From 6a40f4093215d165c914d7fed9935a86bdcc3151 Mon Sep 17 00:00:00 2001
From: jenkins
Date: Tue, 9 Jun 2026 01:26:22 -0300
Subject: [PATCH] keycloak: make veles realm job idempotent
---
 services/keycloak/oneoffs/veles-realm-ensure-job.yaml | 5 +++--
 services/veles/NOTES.md | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/services/keycloak/oneoffs/veles-realm-ensure-job.yaml b/services/keycloak/oneoffs/veles-realm-ensure-job.yaml
index 2b27db42..a415c882 100644
--- a/services/keycloak/oneoffs/veles-realm-ensure-job.yaml
+++ b/services/keycloak/oneoffs/veles-realm-ensure-job.yaml
@@ -1,11 +1,11 @@
 # services/keycloak/oneoffs/veles-realm-ensure-job.yaml
-# One-off job for sso/veles-realm-ensure-2.
+# One-off job for sso/veles-realm-ensure-3.
 # Purpose: create the Veles realm, groups, OIDC client, SMTP settings, and Vault client secret.
 # Keep suspended until Veles Vault paths/policies have reconciled, then unsuspend once.
 apiVersion: batch/v1
 kind: Job
 metadata:
- name: veles-realm-ensure-2
+ name: veles-realm-ensure-3
 namespace: sso
 spec:
 suspend: true
@@ -273,6 +273,7 @@ spec:
 raise SystemExit(f"Mapper lookup failed: status={status}")
 mapper_id = next((mapper.get("id") for mapper in mappers or [] if mapper.get("name") == "groups"), None)
 if mapper_id:
+ mapper_payload["id"] = mapper_id
 status, body = request(
 "PUT",
 f"{base_url}/admin/realms/{realm}/clients/{client_uuid}/protocol-mappers/models/{mapper_id}",
diff --git a/services/veles/NOTES.md b/services/veles/NOTES.md
index 1a2e16cf..902964c7 100644
--- a/services/veles/NOTES.md
+++ b/services/veles/NOTES.md
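Review bot: The added `mapper_payload["id"] = mapper_id` line in the `-273,6 +273,7` hunk of veles-realm-ensure-job.yaml has no comment explaining why the request body must repeat the id that is already in the PUT URL, so a later cleanup could remove it and bring back the failing re-run. I would put `# Keycloak's mapper update expects the representation to carry the same id as the path` above it; that behaviour is inferred from the commit subject and is worth confirming against the Keycloak version deployed. The update branch is also chosen by name alone (`mapper.get("name") == "groups"`), so an existing mapper called `groups` with a different `protocolMapper` type would be overwritten in place. Since this mapper shapes the groups claim that downstream authorization relies on, consider comparing the type as well before taking the PUT path. The `request(` call and the handling of its `status` continue outside the hunk, so whether a failed update aborts the job cannot be seen here.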
@@ -53,7 +53,7 @@ tolerations:
 3. Confirm the node normalizer applies the Veles labels and taint.
 4. Add Oceanus Longhorn disks at paths tagged by the Longhorn tag ensure job.
 5. Let Vault policy reconciliation run, then unsuspend `veles-secrets-ensure-2`.
-6. Unsuspend `veles-realm-ensure-2` in `services/keycloak` to create the realm/client secret.
+6. Unsuspend `veles-realm-ensure-3` in `services/keycloak` to create the realm/client secret.
 7. Create the Harbor `veles` project or robot access before image automation is enabled in production.
 8. Scale `veles-postgres`, then backend/frontend once app images exist.