From 2aea7e36018d5e749f21c0adb114c92a93634864 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Thu, 8 Jan 2026 02:12:40 -0300
Subject: [PATCH] keycloak: retry MAS secret bootstrap

---
 services/keycloak/mas-secrets-ensure-job.yaml | 30 +++++++++++--------
 1 file changed, 18 insertions(+), 12 deletions(-)

diff --git a/services/keycloak/mas-secrets-ensure-job.yaml b/services/keycloak/mas-secrets-ensure-job.yaml
index 7a6972a..99725c3 100644
--- a/services/keycloak/mas-secrets-ensure-job.yaml
+++ b/services/keycloak/mas-secrets-ensure-job.yaml
@@ -8,7 +8,7 @@ metadata:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: mas-secrets-ensure-1
+  name: mas-secrets-ensure-2
   namespace: sso
 spec:
   backoffLimit: 2
@@ -30,27 +30,33 @@ spec:
             apk add --no-cache curl openssl jq >/dev/null
             KC_URL="http://keycloak.sso.svc.cluster.local"
-            TOKEN_JSON="$(curl -sS -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \
-              -H 'Content-Type: application/x-www-form-urlencoded' \
-              -d "grant_type=password" \
-              -d "client_id=admin-cli" \
-              -d "username=${KEYCLOAK_ADMIN}" \
-              -d "password=${KEYCLOAK_ADMIN_PASSWORD}")"
-            ACCESS_TOKEN="$(echo "$TOKEN_JSON" | jq -r '.access_token')"
+            ACCESS_TOKEN=""
+            for attempt in 1 2 3 4 5; do
+              TOKEN_JSON="$(curl -sS -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \
+                -H 'Content-Type: application/x-www-form-urlencoded' \
+                -d "grant_type=password" \
+                -d "client_id=admin-cli" \
+                -d "username=${KEYCLOAK_ADMIN}" \
+                -d "password=${KEYCLOAK_ADMIN_PASSWORD}" || true)"
+              ACCESS_TOKEN="$(echo "$TOKEN_JSON" | jq -r '.access_token' 2>/dev/null || true)"
+              if [ -n "$ACCESS_TOKEN" ] && [ "$ACCESS_TOKEN" != "null" ]; then
+                break
+              fi
+              echo "Keycloak token request failed (attempt ${attempt})" >&2
+              sleep $((attempt * 2))
+            done
             if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
               echo "Failed to fetch Keycloak admin token" >&2
               exit 1
             fi
-            CLIENT_ID="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
-              "$KC_URL/admin/realms/atlas/clients?clientId=othrys-mas" | jq -r '.[0].id')"
+              "$KC_URL/admin/realms/atlas/clients?clientId=othrys-mas" | jq -r '.[0].id' 2>/dev/null || true)"
             if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
               echo "Keycloak client othrys-mas not found" >&2
               exit 1
             fi
-            CLIENT_SECRET="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
-              "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/client-secret" | jq -r '.value')"
+              "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/client-secret" | jq -r '.value' 2>/dev/null || true)"
             if [ -z "$CLIENT_SECRET" ] || [ "$CLIENT_SECRET" = "null" ]; then
               echo "Keycloak client secret not found" >&2
               exit 1