keycloak: make token exchange permissions job idempotent

services/keycloak/portal-e2e-token-exchange-permissions-job.yaml

@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: keycloak-portal-e2e-token-exchange-permissions-3
+  name: keycloak-portal-e2e-token-exchange-permissions-4
   namespace: sso
 spec:
   backoffLimit: 6
@@ -189,9 +189,23 @@ spec:
                       token,
                       create_rep,
                   )
-                  if status != 201 or not isinstance(created, dict) or not created.get("id"):
-                      raise SystemExit(f"Failed creating policy {policy_name!r} (status={status}) resp={created}")
-                  policy = created
+                  if status == 409:
+                      status, policies = http_json(
+                          "GET",
+                          f"{base_url}/admin/realms/{realm}/clients/{rm_uuid}/authz/resource-server/policy/search?name={urllib.parse.quote(policy_name)}&fields=id,name,type,config",
+                          token,
+                      )
+                      if status == 200 and isinstance(policies, list):
+                          for item in policies:
+                              if isinstance(item, dict) and item.get("name") == policy_name:
+                                  policy = item
+                                  break
+                      if policy is None:
+                          raise SystemExit(f"Policy {policy_name!r} exists but could not be retrieved")
+                  else:
+                      if status != 201 or not isinstance(created, dict) or not created.get("id"):
+                          raise SystemExit(f"Failed creating policy {policy_name!r} (status={status}) resp={created}")
+                      policy = created
 
               policy_id = policy.get("id")
               if not isinstance(policy_id, str) or not policy_id: