titan-iac/services/keycloak/realm-settings-job.yaml

# services/keycloak/realm-settings-job.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: keycloak-realm-settings-5
  namespace: sso
spec:
  backoffLimit: 2
  template:
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: hardware
                    operator: In
                    values: ["rpi5","rpi4"]
                  - key: node-role.kubernetes.io/worker
                    operator: Exists
      restartPolicy: OnFailure
      containers:
        - name: configure
          image: quay.io/keycloak/keycloak:26.0.7
          env:
            - name: KEYCLOAK_SERVER
              value: http://keycloak.sso.svc.cluster.local
            - name: KEYCLOAK_REALM
              value: atlas
            - name: KEYCLOAK_ADMIN_USER
              valueFrom:
                secretKeyRef:
                  name: keycloak-admin
                  key: username
            - name: KEYCLOAK_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-admin
                  key: password
            - name: KEYCLOAK_SMTP_HOST
              value: mailu-front.mailu-mailserver.svc.cluster.local
            - name: KEYCLOAK_SMTP_PORT
              value: "25"
            - name: KEYCLOAK_SMTP_FROM
              value: no-reply@bstein.dev
            - name: KEYCLOAK_SMTP_FROM_NAME
              value: Atlas SSO
            - name: KEYCLOAK_SMTP_REPLY_TO
              value: no-reply@bstein.dev
            - name: KEYCLOAK_SMTP_REPLY_TO_NAME
              value: Atlas SSO
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -euo pipefail
              /opt/keycloak/bin/kcadm.sh config credentials \
                --server "${KEYCLOAK_SERVER}" \
                --realm master \
                --user "${KEYCLOAK_ADMIN_USER}" \
                --password "${KEYCLOAK_ADMIN_PASSWORD}"
              smtp_json="$(cat <<EOF
              {"host":"${KEYCLOAK_SMTP_HOST}","port":"${KEYCLOAK_SMTP_PORT}","from":"${KEYCLOAK_SMTP_FROM}","fromDisplayName":"${KEYCLOAK_SMTP_FROM_NAME}","replyTo":"${KEYCLOAK_SMTP_REPLY_TO}","replyToDisplayName":"${KEYCLOAK_SMTP_REPLY_TO_NAME}","auth":"false","starttls":"false","ssl":"false"}
              EOF
              )"
              /opt/keycloak/bin/kcadm.sh update "realms/${KEYCLOAK_REALM}" \
                -s resetPasswordAllowed=true \
                -s "smtpServer=${smtp_json}"
keycloak: enable reset password 2026-01-02 03:38:50 -03:00			`# services/keycloak/realm-settings-job.yaml`
			`apiVersion: batch/v1`
			`kind: Job`
			`metadata:`
keycloak: set realm smtp server 2026-01-02 03:58:37 -03:00			`name: keycloak-realm-settings-5`
keycloak: enable reset password 2026-01-02 03:38:50 -03:00			`namespace: sso`
			`spec:`
			`backoffLimit: 2`
			`template:`
			`spec:`
keycloak: pin realm job to rpi nodes 2026-01-02 03:45:44 -03:00			`affinity:`
			`nodeAffinity:`
			`requiredDuringSchedulingIgnoredDuringExecution:`
			`nodeSelectorTerms:`
			`- matchExpressions:`
			`- key: hardware`
			`operator: In`
			`values: ["rpi5","rpi4"]`
			`- key: node-role.kubernetes.io/worker`
			`operator: Exists`
keycloak: enable reset password 2026-01-02 03:38:50 -03:00			`restartPolicy: OnFailure`
			`containers:`
			`- name: configure`
keycloak: switch realm job to kcadm 2026-01-02 03:55:08 -03:00			`image: quay.io/keycloak/keycloak:26.0.7`
keycloak: enable reset password 2026-01-02 03:38:50 -03:00			`env:`
keycloak: switch realm job to kcadm 2026-01-02 03:55:08 -03:00			`- name: KEYCLOAK_SERVER`
keycloak: fix realm job service URL 2026-01-02 03:49:19 -03:00			`value: http://keycloak.sso.svc.cluster.local`
keycloak: enable reset password 2026-01-02 03:38:50 -03:00			`- name: KEYCLOAK_REALM`
			`value: atlas`
			`- name: KEYCLOAK_ADMIN_USER`
			`valueFrom:`
			`secretKeyRef:`
			`name: keycloak-admin`
			`key: username`
			`- name: KEYCLOAK_ADMIN_PASSWORD`
			`valueFrom:`
			`secretKeyRef:`
			`name: keycloak-admin`
			`key: password`
			`- name: KEYCLOAK_SMTP_HOST`
			`value: mailu-front.mailu-mailserver.svc.cluster.local`
			`- name: KEYCLOAK_SMTP_PORT`
			`value: "25"`
			`- name: KEYCLOAK_SMTP_FROM`
			`value: no-reply@bstein.dev`
			`- name: KEYCLOAK_SMTP_FROM_NAME`
			`value: Atlas SSO`
			`- name: KEYCLOAK_SMTP_REPLY_TO`
			`value: no-reply@bstein.dev`
			`- name: KEYCLOAK_SMTP_REPLY_TO_NAME`
			`value: Atlas SSO`
			`command: ["/bin/sh", "-c"]`
			`args:`
			`- \|`
			`set -euo pipefail`
keycloak: switch realm job to kcadm 2026-01-02 03:55:08 -03:00			`/opt/keycloak/bin/kcadm.sh config credentials \`
			`--server "${KEYCLOAK_SERVER}" \`
			`--realm master \`
			`--user "${KEYCLOAK_ADMIN_USER}" \`
			`--password "${KEYCLOAK_ADMIN_PASSWORD}"`
keycloak: set realm smtp server 2026-01-02 03:58:37 -03:00			`smtp_json="$(cat <<EOF`
			`{"host":"${KEYCLOAK_SMTP_HOST}","port":"${KEYCLOAK_SMTP_PORT}","from":"${KEYCLOAK_SMTP_FROM}","fromDisplayName":"${KEYCLOAK_SMTP_FROM_NAME}","replyTo":"${KEYCLOAK_SMTP_REPLY_TO}","replyToDisplayName":"${KEYCLOAK_SMTP_REPLY_TO_NAME}","auth":"false","starttls":"false","ssl":"false"}`
			`EOF`
			`)"`
keycloak: switch realm job to kcadm 2026-01-02 03:55:08 -03:00			`/opt/keycloak/bin/kcadm.sh update "realms/${KEYCLOAK_REALM}" \`
			`-s resetPasswordAllowed=true \`
keycloak: set realm smtp server 2026-01-02 03:58:37 -03:00			`-s "smtpServer=${smtp_json}"`