
[Operator] Network Policy Rules #35598

@pruivo

Description

Follow up on #34659

When Kubernetes network policies are enabled in the Keycloak Operator, the user must be able to configure the rules for the incoming traffic.

The simplest proposal is below, where 3 new attributes are added to the Keycloak CR: http, https and management.

networkPolicy:
    enabled: true
    http: -> array of `NetworkPolicyPeer`
    https: -> array of `NetworkPolicyPeer`
    management: -> array of `NetworkPolicyPeer`

Discussion

No response

Motivation

No response

Details

  • The reason to have http and https attributes is that Keycloak allows ports 8443 (HTTPS) and 8080 (HTTP) to be enabled simultaneously.
  • The NetworkPolicyPeer is a Kubernetes Resource (Reference here).
  • Feature will be moved from "experimental" to "preview" after this change.

Example of a Keycloak CR

networkPolicy:
    enabled: true
    https:
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    management:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: monitoring

  • Allow traffic to the HTTPS port from pods in the namespace myproject that carry the label role with the value frontend.
  • Allow traffic to the management port from all pods in the namespace monitoring (for example, to scrape metrics using Prometheus).
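As an added example (not from this issue or the operator's code), the block below renders the proposed networkPolicy attributes into NetworkPolicy ingress rules and evaluates which sources those rules admit; it assumes port 9000 for the management interface, a hypothetical policy namespace named keycloak, and matchLabels-only selectors (no ipBlock). Note that Kubernetes ORs separate entries of a `from` list, so the https rule above also admits pods in myproject that lack role=frontend; requiring both conditions means placing namespaceSelector and podSelector in the same entry.

```python
# Maps each CR key to the Keycloak port it guards. 8080 and 8443 are from the
# issue; 9000 for the management interface is an assumption (Keycloak's default).
PORT_BY_KEY = {"http": 8080, "https": 8443, "management": 9000}

# Constructed sample: the networkPolicy block of the Keycloak CR from the issue.
SAMPLE_SPEC = {
    "enabled": True,
    "https": [
        {"namespaceSelector": {"matchLabels": {"project": "myproject"}}},
        {"podSelector": {"matchLabels": {"role": "frontend"}}},
    ],
    "management": [
        {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "monitoring"}}},
    ],
}


def render_ingress_rules(spec: dict) -> list[dict]:
    """One ingress rule per configured port. A key that is absent or empty gets
    no rule, so with policyTypes [Ingress] that port stays closed to everyone."""
    rules = []
    for key, port in PORT_BY_KEY.items():
        peers = spec.get(key) or []
        if peers:
            rules.append({"from": list(peers), "ports": [{"protocol": "TCP", "port": port}]})
    return rules


def _selected(selector: dict, labels: dict) -> bool:
    # matchLabels only; an empty selector ({}) selects everything.
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_allows(peer: dict, src_ns: str, src_ns_labels: dict, src_pod_labels: dict, policy_ns: str) -> bool:
    """Semantics of a single NetworkPolicyPeer: selectors inside one peer are
    ANDed; a podSelector without a namespaceSelector is scoped to the policy's
    own namespace. ipBlock peers are not modelled here."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    ns_ok = _selected(ns_sel, src_ns_labels) if ns_sel is not None else src_ns == policy_ns
    pod_ok = _selected(pod_sel, src_pod_labels) if pod_sel is not None else True
    return ns_ok and pod_ok


def ingress_allowed(rules: list[dict], port: int, src_ns: str, src_ns_labels: dict,
                    src_pod_labels: dict, policy_ns: str = "keycloak") -> bool:
    """Separate peers in one `from` list are ORed: any matching peer admits the source."""
    for rule in rules:
        if any(p["port"] == port for p in rule["ports"]) and any(
            peer_allows(peer, src_ns, src_ns_labels, src_pod_labels, policy_ns) for peer in rule["from"]
        ):
            return True
    return False
```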
