sso: fix keycloak ldap provider parentId

services/keycloak/ldap-federation-job.yaml

@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: keycloak-ldap-federation-1
+  name: keycloak-ldap-federation-2
   namespace: sso
 spec:
   backoffLimit: 2
@@ -117,6 +117,16 @@ spec:
 
               token = wait_for_keycloak()
 
+              # Keycloak component "parentId" must be the realm UUID, not the realm name.
+              status, realm_rep, _ = http_json(
+                  "GET",
+                  f"{base_url}/admin/realms/{realm}",
+                  token,
+              )
+              if status != 200 or not realm_rep or not realm_rep.get("id"):
+                  raise SystemExit(f"Unable to resolve realm id for {realm} (status={status})")
+              realm_id = realm_rep["id"]
+
               # Find existing LDAP user federation provider (if any)
               status, components, _ = http_json(
                   "GET",
@@ -138,7 +148,7 @@ spec:
                   "name": "openldap",
                   "providerId": "ldap",
                   "providerType": "org.keycloak.storage.UserStorageProvider",
-                  "parentId": realm,
+                  "parentId": realm_id,
                   "config": {
                       "enabled": ["true"],
                       "priority": ["0"],