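# services/keycloak/oneoffs/portal-e2e-execute-actions-email-test-job.yaml
# One-off job for sso/keycloak-portal-e2e-execute-actions-email-14.
# Purpose: runs /scripts/test_keycloak_execute_actions_email.py (mounted from
# the portal-e2e-tests ConfigMap) with the env below, against the atlas realm.
# Run by setting spec.suspend to false, reconcile, then set it back to true.
# Safe to delete the finished Job/pod; it should not run continuously.
---
apiVersion: batch/v1
kind: Job
metadata:
  name: keycloak-portal-e2e-execute-actions-email-14
  namespace: sso
spec:
  # Kept suspended in Git so the Job only runs when someone flips this flag.
  suspend: true
  backoffLimit: 3
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        # Render the secrets once from an init container; no agent sidecar.
        vault.hashicorp.com/agent-pre-populate-only: "true"
        vault.hashicorp.com/role: "sso"
        vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
        # NOTE(review): least privilege. The container runs a single test
        # script, yet this template also exports Keycloak DB, OpenLDAP
        # admin/config and Postmark relay credentials. Confirm which variables
        # the script reads and drop the `with secret` stanzas it does not need.
        # NOTE(review): quoting. Each value is rendered inside a double-quoted
        # shell string and the file is sourced by /bin/sh, so a secret that
        # contains `"`, `$`, a backtick or `\` would be altered or expanded by
        # the shell. Confirm the stored values avoid these characters, or
        # switch to a rendering that is safe to source.
        vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
          {{ with secret "kv/data/atlas/shared/keycloak-admin" }}
          export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
          export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
          export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
          {{ end }}
          {{ with secret "kv/data/atlas/sso/keycloak-db" }}
          export KC_DB_URL_DATABASE="{{ .Data.data.POSTGRES_DATABASE }}"
          export KC_DB_USERNAME="{{ .Data.data.POSTGRES_USER }}"
          export KC_DB_PASSWORD="{{ .Data.data.POSTGRES_PASSWORD }}"
          {{ end }}
          {{ with secret "kv/data/atlas/shared/portal-e2e-client" }}
          export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}"
          export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}"
          {{ end }}
          {{ with secret "kv/data/atlas/sso/openldap-admin" }}
          export LDAP_ADMIN_PASSWORD="{{ .Data.data.LDAP_ADMIN_PASSWORD }}"
          export LDAP_CONFIG_PASSWORD="{{ .Data.data.LDAP_CONFIG_PASSWORD }}"
          export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}"
          {{ end }}
          {{ with secret "kv/data/atlas/shared/postmark-relay" }}
          export KEYCLOAK_SMTP_USER="{{ index .Data.data "apikey" }}"
          export KEYCLOAK_SMTP_PASSWORD="{{ index .Data.data "apikey" }}"
          {{ end }}
    spec:
      restartPolicy: Never
      affinity:
        nodeAffinity:
          # Hard requirement: schedule only on nodes labelled as workers.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: node-role.kubernetes.io/worker
                    operator: Exists
          # Soft preference: arm64 nodes when one is available.
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              preference:
                matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values: ["arm64"]
      # The Vault annotations above name role "sso"; presumably this service
      # account is the one bound to that role. Verify on the Vault side.
      serviceAccountName: sso-vault
      containers:
        - name: test
          # NOTE(review): mutable tag from a public registry, in a pod that
          # holds admin credentials. Pin by digest
          # (python:3.11-alpine@sha256:<DIGEST_PLACEHOLDER>) or pull from an
          # internal mirror.
          image: python:3.11-alpine
          # The container only runs a Python script, so it needs neither
          # privilege escalation nor Linux capabilities.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          env:
            # NOTE(review): plain HTTP to the in-cluster service. Admin
            # credentials and tokens cross the pod network unencrypted unless
            # the CNI or mesh encrypts that traffic. Confirm.
            - name: KEYCLOAK_SERVER
              value: http://keycloak.sso.svc.cluster.local
            - name: KEYCLOAK_REALM
              value: atlas
            - name: E2E_PROBE_USERNAME
              value: robotuser
            - name: E2E_PROBE_EMAIL
              value: robotuser@bstein.dev
            - name: EXECUTE_ACTIONS_CLIENT_ID
              value: bstein-dev-home
            - name: EXECUTE_ACTIONS_REDIRECT_URI
              value: https://bstein.dev/
          command: ["/bin/sh", "-c"]
          args:
            # -e aborts on the first failing command; -u aborts on any unset
            # variable, including one referenced inside the sourced env file.
            - |
              set -eu
              . /vault/secrets/keycloak-env.sh
              python /scripts/test_keycloak_execute_actions_email.py
          volumeMounts:
            - name: tests
              mountPath: /scripts
              readOnly: true
      volumes:
        - name: tests
          configMap:
            name: portal-e2e-tests
            # Octal r-xr-xr-x. A YAML 1.1 loader reads this as octal (365
            # decimal); a strict YAML 1.2 loader would read decimal 555.
            defaultMode: 0555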