G2P-4380 Status of secrets read from cluster rather than relying on a markup file

pjoshi751 · pjoshi751 · commit 6630bb2aa62f · 2026-03-24T11:56:29.000+05:30
diff --git a/automation/lib/env-phase1.sh b/automation/lib/env-phase1.sh
@@ -493,9 +493,10 @@ GWEOF
 env_phase1_step7_keycloak_secret() {
     local env_name=$(cfg "environment")
     local step_id="env-${env_name}.phase1.keycloak_secret"
-    skip_if_done "$step_id" "Keycloak secret in '${env_name}'" && return 0
 
-    log_step "E1.7" "Creating Keycloak client-manager secret in namespace '${env_name}'"
+    # Always verify the secret exists on the cluster — don't trust the state
+    # marker alone, because cleanup/uninstall may have deleted it.
+    log_step "E1.7" "Ensuring Keycloak client-manager secret in namespace '${env_name}'"
 
     ensure_kubeconfig || return 1
 
@@ -510,6 +511,7 @@ env_phase1_step7_keycloak_secret() {
     if kubectl -n "$env_name" get secret keycloak-client-manager &>/dev/null; then
         log_info "Secret 'keycloak-client-manager' already exists in namespace '${env_name}'."
     else
+        log_info "Creating secret 'keycloak-client-manager'..."
         kubectl -n "$env_name" create secret generic keycloak-client-manager \
             --from-literal=keycloak-client-manager-password="$cm_pass" || {
             log_error "Failed to create keycloak-client-manager secret" \
diff --git a/automation/lib/env-phase2.sh b/automation/lib/env-phase2.sh
@@ -198,10 +198,28 @@ env_phase2_step1_commons_base() {
     # Clean uninstall if stale release exists (full cleanup: secrets + PVCs)
     clean_uninstall_release "$env_name" "$release_name" "full"
 
-    # Recreate keycloak-client-manager secret (may have been deleted by full cleanup)
-    if [[ -n "$cm_pass" ]] && ! kubectl -n "$env_name" get secret keycloak-client-manager &>/dev/null; then
-        kubectl -n "$env_name" create secret generic keycloak-client-manager \
-            --from-literal=keycloak-client-manager-password="$cm_pass" > /dev/null 2>&1 || true
+    # Always ensure keycloak-client-manager secret exists before install.
+    # It may have been deleted by full cleanup above, by a manual uninstall,
+    # or may never have been created if phase 1 was skipped.
+    if [[ -n "$cm_pass" ]]; then
+        if kubectl -n "$env_name" get secret keycloak-client-manager &>/dev/null; then
+            log_info "Secret 'keycloak-client-manager' already exists."
+        else
+            log_info "Creating secret 'keycloak-client-manager' in namespace '${env_name}'..."
+            kubectl -n "$env_name" create secret generic keycloak-client-manager \
+                --from-literal=keycloak-client-manager-password="$cm_pass" || {
+                log_error "Failed to create keycloak-client-manager secret" \
+                          "This secret is required by the commons chart" \
+                          "Check namespace and credentials"
+                return 1
+            }
+            log_success "Secret 'keycloak-client-manager' created."
+        fi
+    else
+        log_error "Keycloak client-manager password not available" \
+                  "Cannot create the required keycloak-client-manager secret" \
+                  "Set keycloak.client_manager_password in env config or check saved state"
+        return 1
     fi
 
     log_info "Chart:    ${chart_ref}"
