:
 echo "Failed to fetch Keycloak admin token" >&2
 exit 1
 fi
- CLIENT_ID="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
- "$KC_URL/admin/realms/atlas/clients?clientId=othrys-mas" | jq -r '.[0].id' 2>/dev/null || true)"
+ CLIENT_ID=""
+ for attempt in 1 2 3 4 5; do
+ CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+ "$KC_URL/admin/realms/atlas/clients?clientId=othrys-mas" || true)"
+ CLIENT_ID="$(echo "$CLIENT_QUERY" | jq -r '.[0].id' 2>/dev/null || true)"
+ if [ -n "$CLIENT_ID" ] && [ "$CLIENT_ID" != "null" ]; then
+ break
+ fi
+ echo "Keycloak client lookup failed (attempt ${attempt})" >&2
+ sleep $((attempt * 2))
+ done
 if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
 echo "Keycloak client othrys-mas not found" >&2
 exit 1
 fi
- CLIENT_SECRET="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
- "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/client-secret" | jq -r '.value' 2>/dev/null || true)"
+ CLIENT_SECRET=""
+ for attempt in 1 2 3 4 5; do
+ CLIENT_SECRET="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+ "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/client-secret" | jq -r '.value' 2>/dev/null || true)"
+ if [ -n "$CLIENT_SECRET" ] && [ "$CLIENT_SECRET" != "null" ]; then
+ break
+ fi
+ echo "Keycloak client secret lookup failed (attempt ${attempt})" >&2
+ sleep $((attempt * 2))
+ done
 if [ -z "$CLIENT_SECRET" ] || [ "$CLIENT_SECRET" = "null" ]; then
 echo "Keycloak client secret not found" >&2
 exit 1
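Review bot: Both retry loops treat every failure the same way, so an HTTP 401/403 from Keycloak is retried five times with the same `ACCESS_TOKEN` and logged only as "lookup failed". curl is called without `--fail` and jq's stderr goes to `/dev/null`, so the job log never shows the status code; adding `--fail` to both calls (`curl -sS --fail -H "Authorization: Bearer ${ACCESS_TOKEN}" \`) makes curl report the HTTP error on stderr without printing the response body, which for the `client-secret` endpoint contains the secret. The token is fetched once above this hunk and each loop can sleep up to 30 seconds, so if the admin token is short-lived the later attempts may fail on expiry rather than on the transient error being retried; re-fetching the token on an auth failure would cover that. The second loop also still pipes curl straight into jq while the first captures `CLIENT_QUERY` separately, and both sleep once more after the fifth attempt before giving up. The enclosing script starts and ends outside the hunk.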