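---
# One-shot Job that bootstraps the Keycloak role and database. It connects
# as the pginit user through PgBouncer (port 6432), using the client tools
# shipped in the postgres image.
apiVersion: batch/v1
kind: Job
metadata:
  name: keycloak-db-init-v3
  namespace: pg-init
spec:
  # The finished Job object is garbage-collected 300 seconds after completion.
  ttlSecondsAfterFinished: 300
  template:
    spec:
      # The container is restarted on failure; the script only creates the
      # role and the database when they are missing, so a re-run is safe.
      restartPolicy: OnFailure
      # NOTE(review): no securityContext or resource limits are declared for
      # this pod; confirm that namespace-level policy supplies them.
      containers:
        - name: db-init
          # NOTE(review): postgres:17 is a floating tag; pin it by digest if
          # the Job must always run the same client binaries.
          image: postgres:17
          env:
            # libpq connection settings picked up by psql.
            - name: PGHOST
              value: pgbouncer.default.svc.cluster.local
            - name: PGPORT
              value: "6432"
            - name: PGUSER
              value: pginit
            - name: PGDATABASE
              value: postgres
            # Credential of the pginit user, taken from a Secret.
            - name: PGPASSWORD
              valueFrom:
                secretKeyRef:
                  name: pg-init-secret
                  key: password
            # Password assigned to the keycloak role when it is first created.
            - name: KC_DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-db-bootstrap-secret
                  key: password
          command:
            - bash
            - -ec
            - |
              # Fail early if the bootstrap password is unset or empty.
              : "${KC_DB_PASSWORD:?KC_DB_PASSWORD is empty}"

              # The script is fed on stdin because psql variables and
              # backslash commands are not processed in a -c string. The
              # quoted heredoc delimiter stops bash from expanding anything,
              # so the password is never spliced into SQL by the shell and
              # never appears in the psql argument list. \getenv reads it
              # from the environment and :'kc_pw' emits it as a correctly
              # escaped SQL literal, so a quote character in the password
              # cannot break or alter the statement.
              # ON_ERROR_STOP makes psql exit non-zero on the first error so
              # that `bash -e` fails the container.
              # NOTE(review): the CREATE USER statement still carries the
              # password to the server; server-side statement logging could
              # record it.
              psql -v ON_ERROR_STOP=1 <<'SQL'
              \getenv kc_pw KC_DB_PASSWORD
              SELECT NOT EXISTS (
                SELECT 1 FROM pg_roles WHERE rolname = 'keycloak'
              ) AS need_role \gset
              \if :need_role
                CREATE USER keycloak WITH PASSWORD :'kc_pw';
              \endif
              GRANT keycloak TO pginit;
              SELECT NOT EXISTS (
                SELECT 1 FROM pg_database WHERE datname = 'keycloak'
              ) AS need_db \gset
              \if :need_db
                CREATE DATABASE keycloak OWNER keycloak;
              \endif
              GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak;
              SQL

              # The schema grant has to run while connected to the keycloak
              # database itself.
              psql -v ON_ERROR_STOP=1 -d keycloak \
                -c "GRANT ALL ON SCHEMA public TO keycloak;"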