diff --git a/services/keycloak/actual-oidc-secret-ensure-job.yaml b/services/keycloak/actual-oidc-secret-ensure-job.yaml
index 22ba34f..3dadb52 100644
--- a/services/keycloak/actual-oidc-secret-ensure-job.yaml
+++ b/services/keycloak/actual-oidc-secret-ensure-job.yaml
@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: actual-oidc-secret-ensure-2
+  name: actual-oidc-secret-ensure-3
   namespace: sso
 spec:
   backoffLimit: 0
diff --git a/services/keycloak/mas-secrets-ensure-job.yaml b/services/keycloak/mas-secrets-ensure-job.yaml
index 9d97f72..f5679cb 100644
--- a/services/keycloak/mas-secrets-ensure-job.yaml
+++ b/services/keycloak/mas-secrets-ensure-job.yaml
@@ -10,7 +10,7 @@ imagePullSecrets:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: mas-secrets-ensure-19
+  name: mas-secrets-ensure-20
   namespace: sso
 spec:
   backoffLimit: 0
@@ -49,6 +49,13 @@ spec:
               umask 077
 
               KC_URL="http://keycloak.sso.svc.cluster.local"
+              for attempt in 1 2 3 4 5 6 7 8 9 10; do
+                if curl -fsS "${KC_URL}/realms/master" >/dev/null 2>&1; then
+                  break
+                fi
+                echo "Waiting for Keycloak to be reachable (attempt ${attempt})" >&2
+                sleep $((attempt * 2))
+              done
               ACCESS_TOKEN=""
               for attempt in 1 2 3 4 5; do
                 TOKEN_JSON="$(curl -sS -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \
diff --git a/services/keycloak/scripts/actual_oidc_secret_ensure.sh b/services/keycloak/scripts/actual_oidc_secret_ensure.sh
index 3ed6e6a..deb019a 100644
--- a/services/keycloak/scripts/actual_oidc_secret_ensure.sh
+++ b/services/keycloak/scripts/actual_oidc_secret_ensure.sh
@@ -5,6 +5,13 @@ set -euo pipefail
 
 KC_URL="http://keycloak.sso.svc.cluster.local"
 ACCESS_TOKEN=""
+for attempt in 1 2 3 4 5 6 7 8 9 10; do
+  if curl -fsS "${KC_URL}/realms/master" >/dev/null 2>&1; then
+    break
+  fi
+  echo "Waiting for Keycloak to be reachable (attempt ${attempt})" >&2
+  sleep $((attempt * 2))
+done
 for attempt in 1 2 3 4 5; do
   TOKEN_JSON="$(curl -sS -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \
     -H 'Content-Type: application/x-www-form-urlencoded' \
@@ -35,7 +42,7 @@ if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
     -H 'Content-Type: application/json' \
     -d "${create_payload}" \
     "$KC_URL/admin/realms/atlas/clients")"
-  if [ "$status" != "201" ] && [ "$status" != "204" ]; then
+  if [ "$status" != "201" ] && [ "$status" != "204" ] && [ "$status" != "409" ]; then
     echo "Keycloak client create failed (status ${status})" >&2
     exit 1
   fi