titan-iac/services/keycloak/synapse-oidc-secret-ensure-job.yaml

# services/keycloak/synapse-oidc-secret-ensure-job.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: synapse-oidc-secret-ensure-3
  namespace: sso
spec:
  backoffLimit: 0
  ttlSecondsAfterFinished: 3600
  template:
    spec:
      serviceAccountName: mas-secrets-ensure
      restartPolicy: Never
      containers:
        - name: apply
          image: alpine:3.20
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -euo pipefail
              apk add --no-cache curl jq kubectl >/dev/null

              KC_URL="http://keycloak.sso.svc.cluster.local"
              ACCESS_TOKEN=""
              for attempt in 1 2 3 4 5; do
                TOKEN_JSON="$(curl -sS -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \
                  -H 'Content-Type: application/x-www-form-urlencoded' \
                  -d "grant_type=password" \
                  -d "client_id=admin-cli" \
                  -d "username=${KEYCLOAK_ADMIN}" \
                  -d "password=${KEYCLOAK_ADMIN_PASSWORD}" || true)"
                ACCESS_TOKEN="$(echo "$TOKEN_JSON" | jq -r '.access_token' 2>/dev/null || true)"
                if [ -n "$ACCESS_TOKEN" ] && [ "$ACCESS_TOKEN" != "null" ]; then
                  break
                fi
                echo "Keycloak token request failed (attempt ${attempt})" >&2
                sleep $((attempt * 2))
              done
              if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
                echo "Failed to fetch Keycloak admin token" >&2
                exit 1
              fi

              CLIENT_ID="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
                "$KC_URL/admin/realms/atlas/clients?clientId=synapse" | jq -r '.[0].id' 2>/dev/null || true)"
              if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
                echo "Keycloak client synapse not found" >&2
                exit 1
              fi
              CLIENT_SECRET="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
                "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/client-secret" | jq -r '.value' 2>/dev/null || true)"
              if [ -z "$CLIENT_SECRET" ] || [ "$CLIENT_SECRET" = "null" ]; then
                echo "Keycloak client secret not found" >&2
                exit 1
              fi

              existing="$(kubectl -n comms get secret synapse-oidc -o jsonpath='{.data.client-secret}' 2>/dev/null || true)"
              if [ -n "${existing}" ]; then
                exit 0
              fi

              kubectl -n comms create secret generic synapse-oidc \
                --from-literal=client-secret="${CLIENT_SECRET}" \
                --dry-run=client -o yaml | kubectl -n comms apply -f - >/dev/null
          env:
            - name: KEYCLOAK_ADMIN
              valueFrom:
                secretKeyRef:
                  name: keycloak-admin
                  key: username
            - name: KEYCLOAK_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-admin
                  key: password