# services/keycloak/realm-settings-job.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: keycloak-realm-settings-5
  namespace: sso
spec:
  backoffLimit: 2
  template:
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: hardware
                    operator: In
                    values: ["rpi5","rpi4"]
                  - key: node-role.kubernetes.io/worker
                    operator: Exists
      restartPolicy: OnFailure
      containers:
        - name: configure
          image: quay.io/keycloak/keycloak:26.0.7
          env:
            - name: KEYCLOAK_SERVER
              value: http://keycloak.sso.svc.cluster.local
            - name: KEYCLOAK_REALM
              value: atlas
            - name: KEYCLOAK_ADMIN_USER
              valueFrom:
                secretKeyRef:
                  name: keycloak-admin
                  key: username
            - name: KEYCLOAK_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-admin
                  key: password
            - name: KEYCLOAK_SMTP_HOST
              value: mailu-front.mailu-mailserver.svc.cluster.local
            - name: KEYCLOAK_SMTP_PORT
              value: "25"
            - name: KEYCLOAK_SMTP_FROM
              value: no-reply@bstein.dev
            - name: KEYCLOAK_SMTP_FROM_NAME
              value: Atlas SSO
            - name: KEYCLOAK_SMTP_REPLY_TO
              value: no-reply@bstein.dev
            - name: KEYCLOAK_SMTP_REPLY_TO_NAME
              value: Atlas SSO
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -euo pipefail
              /opt/keycloak/bin/kcadm.sh config credentials \
                --server "${KEYCLOAK_SERVER}" \
                --realm master \
                --user "${KEYCLOAK_ADMIN_USER}" \
                --password "${KEYCLOAK_ADMIN_PASSWORD}"
              smtp_json="$(cat <<EOF
              {"host":"${KEYCLOAK_SMTP_HOST}","port":"${KEYCLOAK_SMTP_PORT}","from":"${KEYCLOAK_SMTP_FROM}","fromDisplayName":"${KEYCLOAK_SMTP_FROM_NAME}","replyTo":"${KEYCLOAK_SMTP_REPLY_TO}","replyToDisplayName":"${KEYCLOAK_SMTP_REPLY_TO_NAME}","auth":"false","starttls":"false","ssl":"false"}
              EOF
              )"
              /opt/keycloak/bin/kcadm.sh update "realms/${KEYCLOAK_REALM}" \
                -s resetPasswordAllowed=true \
                -s "smtpServer=${smtp_json}"