README.md.gotmpl
{{ template "chart.header" . }}
{{ template "chart.deprecationWarning" . }}
<!-- markdownlint-disable MD013 -->
{{ template "chart.badgesSection" . }}
<!-- markdownlint-enable MD013 -->
<!-- markdownlint-disable MD013 -->
{{ template "chart.description" . }}
<!-- markdownlint-enable MD013 -->
This chart serves as the template for Validated Patterns charts.
## Notable changes
{{ template "chart.homepageLine" . }}
{{ template "chart.maintainersSection" . }}
{{ template "chart.sourcesSection" . }}
{{ template "chart.requirementsSection" . }}
<!-- markdownlint-disable MD013 MD034 MD060 -->
{{ template "chart.valuesSection" . }}
<!-- markdownlint-enable MD013 MD034 MD060 -->
{{ template "helm-docs.versionFooter" . }}
## Network Policies
This chart supports deploying Kubernetes NetworkPolicies for network isolation
in the Keycloak namespace. Three layers are available:
### Default-deny policy
A namespace-wide default-deny NetworkPolicy that blocks all ingress and egress
traffic for every pod in the namespace unless an explicit allow policy exists.
Enable it by setting:
```yaml
defaultDenyNetworkPolicy:
  enabled: true
```
### Operator-managed ingress policy
The RHBK operator automatically creates and manages a `keycloak-network-policy`
that controls ingress to keycloak pods (ports 8443, 9000, and JGroups 7800/57800).
This policy is owned by the operator and should not be modified — the operator
will revert any changes.
### Per-pod allow rules
When the default-deny policy is enabled, additional NetworkPolicy templates
allow defining fine-grained rules for each pod type:
- `networkPolicy.keycloak` — egress rules for keycloak pods (ingress is
managed by the operator policy above)
- `networkPolicy.postgresql` — ingress and egress rules for PostgreSQL pods
- `networkPolicy.operator` — ingress and egress rules for rhbk-operator pods
Example — allow keycloak egress to DNS and PostgreSQL, PostgreSQL
ingress from keycloak, and operator egress to Kubernetes API:
```yaml
defaultDenyNetworkPolicy:
  enabled: true
networkPolicy:
  keycloak:
    enabled: true
    egress:
      - ports:
          - protocol: UDP
            port: 5353
          - protocol: TCP
            port: 5353
        to:
          - namespaceSelector:
              matchLabels:
                kubernetes.io/metadata.name: openshift-dns
      - ports:
          - protocol: TCP
            port: 5432
        to:
          - podSelector:
              matchLabels:
                app: postgresql-db
  postgresql:
    enabled: true
    ingress:
      - ports:
          - protocol: TCP
            port: 5432
        from:
          - podSelector:
              matchLabels:
                app: keycloak
    egress:
      - ports:
          - protocol: UDP
            port: 5353
          - protocol: TCP
            port: 5353
        to:
          - namespaceSelector:
              matchLabels:
                kubernetes.io/metadata.name: openshift-dns
  operator:
    enabled: true
    egress:
      - ports:
          - protocol: TCP
            port: 443
          - protocol: TCP
            port: 6443
```
Patterns can supply these values via `extraValueFiles` in their
`values-hub.yaml` to keep network policy configuration separate from the main
chart values.
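A default-deny policy also blocks DNS, so a pattern that enables it but omits the DNS egress rule for a pod fails with name-resolution errors rather than an obvious policy denial. The lint below is an added example, not part of this chart: it checks a values fragment (embedded as a constructed sample that mirrors the example above; the `values` layout it assumes is the one shown there) for that mistake and for the two others this section warns about, a pod type left without allow rules under default-deny, and keycloak ingress rules that the operator-owned policy would revert.

```python
# Added lint for this chart's NetworkPolicy values (not part of the chart);
# it assumes the values layout shown in the README example above.
POD_TYPES = ("keycloak", "postgresql", "operator")
DNS_PORTS = {53, 5353}

# Constructed sample mirroring the README example (abbreviated).
SAMPLE_VALUES = {
    "defaultDenyNetworkPolicy": {"enabled": True},
    "networkPolicy": {
        "keycloak": {"enabled": True, "egress": [
            {"ports": [{"protocol": "UDP", "port": 5353}],
             "to": [{"namespaceSelector": {"matchLabels": {
                 "kubernetes.io/metadata.name": "openshift-dns"}}}]},
            {"ports": [{"protocol": "TCP", "port": 5432}],
             "to": [{"podSelector": {"matchLabels": {"app": "postgresql-db"}}}]},
        ]},
        "postgresql": {"enabled": True, "ingress": [
            {"ports": [{"protocol": "TCP", "port": 5432}],
             "from": [{"podSelector": {"matchLabels": {"app": "keycloak"}}}]}]},
        "operator": {"enabled": True, "egress": [
            {"ports": [{"protocol": "TCP", "port": 6443}]}]},
    },
}

def _opens_dns(egress):
    """True if any egress rule allows a DNS port (53 or 5353)."""
    return any(p.get("port") in DNS_PORTS
               for rule in egress for p in rule.get("ports", []))

def _targets_pods(egress):
    """True if any egress rule selects in-cluster pods (reached by DNS name)."""
    return any("podSelector" in peer
               for rule in egress for peer in rule.get("to", []))

def lint_network_policy_values(values):
    """Return findings for a values dict; an empty list means nothing flagged."""
    findings = []
    deny = values.get("defaultDenyNetworkPolicy", {}).get("enabled", False)
    policies = values.get("networkPolicy", {})
    for pod in POD_TYPES:
        cfg = policies.get(pod, {})
        if not cfg.get("enabled", False):
            if deny:  # default-deny with no allow rules leaves the pod isolated
                findings.append(f"{pod}: default-deny enabled but no allow rules")
            continue
        egress = cfg.get("egress", [])
        if deny and _targets_pods(egress) and not _opens_dns(egress):
            findings.append(f"{pod}: egress to pods by selector but no DNS egress")
        if pod == "keycloak" and cfg.get("ingress"):
            findings.append("keycloak: ingress is managed by the operator policy")
    return findings
```

Run it against the merged values a pattern supplies through `extraValueFiles` before applying them; the sample above lints clean, while dropping the DNS rule or disabling one pod type produces a finding.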