fix(deploy): run configure_maas_api_authpolicy after maas-api is ready

The helper existed but was never invoked, so kustomize + --external-oidc left maas-api-auth-policy without oidc-identities.jwt.issuerUrl and CI validation failed.

Call it after the Tenant reconciler creates maas-api; skip in operator mode (external OIDC via ModelsAsService CR).

Signed-off-by: Wen Liang <liangwen12year@gmail.com>

Author: liangwen12year

scripts/deploy.sh

@@ -616,6 +616,16 @@ main() {
     return 1
   fi
 
+  # External OIDC: merge-patch maas-api-auth-policy with Keycloak (or other IdP) JWT rules.
+  # The Tenant reconciler creates the base AuthPolicy; this must run after it exists.
+  # Operator mode uses ModelsAsService.spec.externalOIDC instead (see parse_arguments warning).
+  if [[ "$EXTERNAL_OIDC" == "true" ]] && [[ "$DEPLOYMENT_MODE" == "kustomize" ]]; then
+    if ! configure_maas_api_authpolicy; then
+      log_error "configure_maas_api_authpolicy failed — set OIDC_ISSUER_URL / OIDC_CLIENT_ID (or overlay params) and retry"
+      return 1
+    fi
+  fi
+
   log_info ""
   log_info "MaaS API and MaaS Controller deployment completed successfully!"
   local deployed_api_image deployed_ctrl_image