From 77beacec539d9960e3b0e84be82201642fcf2f56 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Fri, 2 Jan 2026 03:55:08 -0300
Subject: [PATCH] keycloak: switch realm job to kcadm
---
 services/keycloak/realm-settings-job.yaml | 118 ++++------------------
 1 file changed, 19 insertions(+), 99 deletions(-)
diff --git a/services/keycloak/realm-settings-job.yaml b/services/keycloak/realm-settings-job.yaml
index 2952e1c..22843cb 100644
--- a/services/keycloak/realm-settings-job.yaml
+++ b/services/keycloak/realm-settings-job.yaml
@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
- name: keycloak-realm-settings-3
+ name: keycloak-realm-settings-4
 namespace: sso
 spec:
 backoffLimit: 2
@@ -21,9 +21,9 @@ spec:
 restartPolicy: OnFailure
 containers:
 - name: configure
- image: python:3.11-alpine
+ image: quay.io/keycloak/keycloak:26.0.7
 env:
- - name: KEYCLOAK_URL
+ - name: KEYCLOAK_SERVER
 value: http://keycloak.sso.svc.cluster.local
 - name: KEYCLOAK_REALM
 value: atlas
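Review bot: `image: quay.io/keycloak/keycloak:26.0.7` pins the new image by a mutable tag, and this is the container that will hold the master-realm admin credentials (the script further down the file reads `KEYCLOAK_ADMIN_USER`/`KEYCLOAK_ADMIN_PASSWORD`); pin it by digest, `image: quay.io/keycloak/keycloak:26.0.7@sha256:<digest>`, so a retagged image on the registry cannot swap in a different binary for this job. The renamed `KEYCLOAK_SERVER` still points at plain `http://keycloak.sso.svc.cluster.local`, so the admin password and the bearer token cross the cluster network in cleartext; that predates this commit, but given the admin scope it deserves either an in-cluster TLS endpoint or an explicit comment accepting the risk. The container's `env` list continues past the end of the hunk.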
@@ -53,99 +53,19 @@ spec:
 args:
 - |
 set -euo pipefail
- python - <<'PY'
- import json
- import os
- import time
- import urllib.error
- import urllib.parse
- import urllib.request
-
- base_url = os.environ["KEYCLOAK_URL"].rstrip("/")
- realm = os.environ["KEYCLOAK_REALM"]
- admin_user = os.environ["KEYCLOAK_ADMIN_USER"]
- admin_password = os.environ["KEYCLOAK_ADMIN_PASSWORD"]
-
- smtp_defaults = {
- "host": os.environ["KEYCLOAK_SMTP_HOST"],
- "port": os.environ["KEYCLOAK_SMTP_PORT"],
- "from": os.environ["KEYCLOAK_SMTP_FROM"],
- "fromDisplayName": os.environ["KEYCLOAK_SMTP_FROM_NAME"],
- "replyTo": os.environ["KEYCLOAK_SMTP_REPLY_TO"],
- "replyToDisplayName": os.environ["KEYCLOAK_SMTP_REPLY_TO_NAME"],
- "auth": "false",
- "starttls": "false",
- "ssl": "false",
- }
-
- def request(path, method="GET", data=None, headers=None):
- if headers is None:
- headers = {}
- payload = None
- if data is not None:
- payload = json.dumps(data).encode()
- headers = dict(headers)
- headers["Content-Type"] = "application/json"
- req = urllib.request.Request(
- f"{base_url}{path}",
- data=payload,
- headers=headers,
- method=method,
- )
- return urllib.request.urlopen(req, timeout=10)
-
- for _ in range(60):
- try:
- with request("/health/ready") as resp:
- if resp.status == 200:
- break
- except Exception:
- time.sleep(2)
- else:
- raise SystemExit("Keycloak API did not become ready in time")
-
- token_data = urllib.parse.urlencode(
- {
- "grant_type": "password",
- "client_id": "admin-cli",
- "username": admin_user,
- "password": admin_password,
- }
- ).encode()
- token_req = urllib.request.Request(
- f"{base_url}/realms/master/protocol/openid-connect/token",
- data=token_data,
- headers={"Content-Type": "application/x-www-form-urlencoded"},
- method="POST",
- )
- with urllib.request.urlopen(token_req, timeout=10) as resp:
- token_body = json.loads(resp.read().decode())
- access_token = token_body["access_token"]
- auth_headers = {"Authorization": f"Bearer {access_token}"}
-
- with
request(f"/admin/realms/{realm}", headers=auth_headers) as resp:
- realm_data = json.loads(resp.read().decode())
-
- changed = False
- if not realm_data.get("resetPasswordAllowed", False):
- realm_data["resetPasswordAllowed"] = True
- changed = True
-
- smtp = realm_data.get("smtpServer") or {}
- if not smtp.get("host"):
- smtp.update(smtp_defaults)
- realm_data["smtpServer"] = smtp
- changed = True
-
- if not changed:
- raise SystemExit(0)
-
- with request(
- f"/admin/realms/{realm}",
- method="PUT",
- data=realm_data,
- headers=auth_headers,
- ) as resp:
- if resp.status not in (200, 204):
- raise SystemExit(f"Unexpected response: {resp.status}")
- PY
+ /opt/keycloak/bin/kcadm.sh config credentials \
+ --server "${KEYCLOAK_SERVER}" \
+ --realm master \
+ --user "${KEYCLOAK_ADMIN_USER}" \
+ --password "${KEYCLOAK_ADMIN_PASSWORD}"
+ /opt/keycloak/bin/kcadm.sh update "realms/${KEYCLOAK_REALM}" \
+ -s resetPasswordAllowed=true \
+ -s "smtpServer.host=${KEYCLOAK_SMTP_HOST}" \
+ -s "smtpServer.port=${KEYCLOAK_SMTP_PORT}" \
+ -s "smtpServer.from=${KEYCLOAK_SMTP_FROM}" \
+ -s "smtpServer.fromDisplayName=${KEYCLOAK_SMTP_FROM_NAME}" \
+ -s "smtpServer.replyTo=${KEYCLOAK_SMTP_REPLY_TO}" \
+ -s "smtpServer.replyToDisplayName=${KEYCLOAK_SMTP_REPLY_TO_NAME}" \
+ -s smtpServer.auth=false \
+ -s smtpServer.starttls=false \
+ -s smtpServer.ssl=false
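Review bot: The `kcadm.sh update` call rewrites the realm's `smtpServer` block on every run, forcing `smtpServer.auth=false`, `smtpServer.starttls=false` and `smtpServer.ssl=false`, whereas the removed Python applied those defaults only when `smtpServer.host` was empty and otherwise left an operator-configured (authenticated, TLS) mail setup untouched — so re-running this job silently reverts a hardened SMTP configuration to unauthenticated plaintext. Keep that guard: apply `-s resetPasswordAllowed=true` unconditionally, but run the `smtpServer.*` settings only when `kcadm.sh get "realms/${KEYCLOAK_REALM}" --fields smtpServer` reports no host, and reconsider whether the three `false` lines belong in a default at all. `--password "${KEYCLOAK_ADMIN_PASSWORD}"` also puts the master-realm admin password on the kcadm command line, where it is readable from `/proc/<pid>/cmdline` or `ps` by anything else running in the container, and `config credentials` persists the issued token to `~/.keycloak/kcadm.config` on the container filesystem; if this kcadm build can take the password from stdin or a config file, prefer that, and remove the config file once the job finishes. The readiness poll of `/health/ready` (60 tries, 2 s apart) was dropped without replacement, and with `backoffLimit: 2` the job now gets three attempts that all fail fast if Keycloak is still starting, so restore a wait loop or gate the job on an initContainer that polls the health endpoint.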