Merge pull request #20 from projectsyn/fix-netpol
Disable network policy for Keycloak by default
ccremer authored Jun 9, 2021
2 parents 68b0e9c + c563501 commit 989d1f1
Showing 4 changed files with 57 additions and 2 deletions.
14 changes: 13 additions & 1 deletion class/defaults.yml
@@ -25,6 +25,7 @@ parameters:
enabled: false
annotations: {}
secretName: ${keycloak:fqdn}
controllerNamespace: ingress-nginx
route:
enabled: false
# Labels can be extended in the config hierarchy by providing further
@@ -140,8 +141,19 @@ parameters:
labels: ${keycloak:labels}
host: ${keycloak:fqdn}
networkPolicy:
enabled: true
# Note: Do not enable when using ingress controller with hostNetwork=true.
enabled: false
# Note: On Syn-managed OpenShift4 clusters there should be already NetworkPolicies that allow traffic from Ingress controller out-of-the-box.
extraFrom:
- podSelector:
matchLabels:
app: ingress-nginx
namespaceSelector:
matchLabels:
name: ${keycloak:ingress:controllerNamespace}
service:
# Workaround until https://github.com/codecentric/helm-charts/pull/432 is solved
httpPort: 8080
labels: ${keycloak:labels}
serviceMonitor:
enabled: ${keycloak:monitoring:enabled}
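Review bot: the new `extraFrom` entry hardcodes the pod label `app: ingress-nginx` while the namespace comes from `${keycloak:ingress:controllerNamespace}`; on a cluster whose ingress controller pods carry a different label, enabling the policy would silently block all ingress traffic to Keycloak with no error at apply time. Consider exposing the pod selector labels as a parameter next to `controllerNamespace`. The OpenShift4 comment would also read better above `extraFrom` (or in the docs), since directly under `enabled: false` it looks like a justification for the default rather than for the selector.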
15 changes: 15 additions & 0 deletions component/main.jsonnet
@@ -1,6 +1,7 @@
// main template for keycloak
local kap = import 'lib/kapitan.libjsonnet';
local kube = import 'lib/kube.libjsonnet';
local rl = import 'lib/resource-locker.libjsonnet';
local inv = kap.inventory();
// The hiera parameters for the component
local params = inv.parameters.keycloak;
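Review bot: `lib/resource-locker.libjsonnet` is a new library dependency of this component; make sure it is declared wherever the component's other libraries are, otherwise the import fails at compile time on setups that do not already ship that library.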
@@ -59,9 +60,23 @@ local db_cert_secret = kube.Secret(params.database.tls.certSecretName) {
},
};

// Add a label to the namespace of the ingress-controller for the network policy selector.
local ns_patch =
rl.Patch(
kube.Namespace(params.ingress.controllerNamespace),
{
metadata: {
labels: {
name: params.ingress.controllerNamespace,
},
},
}
);

// Define outputs below
{
'00_namespace': namespace,
[if params.ingress.enabled && params.helm_values.networkPolicy.enabled then '01_ingress_controller_ns_patch']: ns_patch,
'10_admin_secret': admin_secret,
'11_db_secret': db_secret,
[if params.database.tls.enabled then '12_db_certs']: db_cert_secret,
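Review bot: `ns_patch` writes a `name` label onto the ingress controller's namespace, a resource this component does not own, and `name` is a generic key that another owner may already set to a different value; the patch would overwrite it without warning. A component-specific label key would avoid the collision. Note also that the label is never removed when `networkPolicy.enabled` is later set back to false, which is worth a sentence in the docs, and that the output condition requires `params.ingress.enabled` as well, so the parameter reference should state both conditions.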
20 changes: 19 additions & 1 deletion docs/modules/ROOT/pages/explanations/default-features.adoc
@@ -9,8 +9,26 @@ This page gives an overview over the defaults.

- Installs single-node PostgreSQL as the built-in database provider
- Encrypted connection to database
- Enabled network policies to protect from unexpected connections
- Enabled network policy for database to protect from unexpected connections
- Prometheus ServiceMonitor to scrape metrics
- 2 replicas of Keycloak, with anti-affinity
- Enabled Ingress
- Configured requests and limits for CPU and memory resources

== Disabled features

=== Network policy for Keycloak

This component also supports installing a network policy to better control which pods can connect to Keycloak.
The network policy is disabled by default since it depends on the cluster setup whether they work correctly or not.

[WARNING]
====
Do not enable network policy if your cluster has an ingress controller installed where its pods are using the host network (`hostNetwork: true)`.
At least with the Calico network plugin, network policy label selectors targeting the host networked ingress pods do not work.
We recommend to keep this feature disabled in that case.
====

However, if you don't need an ingress controller to connect to Keycloak, or using an ingress controller that doesn't use host network, network policy might be enabled.

NOTE: The network policy for the built-in database is not affected and is enabled by default (if using the built-in database).
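Review bot: a few wording fixes in the new section: in the warning, the closing backtick after `true)` belongs before the parenthesis so that only `hostNetwork: true` is rendered as code; "We recommend to keep this feature disabled" reads better as "We recommend keeping this feature disabled"; and "or using an ingress controller that doesn't use host network, network policy might be enabled" should be "or are using an ingress controller that doesn't use the host network, the network policy can be enabled". It would also help to mention here that the policy relies on `ingress.controllerNamespace` matching the namespace of the ingress controller, since the default assumes `ingress-nginx`.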
10 changes: 10 additions & 0 deletions docs/modules/ROOT/pages/references/parameters.adoc
@@ -132,6 +132,16 @@ default:: `${keycloak:fqdn}`
Allows overwriting the default TLS secret name of `${keycloak:fqdn}`.


== `ingress.controllerNamespace`

[horizontal]
type:: string
default:: `ingress-nginx`

The namespace where the ingress controller is running.
This is only relevant when enabling the network policy with `helm_values.networkPolicy.enabled`.


== `route.enabled`

[horizontal]
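Review bot: the sentence "This is only relevant when enabling the network policy with `helm_values.networkPolicy.enabled`" is incomplete: in `component/main.jsonnet` the namespace patch that sets the selector label is only emitted when `ingress.enabled` is also true, so the value has no effect unless both are enabled. Stating both conditions here avoids a policy that references a label nothing applies.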