keycloak: allow mailu_email + groups

2026-01-03 03:32:38 -03:00 · 2026-01-03 03:32:38 -03:00 · 0b211520cb
commit 0b211520cb
parent 5c618c6560
1 changed files with 51 additions and 1 deletions
--- a/services/keycloak/realm-settings-job.yaml
+++ b/services/keycloak/realm-settings-job.yaml
@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: keycloak-realm-settings-11
+  name: keycloak-realm-settings-12
  namespace: sso
 spec:
  backoffLimit: 0
@ -137,6 +137,56 @@ spec:
              if status not in (200, 204):
                  raise SystemExit(f"Unexpected realm update response: {status}")

+              # Ensure required custom user-profile attributes exist.
+              profile_url = f"{base_url}/admin/realms/{realm}/users/profile"
+              status, profile = http_json("GET", profile_url, access_token)
+              if status == 200 and isinstance(profile, dict):
+                  attrs = profile.get("attributes")
+                  if not isinstance(attrs, list):
+                      attrs = []
+                  has_mailu_email = any(
+                      isinstance(item, dict) and item.get("name") == "mailu_email" for item in attrs
+                  )
+                  if not has_mailu_email:
+                      attrs.append(
+                          {
+                              "name": "mailu_email",
+                              "displayName": "Atlas Mailbox",
+                              "multivalued": False,
+                              "annotations": {"group": "user-metadata"},
+                              "permissions": {"view": ["admin"], "edit": ["admin"]},
+                              "validations": {"email": {}, "length": {"max": 255}},
+                          }
+                      )
+                      profile["attributes"] = attrs
+                      status, _ = http_json("PUT", profile_url, access_token, profile)
+                      if status not in (200, 204):
+                          raise SystemExit(f"Unexpected user-profile update response: {status}")
+
+              # Ensure basic realm groups exist for provisioning.
+              for group_name in ("dev", "admin"):
+                  status, groups = http_json(
+                      "GET",
+                      f"{base_url}/admin/realms/{realm}/groups?search={urllib.parse.quote(group_name)}",
+                      access_token,
+                  )
+                  exists = False
+                  if status == 200 and isinstance(groups, list):
+                      for item in groups:
+                          if isinstance(item, dict) and item.get("name") == group_name:
+                              exists = True
+                              break
+                  if exists:
+                      continue
+                  status, _ = http_json(
+                      "POST",
+                      f"{base_url}/admin/realms/{realm}/groups",
+                      access_token,
+                      {"name": group_name},
+                  )
+                  if status not in (201, 204):
+                      raise SystemExit(f"Unexpected group create response for {group_name}: {status}")
+
              # Ensure MFA is on by default for newly-created users.
              status, required_actions = http_json(
                  "GET",