sso: harden keycloak jobs and rerun

services/keycloak/realm-settings-job.yaml

@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: keycloak-realm-settings-29
+  name: keycloak-realm-settings-30
   namespace: sso
 spec:
   backoffLimit: 0
@@ -78,6 +78,7 @@ spec:
               python - <<'PY'
               import json
               import os
+              import time
               import urllib.parse
               import urllib.error
               import urllib.request
@@ -117,18 +118,27 @@ spec:
                       "password": admin_password,
                   }
               ).encode()
-              token_req = urllib.request.Request(
+              token_body = None
-                  f"{base_url}/realms/master/protocol/openid-connect/token",
+              for attempt in range(1, 11):
-                  data=token_data,
+                  token_req = urllib.request.Request(
-                  headers={"Content-Type": "application/x-www-form-urlencoded"},
+                      f"{base_url}/realms/master/protocol/openid-connect/token",
-                  method="POST",
+                      data=token_data,
-              )
+                      headers={"Content-Type": "application/x-www-form-urlencoded"},
-              try:
+                      method="POST",
-                  with urllib.request.urlopen(token_req, timeout=10) as resp:
+                  )
-                      token_body = json.loads(resp.read().decode())
+                  try:
-              except urllib.error.HTTPError as exc:
+                      with urllib.request.urlopen(token_req, timeout=10) as resp:
-                  body = exc.read().decode(errors="replace")
+                          token_body = json.loads(resp.read().decode())
-                  raise SystemExit(f"Token request failed: status={exc.code} body={body}")
+                          break
+                  except urllib.error.HTTPError as exc:
+                      body = exc.read().decode(errors="replace")
+                      raise SystemExit(f"Token request failed: status={exc.code} body={body}")
+                  except urllib.error.URLError as exc:
+                      if attempt == 10:
+                          raise SystemExit(f"Token request failed after retries: {exc}")
+                      time.sleep(attempt * 2)
+              if not token_body:
+                  raise SystemExit("Token request failed without response")
               access_token = token_body["access_token"]
 
               # Update realm settings safely by fetching the full realm representation first.

services/keycloak/scripts/vault_oidc_secret_ensure.sh

@@ -5,6 +5,13 @@ set -euo pipefail
 
 KC_URL="http://keycloak.sso.svc.cluster.local"
 ACCESS_TOKEN=""
+for attempt in 1 2 3 4 5 6 7 8 9 10; do
+  if curl -fsS "${KC_URL}/realms/master" >/dev/null 2>&1; then
+    break
+  fi
+  echo "Waiting for Keycloak to be reachable (attempt ${attempt})" >&2
+  sleep $((attempt * 2))
+done
 for attempt in 1 2 3 4 5; do
   TOKEN_JSON="$(curl -sS -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \
     -H 'Content-Type: application/x-www-form-urlencoded' \
@@ -35,7 +42,7 @@ if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
     -H 'Content-Type: application/json' \
     -d "${create_payload}" \
     "$KC_URL/admin/realms/atlas/clients")"
-  if [ "$status" != "201" ] && [ "$status" != "204" ]; then
+  if [ "$status" != "201" ] && [ "$status" != "204" ] && [ "$status" != "409" ]; then
     echo "Keycloak client create failed (status ${status})" >&2
     exit 1
   fi

services/keycloak/vault-oidc-secret-ensure-job.yaml

@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: vault-oidc-secret-ensure-7
+  name: vault-oidc-secret-ensure-8
   namespace: sso
 spec:
   backoffLimit: 0