ci: add debug output to Kanidm token exchange step

Capture HTTP status code and full response body separately so failures
show the actual error from the server instead of silently dying.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.gitea/workflows/kubernetes-deploy.yaml

@@ -42,16 +42,31 @@ jobs:
       - name: Exchange for K8s OIDC token via Kanidm
         id: k8s
         run: |
-          RESPONSE=$(curl -sf -X POST "https://idm.home.hrajfrisbee.cz/oauth2/token" \
+          API_TOKEN="${{ steps.vault.outputs.api_token }}"
+          echo "api_token length: ${#API_TOKEN}" >&2
+          echo "api_token prefix (first 8 chars): ${API_TOKEN:0:8}..." >&2
+
+          HTTP_BODY=$(mktemp)
+          HTTP_STATUS=$(curl -sS -X POST "https://idm.home.hrajfrisbee.cz/oauth2/token" \
             -d "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
             -d "client_id=k8s" \
-            -d "subject_token=${{ steps.vault.outputs.api_token }}" \
+            -d "subject_token=${API_TOKEN}" \
             -d "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \
             -d "audience=k8s" \
-            -d "scope=openid groups")
+            -d "scope=openid groups" \
+            -o "$HTTP_BODY" -w "%{http_code}")
 
-          ID_TOKEN=$(echo "$RESPONSE" | jq -r '.id_token')
-          [ "$ID_TOKEN" != "null" ] && [ -n "$ID_TOKEN" ] || { echo "::error::Kanidm token exchange failed"; echo "$RESPONSE" | jq . >&2; exit 1; }
+          echo "HTTP status: $HTTP_STATUS" >&2
+          echo "Response body:" >&2
+          cat "$HTTP_BODY" >&2
+
+          RESPONSE=$(cat "$HTTP_BODY")
+          ID_TOKEN=$(echo "$RESPONSE" | jq -r '.id_token // empty')
+
+          if [ -z "$ID_TOKEN" ]; then
+            echo "::error::Kanidm token exchange failed (HTTP $HTTP_STATUS)"
+            exit 1
+          fi
 
           echo "::add-mask::${ID_TOKEN}"
           echo "id_token=${ID_TOKEN}" >> "$GITHUB_OUTPUT"