titan-iac/services/keycloak/realm-settings-job.yaml


# services/keycloak/realm-settings-job.yaml
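# One-shot Job: logs in to Keycloak with kcadm.sh as the admin user and
# updates the realm named by KEYCLOAK_REALM. It enables the password-reset
# flow and sets the SMTP relay the realm uses for outgoing mail.
#
# NOTE(review): the admin login goes to a plain http:// in-cluster URL, and
# the SMTP relay is configured with auth, STARTTLS and SSL all off. Anything
# able to observe pod-to-pod traffic can read the admin password and the
# mails Keycloak sends (including password-reset links). Confirm the cluster
# network provides its own encryption, or move both endpoints to TLS.
apiVersion: batch/v1
kind: Job
metadata:
  name: keycloak-realm-settings-4
  namespace: sso
spec:
  backoffLimit: 2
  template:
    spec:
      # The script only talks to Keycloak, never to the Kubernetes API, so
      # no service-account token needs to be mounted into this pod.
      automountServiceAccountToken: false
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              # Both expressions sit in one term, so a node must match both.
              - matchExpressions:
                  - key: hardware
                    operator: In
                    values: ["rpi5", "rpi4"]
                  - key: node-role.kubernetes.io/worker
                    operator: Exists
      restartPolicy: OnFailure
      containers:
        - name: configure
          # NOTE(review): the image is referenced by tag only. Pinning it as
          # quay.io/keycloak/keycloak@sha256:<digest-placeholder> would keep
          # a retagged image from running with the admin credentials below.
          image: quay.io/keycloak/keycloak:26.0.7
          # Least privilege for a container that holds the Keycloak admin
          # password. Assumes the image declares a numeric non-root USER;
          # confirm before rollout.
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
          env:
            - name: KEYCLOAK_SERVER
              value: http://keycloak.sso.svc.cluster.local
            - name: KEYCLOAK_REALM
              value: atlas
            # Admin credentials come from the keycloak-admin Secret and are
            # never written into this manifest.
            - name: KEYCLOAK_ADMIN_USER
              valueFrom:
                secretKeyRef:
                  name: keycloak-admin
                  key: username
            - name: KEYCLOAK_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-admin
                  key: password
            - name: KEYCLOAK_SMTP_HOST
              value: mailu-front.mailu-mailserver.svc.cluster.local
            # Quoted so the env value stays a string, as Kubernetes requires.
            - name: KEYCLOAK_SMTP_PORT
              value: "25"
            - name: KEYCLOAK_SMTP_FROM
              value: no-reply@bstein.dev
            - name: KEYCLOAK_SMTP_FROM_NAME
              value: Atlas SSO
            - name: KEYCLOAK_SMTP_REPLY_TO
              value: no-reply@bstein.dev
            - name: KEYCLOAK_SMTP_REPLY_TO_NAME
              value: Atlas SSO
          # NOTE(review): --password puts the admin secret on the kcadm.sh
          # command line, where it is visible in the process list while the
          # login runs. Recent kcadm releases can read it from the
          # KC_CLI_PASSWORD environment variable instead; confirm for this
          # image version and drop the flag if so.
          # NOTE(review): `set -o pipefail` is not POSIX sh; this relies on
          # /bin/sh in the image being bash. Confirm.
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -euo pipefail
              /opt/keycloak/bin/kcadm.sh config credentials \
                --server "${KEYCLOAK_SERVER}" \
                --realm master \
                --user "${KEYCLOAK_ADMIN_USER}" \
                --password "${KEYCLOAK_ADMIN_PASSWORD}"
              /opt/keycloak/bin/kcadm.sh update "realms/${KEYCLOAK_REALM}" \
                -s resetPasswordAllowed=true \
                -s "smtpServer.host=${KEYCLOAK_SMTP_HOST}" \
                -s "smtpServer.port=${KEYCLOAK_SMTP_PORT}" \
                -s "smtpServer.from=${KEYCLOAK_SMTP_FROM}" \
                -s "smtpServer.fromDisplayName=${KEYCLOAK_SMTP_FROM_NAME}" \
                -s "smtpServer.replyTo=${KEYCLOAK_SMTP_REPLY_TO}" \
                -s "smtpServer.replyToDisplayName=${KEYCLOAK_SMTP_REPLY_TO_NAME}" \
                -s smtpServer.auth=false \
                -s smtpServer.starttls=false \
                -s smtpServer.ssl=false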