keycloak: apply realm smtp via api

services/keycloak/realm-settings-job.yaml

@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: keycloak-realm-settings-5
+  name: keycloak-realm-settings-6
   namespace: sso
 spec:
   backoffLimit: 2
@@ -21,7 +21,7 @@ spec:
       restartPolicy: OnFailure
       containers:
         - name: configure
-          image: quay.io/keycloak/keycloak:26.0.7
+          image: python:3.11-alpine
           env:
             - name: KEYCLOAK_SERVER
               value: http://keycloak.sso.svc.cluster.local
@@ -53,15 +53,60 @@ spec:
           args:
             - |
               set -euo pipefail
-              /opt/keycloak/bin/kcadm.sh config credentials \
-                --server "${KEYCLOAK_SERVER}" \
-                --realm master \
-                --user "${KEYCLOAK_ADMIN_USER}" \
-                --password "${KEYCLOAK_ADMIN_PASSWORD}"
-              smtp_json="$(cat <<EOF
-              {"host":"${KEYCLOAK_SMTP_HOST}","port":"${KEYCLOAK_SMTP_PORT}","from":"${KEYCLOAK_SMTP_FROM}","fromDisplayName":"${KEYCLOAK_SMTP_FROM_NAME}","replyTo":"${KEYCLOAK_SMTP_REPLY_TO}","replyToDisplayName":"${KEYCLOAK_SMTP_REPLY_TO_NAME}","auth":"false","starttls":"false","ssl":"false"}
-              EOF
-              )"
-              /opt/keycloak/bin/kcadm.sh update "realms/${KEYCLOAK_REALM}" \
-                -s resetPasswordAllowed=true \
-                -s "smtpServer=${smtp_json}"
+              python - <<'PY'
+              import json
+              import os
+              import urllib.parse
+              import urllib.request
+
+              base_url = os.environ["KEYCLOAK_SERVER"].rstrip("/")
+              realm = os.environ["KEYCLOAK_REALM"]
+              admin_user = os.environ["KEYCLOAK_ADMIN_USER"]
+              admin_password = os.environ["KEYCLOAK_ADMIN_PASSWORD"]
+
+              token_data = urllib.parse.urlencode(
+                  {
+                      "grant_type": "password",
+                      "client_id": "admin-cli",
+                      "username": admin_user,
+                      "password": admin_password,
+                  }
+              ).encode()
+              token_req = urllib.request.Request(
+                  f"{base_url}/realms/master/protocol/openid-connect/token",
+                  data=token_data,
+                  headers={"Content-Type": "application/x-www-form-urlencoded"},
+                  method="POST",
+              )
+              with urllib.request.urlopen(token_req, timeout=10) as resp:
+                  token_body = json.loads(resp.read().decode())
+              access_token = token_body["access_token"]
+
+              payload = {
+                  "resetPasswordAllowed": True,
+                  "smtpServer": {
+                      "host": os.environ["KEYCLOAK_SMTP_HOST"],
+                      "port": os.environ["KEYCLOAK_SMTP_PORT"],
+                      "from": os.environ["KEYCLOAK_SMTP_FROM"],
+                      "fromDisplayName": os.environ["KEYCLOAK_SMTP_FROM_NAME"],
+                      "replyTo": os.environ["KEYCLOAK_SMTP_REPLY_TO"],
+                      "replyToDisplayName": os.environ["KEYCLOAK_SMTP_REPLY_TO_NAME"],
+                      "auth": "false",
+                      "starttls": "false",
+                      "ssl": "false",
+                  },
+              }
+
+              update_req = urllib.request.Request(
+                  f"{base_url}/admin/realms/{realm}",
+                  data=json.dumps(payload).encode(),
+                  headers={
+                      "Authorization": f"Bearer {access_token}",
+                      "Content-Type": "application/json",
+                  },
+                  method="PUT",
+              )
+              with urllib.request.urlopen(update_req, timeout=10) as resp:
+                  if resp.status not in (200, 204):
+                      raise SystemExit(f"Unexpected response: {resp.status}")
+              PY