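# services/keycloak/realm-settings-job.yaml
#
# One-shot Job that logs in to Keycloak as the admin user and PUTs realm
# settings (password reset enabled + SMTP relay) for the realm named in
# KEYCLOAK_REALM.
#
# Security notes for reviewers:
#   * KEYCLOAK_SERVER is an http:// URL, so the admin password and the bearer
#     token cross the cluster network in cleartext. Prefer an https:// service
#     endpoint if Keycloak exposes one inside the cluster.
#   * The SMTP settings written to the realm disable auth, STARTTLS and SSL on
#     port 25, so mail sent by the realm goes to the relay unauthenticated
#     and unencrypted.
#   * NOTE(review): the script uses the master-realm admin password (password
#     grant via admin-cli). A dedicated client limited to managing this realm
#     would reduce the impact of a leaked credential; confirm feasibility.
apiVersion: batch/v1
kind: Job
metadata:
  name: keycloak-realm-settings-6
  namespace: sso
spec:
  backoffLimit: 2
  template:
    spec:
      # The script only calls Keycloak over HTTP and never the Kubernetes API,
      # so no service-account token needs to be mounted into the pod.
      automountServiceAccountToken: false
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              # Both expressions sit in one term, so a node must match both.
              - matchExpressions:
                  - key: hardware
                    operator: In
                    values: ["rpi5", "rpi4"]
                  - key: node-role.kubernetes.io/worker
                    operator: Exists
      restartPolicy: OnFailure
      containers:
        - name: configure
          # The tag is mutable; pinning by digest
          # (python:3.11-alpine@sha256:<digest-placeholder>) keeps a re-tagged
          # image from running with the admin credentials below.
          image: python:3.11-alpine
          # The container only runs a stdlib Python script, so it needs neither
          # root nor any Linux capability.
          securityContext:
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
          env:
            - name: KEYCLOAK_SERVER
              value: http://keycloak.sso.svc.cluster.local
            - name: KEYCLOAK_REALM
              value: atlas
            # Admin credentials come from the keycloak-admin Secret, not from
            # literals in this manifest.
            - name: KEYCLOAK_ADMIN_USER
              valueFrom:
                secretKeyRef:
                  name: keycloak-admin
                  key: username
            - name: KEYCLOAK_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-admin
                  key: password
            - name: KEYCLOAK_SMTP_HOST
              value: mailu-front.mailu-mailserver.svc.cluster.local
            # Quoted so the value stays a string, as env values must be.
            - name: KEYCLOAK_SMTP_PORT
              value: "25"
            - name: KEYCLOAK_SMTP_FROM
              value: no-reply@bstein.dev
            - name: KEYCLOAK_SMTP_FROM_NAME
              value: Atlas SSO
            - name: KEYCLOAK_SMTP_REPLY_TO
              value: no-reply@bstein.dev
            - name: KEYCLOAK_SMTP_REPLY_TO_NAME
              value: Atlas SSO
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -euo pipefail
              python - <<'PY'
              import json
              import os
              import urllib.parse
              import urllib.request

              base_url = os.environ["KEYCLOAK_SERVER"].rstrip("/")
              # Percent-encode the realm so it can only ever be one path segment.
              realm = urllib.parse.quote(os.environ["KEYCLOAK_REALM"], safe="")
              admin_user = os.environ["KEYCLOAK_ADMIN_USER"]
              admin_password = os.environ["KEYCLOAK_ADMIN_PASSWORD"]

              # Password grant against the master realm; the credentials travel in
              # the POST body, never in the URL.
              token_data = urllib.parse.urlencode(
                  {
                      "grant_type": "password",
                      "client_id": "admin-cli",
                      "username": admin_user,
                      "password": admin_password,
                  }
              ).encode()
              token_req = urllib.request.Request(
                  f"{base_url}/realms/master/protocol/openid-connect/token",
                  data=token_data,
                  headers={"Content-Type": "application/x-www-form-urlencoded"},
                  method="POST",
              )
              with urllib.request.urlopen(token_req, timeout=10) as resp:
                  token_body = json.loads(resp.read().decode())
              access_token = token_body["access_token"]

              # Realm settings to apply. The SMTP flags are sent as the strings
              # "false": no authentication, no STARTTLS, no implicit TLS.
              payload = {
                  "resetPasswordAllowed": True,
                  "smtpServer": {
                      "host": os.environ["KEYCLOAK_SMTP_HOST"],
                      "port": os.environ["KEYCLOAK_SMTP_PORT"],
                      "from": os.environ["KEYCLOAK_SMTP_FROM"],
                      "fromDisplayName": os.environ["KEYCLOAK_SMTP_FROM_NAME"],
                      "replyTo": os.environ["KEYCLOAK_SMTP_REPLY_TO"],
                      "replyToDisplayName": os.environ["KEYCLOAK_SMTP_REPLY_TO_NAME"],
                      "auth": "false",
                      "starttls": "false",
                      "ssl": "false",
                  },
              }
              update_req = urllib.request.Request(
                  f"{base_url}/admin/realms/{realm}",
                  data=json.dumps(payload).encode(),
                  headers={
                      "Authorization": f"Bearer {access_token}",
                      "Content-Type": "application/json",
                  },
                  method="PUT",
              )
              # urlopen raises on 4xx/5xx; this also fails the Job on any other
              # status that is not 200 or 204.
              with urllib.request.urlopen(update_req, timeout=10) as resp:
                  if resp.status not in (200, 204):
                      raise SystemExit(f"Unexpected response: {resp.status}")
              PY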