sso: harden keycloak jobs and rerun
This commit is contained in:
parent
1b4f46bb41
commit
33e35193fb
@ -2,7 +2,7 @@
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: keycloak-realm-settings-29
|
||||
name: keycloak-realm-settings-30
|
||||
namespace: sso
|
||||
spec:
|
||||
backoffLimit: 0
|
||||
@ -78,6 +78,7 @@ spec:
|
||||
python - <<'PY'
|
||||
import json
|
||||
import os
|
||||
import time
|
||||
import urllib.parse
|
||||
import urllib.error
|
||||
import urllib.request
|
||||
@ -117,18 +118,27 @@ spec:
|
||||
"password": admin_password,
|
||||
}
|
||||
).encode()
|
||||
token_req = urllib.request.Request(
|
||||
f"{base_url}/realms/master/protocol/openid-connect/token",
|
||||
data=token_data,
|
||||
headers={"Content-Type": "application/x-www-form-urlencoded"},
|
||||
method="POST",
|
||||
)
|
||||
try:
|
||||
with urllib.request.urlopen(token_req, timeout=10) as resp:
|
||||
token_body = json.loads(resp.read().decode())
|
||||
except urllib.error.HTTPError as exc:
|
||||
body = exc.read().decode(errors="replace")
|
||||
raise SystemExit(f"Token request failed: status={exc.code} body={body}")
|
||||
token_body = None
|
||||
for attempt in range(1, 11):
|
||||
token_req = urllib.request.Request(
|
||||
f"{base_url}/realms/master/protocol/openid-connect/token",
|
||||
data=token_data,
|
||||
headers={"Content-Type": "application/x-www-form-urlencoded"},
|
||||
method="POST",
|
||||
)
|
||||
try:
|
||||
with urllib.request.urlopen(token_req, timeout=10) as resp:
|
||||
token_body = json.loads(resp.read().decode())
|
||||
break
|
||||
except urllib.error.HTTPError as exc:
|
||||
body = exc.read().decode(errors="replace")
|
||||
raise SystemExit(f"Token request failed: status={exc.code} body={body}")
|
||||
except urllib.error.URLError as exc:
|
||||
if attempt == 10:
|
||||
raise SystemExit(f"Token request failed after retries: {exc}")
|
||||
time.sleep(attempt * 2)
|
||||
if not token_body:
|
||||
raise SystemExit("Token request failed without response")
|
||||
access_token = token_body["access_token"]
|
||||
|
||||
# Update realm settings safely by fetching the full realm representation first.
|
||||
|
||||
@ -5,6 +5,13 @@ set -euo pipefail
|
||||
|
||||
KC_URL="http://keycloak.sso.svc.cluster.local"
|
||||
ACCESS_TOKEN=""
|
||||
for attempt in 1 2 3 4 5 6 7 8 9 10; do
|
||||
if curl -fsS "${KC_URL}/realms/master" >/dev/null 2>&1; then
|
||||
break
|
||||
fi
|
||||
echo "Waiting for Keycloak to be reachable (attempt ${attempt})" >&2
|
||||
sleep $((attempt * 2))
|
||||
done
|
||||
for attempt in 1 2 3 4 5; do
|
||||
TOKEN_JSON="$(curl -sS -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \
|
||||
-H 'Content-Type: application/x-www-form-urlencoded' \
|
||||
@ -35,7 +42,7 @@ if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
|
||||
-H 'Content-Type: application/json' \
|
||||
-d "${create_payload}" \
|
||||
"$KC_URL/admin/realms/atlas/clients")"
|
||||
if [ "$status" != "201" ] && [ "$status" != "204" ]; then
|
||||
if [ "$status" != "201" ] && [ "$status" != "204" ] && [ "$status" != "409" ]; then
|
||||
echo "Keycloak client create failed (status ${status})" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: vault-oidc-secret-ensure-7
|
||||
name: vault-oidc-secret-ensure-8
|
||||
namespace: sso
|
||||
spec:
|
||||
backoffLimit: 0
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user