From 9769769c2cbedc05444d303d3c18725c0c42ce3b Mon Sep 17 00:00:00 2001
From: Jan Novak
Date: Sun, 1 Mar 2026 23:39:00 +0100
Subject: [PATCH] ci: add debug output to Kanidm token exchange step

Capture HTTP status code and full response body separately so failures show the actual error from the server instead of silently dying.

Co-Authored-By: Claude Sonnet 4.6
---
 .gitea/workflows/kubernetes-deploy.yaml | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)

diff --git a/.gitea/workflows/kubernetes-deploy.yaml b/.gitea/workflows/kubernetes-deploy.yaml
index ec55d0b..daf1fc2 100644
--- a/.gitea/workflows/kubernetes-deploy.yaml
+++ b/.gitea/workflows/kubernetes-deploy.yaml
@@ -42,16 +42,31 @@ jobs:
 - name: Exchange for K8s OIDC token via Kanidm
 id: k8s
 run: |
- RESPONSE=$(curl -sf -X POST "https://idm.home.hrajfrisbee.cz/oauth2/token" \
+ API_TOKEN="${{ steps.vault.outputs.api_token }}"
+ echo "api_token length: ${#API_TOKEN}" >&2
+ echo "api_token prefix (first 8 chars): ${API_TOKEN:0:8}..." >&2
+
+ HTTP_BODY=$(mktemp)
+ HTTP_STATUS=$(curl -sS -X POST "https://idm.home.hrajfrisbee.cz/oauth2/token" \
 -d "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
 -d "client_id=k8s" \
- -d "subject_token=${{ steps.vault.outputs.api_token }}" \
+ -d "subject_token=${API_TOKEN}" \
 -d "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \
 -d "audience=k8s" \
- -d "scope=openid groups")
+ -d "scope=openid groups" \
+ -o "$HTTP_BODY" -w "%{http_code}")
- ID_TOKEN=$(echo "$RESPONSE" | jq -r '.id_token')
- [ "$ID_TOKEN" != "null" ] && [ -n "$ID_TOKEN" ] || { echo "::error::Kanidm token exchange failed"; echo "$RESPONSE" | jq . >&2; exit 1; }
+ echo "HTTP status: $HTTP_STATUS" >&2
+ echo "Response body:" >&2
+ cat "$HTTP_BODY" >&2
+
+ RESPONSE=$(cat "$HTTP_BODY")
+ ID_TOKEN=$(echo "$RESPONSE" | jq -r '.id_token // empty')
+
+ if [ -z "$ID_TOKEN" ]; then
+ echo "::error::Kanidm token exchange failed (HTTP $HTTP_STATUS)"
+ exit 1
+ fi
 echo "::add-mask::${ID_TOKEN}"
 echo "id_token=${ID_TOKEN}" >> "$GITHUB_OUTPUT"
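Review bot: The unconditional `cat "$HTTP_BODY" >&2` prints the full token response on every run, and it executes before `echo "::add-mask::${ID_TOKEN}"`, so a successful exchange writes the issued `id_token` to the job log unmasked. Keep the dump only inside the `if [ -z "$ID_TOKEN" ]; then` branch, where no `id_token` was parsed, and delete the file with `rm -f "$HTTP_BODY"` once `RESPONSE` has been read. The `api_token prefix (first 8 chars)` echo also puts part of the Vault-issued credential into the log; the length line is enough to tell an empty step output from a populated one. `${{ steps.vault.outputs.api_token }}` is still expanded into the script text before the shell runs; passing it through the step's `env:` would keep it out of the generated script, though the rest of the step definition is outside this hunk.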