diff --git a/services/keycloak/realm-settings-job.yaml b/services/keycloak/realm-settings-job.yaml index 2eb6771..483bc0c 100644 --- a/services/keycloak/realm-settings-job.yaml +++ b/services/keycloak/realm-settings-job.yaml @@ -2,7 +2,7 @@ apiVersion: batch/v1 kind: Job metadata: - name: keycloak-realm-settings-29 + name: keycloak-realm-settings-30 namespace: sso spec: backoffLimit: 0 @@ -78,6 +78,7 @@ spec: python - <<'PY' import json import os + import time import urllib.parse import urllib.error import urllib.request @@ -117,18 +118,27 @@ spec: "password": admin_password, } ).encode() - token_req = urllib.request.Request( - f"{base_url}/realms/master/protocol/openid-connect/token", - data=token_data, - headers={"Content-Type": "application/x-www-form-urlencoded"}, - method="POST", - ) - try: - with urllib.request.urlopen(token_req, timeout=10) as resp: - token_body = json.loads(resp.read().decode()) - except urllib.error.HTTPError as exc: - body = exc.read().decode(errors="replace") - raise SystemExit(f"Token request failed: status={exc.code} body={body}") + token_body = None + for attempt in range(1, 11): + token_req = urllib.request.Request( + f"{base_url}/realms/master/protocol/openid-connect/token", + data=token_data, + headers={"Content-Type": "application/x-www-form-urlencoded"}, + method="POST", + ) + try: + with urllib.request.urlopen(token_req, timeout=10) as resp: + token_body = json.loads(resp.read().decode()) + break + except urllib.error.HTTPError as exc: + body = exc.read().decode(errors="replace") + raise SystemExit(f"Token request failed: status={exc.code} body={body}") + except urllib.error.URLError as exc: + if attempt == 10: + raise SystemExit(f"Token request failed after retries: {exc}") + time.sleep(attempt * 2) + if not token_body: + raise SystemExit("Token request failed without response") access_token = token_body["access_token"] # Update realm settings safely by fetching the full realm representation first. 
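Review bot: Only `urllib.error.URLError` is retried in the new loop; an `HTTPError` still aborts on the first attempt, so a 502/503 from an ingress or from Keycloak while it is still starting defeats the retry this hunk was added for, while a 400/401 for bad admin credentials rightly must not be retried. Gate the abort on the status class: in the `HTTPError` branch use `if exc.code < 500 or attempt == 10: raise SystemExit(f"Token request failed: status={exc.code} body={body}")` and otherwise `time.sleep(attempt * 2)` as the `URLError` branch does. Echoing `body` into the job log is acceptable here because the token endpoint's error body is a short JSON error object and does not contain the submitted password. The `for`/`break` followed by the trailing `if not token_body` check could also be expressed as a `for ... else:` clause. The heredoc script this loop belongs to starts before and ends after the hunk.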
diff --git a/services/keycloak/scripts/vault_oidc_secret_ensure.sh b/services/keycloak/scripts/vault_oidc_secret_ensure.sh index e8cfe5b..a951cfa 100755 --- a/services/keycloak/scripts/vault_oidc_secret_ensure.sh +++ b/services/keycloak/scripts/vault_oidc_secret_ensure.sh @@ -5,6 +5,13 @@ set -euo pipefail KC_URL="http://keycloak.sso.svc.cluster.local" ACCESS_TOKEN="" +for attempt in 1 2 3 4 5 6 7 8 9 10; do + if curl -fsS "${KC_URL}/realms/master" >/dev/null 2>&1; then + break + fi + echo "Waiting for Keycloak to be reachable (attempt ${attempt})" >&2 + sleep $((attempt * 2)) +done for attempt in 1 2 3 4 5; do TOKEN_JSON="$(curl -sS -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \ -H 'Content-Type: application/x-www-form-urlencoded' \ @@ -35,7 +42,7 @@ if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then -H 'Content-Type: application/json' \ -d "${create_payload}" \ "$KC_URL/admin/realms/atlas/clients")" - if [ "$status" != "201" ] && [ "$status" != "204" ]; then + if [ "$status" != "201" ] && [ "$status" != "204" ] && [ "$status" != "409" ]; then echo "Keycloak client create failed (status ${status})" >&2 exit 1 fi diff --git a/services/keycloak/vault-oidc-secret-ensure-job.yaml b/services/keycloak/vault-oidc-secret-ensure-job.yaml index 3bd29c2..3aa3ca5 100644 --- a/services/keycloak/vault-oidc-secret-ensure-job.yaml +++ b/services/keycloak/vault-oidc-secret-ensure-job.yaml @@ -2,7 +2,7 @@ apiVersion: batch/v1 kind: Job metadata: - name: vault-oidc-secret-ensure-7 + name: vault-oidc-secret-ensure-8 namespace: sso spec: backoffLimit: 0
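Review bot: The new readiness probe `curl -fsS "${KC_URL}/realms/master"` has no time limit, so a Keycloak pod that accepts the TCP connection but does not yet answer (typical while the server is booting behind a Service) stalls the job on attempt 1 instead of cycling through the ten attempts; add `--max-time 5` (or `--connect-timeout 5 --max-time 10`) to the probe. The loop also falls through silently after the tenth failure and leaves the token loop below to surface the error; either `exit 1` after `done` when the probe never succeeded, or a line like `echo "Keycloak still unreachable, proceeding to token request" >&2`, would make that behaviour deliberate. Both the probe and the token request go over plain `http://` inside the cluster; that predates this change, but it means whatever credentials the token loop posts travel in clear text between pods unless a mesh encrypts the hop.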
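Review bot: Accepting 409 on the create call leaves the script in an inconsistent state: this branch runs only because the lookup above found no client (`CLIENT_ID` empty or `null`), yet 409 means Keycloak already has a client with that clientId, so unless the code after this hunk re-queries, `CLIENT_ID` stays empty for the steps that follow. More importantly, on 409 nothing in `create_payload` is applied, so an existing client with a different configuration (redirect URIs, public vs confidential, enabled flows) is silently accepted as the Vault OIDC client. On 409, re-fetch the client's internal id via `GET $KC_URL/admin/realms/atlas/clients?clientId=…` with the existing `ACCESS_TOKEN` and then PUT the intended representation, so the job reconciles the client rather than assuming it matches. The `if` block enclosing this check starts before the hunk.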