{{- /*
Copyright VMware, Inc.
SPDX-License-Identifier: APACHE-2.0
*/}}

{{- /*
NetworkPolicy for the Keycloak pods.

Rendered only when networkPolicy.enabled is set. Both Ingress and Egress are
listed under policyTypes, so once this object exists, traffic in either
direction that is not matched by one of the rules below is dropped for the
selected pods. Rule-level switches read from values:
  - networkPolicy.allowExternalEgress: replaces the whole egress section with a
    single unrestricted rule.
  - networkPolicy.allowExternal: when true, the ingress rule carries no `from`,
    so the listed container ports accept traffic from any source.
  - networkPolicy.extraEgress / extraIngress (additionalRules): free-form rules
    appended verbatim after the generated ones.
*/}}
{{- if .Values.networkPolicy.enabled }}
kind: NetworkPolicy
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
metadata:
  name: {{ template "common.names.fullname" . }}
  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
    app.kubernetes.io/component: keycloak
  {{- if .Values.commonAnnotations }}
  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
  {{- end }}
spec:
  {{- /* podLabels are merged over commonLabels so user-supplied pod labels take part in the selector. */}}
  {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
  # Target: pods carrying the chart's match labels AND the keycloak component label.
  podSelector:
    matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
      app.kubernetes.io/component: keycloak
  policyTypes:
    - Ingress
    - Egress
  {{- if .Values.networkPolicy.allowExternalEgress }}
  # An empty rule matches every destination and port: egress is effectively unrestricted.
  egress:
    - {}
  {{- else }}
  egress:
    # Allow dns resolution
    # This rule has no `to`, so ports 53/UDP, 53/TCP and the kube-apiserver
    # ports below are reachable at ANY destination, not only cluster DNS.
    - ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
        # Entries from networkPolicy.kubeAPIServerPorts; protocol is omitted,
        # so Kubernetes applies its default (TCP).
        {{- range $port := .Values.networkPolicy.kubeAPIServerPorts }}
        - port: {{ $port }}
        {{- end }}
    # Allow connection to PostgreSQL
    # The database port comes from the keycloak.databasePort helper (quotes
    # stripped, cast to int). The `to` selector is only emitted for the
    # bundled PostgreSQL subchart; with an external database this rule has no
    # `to`, so the port is reachable at any destination.
    - ports:
        - port: {{ include "keycloak.databasePort" . | trimAll "\"" | int }}
      {{- if .Values.postgresql.enabled }}
      to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: postgresql
              app.kubernetes.io/instance: {{ .Release.Name }}
      {{- end }}
    # Allow connection to other keycloak nodes
    # Cluster (infinispan) and HTTP/HTTPS traffic between pods of this release
    # that carry the keycloak component label; https is listed only when TLS is on.
    - ports:
        - port: {{ .Values.containerPorts.infinispan }}
        - port: {{ .Values.containerPorts.http }}
        {{- if .Values.tls.enabled }}
        - port: {{ .Values.containerPorts.https }}
        {{- end }}
      to:
        - podSelector:
            matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
              app.kubernetes.io/component: keycloak
    # User-supplied egress rules are rendered as further list items (nindent 4
    # places them at the same level as the rules above); they are not validated here.
    {{- if .Values.networkPolicy.extraEgress }}
    {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
    {{- end }}
  {{- end }}
  ingress:
    # Single rule covering the infinispan, http and (with TLS) https container ports.
    # NOTE(review): when networkPolicy.allowExternal is true no `from` is rendered,
    # so every listed port, including the infinispan cluster port, accepts traffic
    # from any source. Confirm that exposure of the cluster port is intended.
    - ports:
        - port: {{ .Values.containerPorts.infinispan }}
        - port: {{ .Values.containerPorts.http }}
        {{- if .Values.tls.enabled }}
        - port: {{ .Values.containerPorts.https }}
        {{- end }}
      {{- if not .Values.networkPolicy.allowExternal }}
      # Peers are OR-ed: a source matching any one entry is allowed.
      from:
        # 1. Any pod of this release carrying the chart's match labels (no
        #    component restriction here, unlike the egress peer rule above).
        - podSelector:
            matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
        # 2. Pods that opt in with the "<fullname>-client: true" label.
        - podSelector:
            matchLabels:
              {{ template "common.names.fullname" . }}-client: "true"
        # 3. Optional: pods in namespaces matching ingressNSMatchLabels. When
        #    ingressNSPodMatchLabels is also set, the podSelector lives in the
        #    same list entry, so both namespace and pod labels must match.
        #    Keys and values are quoted to avoid implicit YAML typing.
        {{- if .Values.networkPolicy.ingressNSMatchLabels }}
        - namespaceSelector:
            matchLabels:
              {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }}
              {{ $key | quote }}: {{ $value | quote }}
              {{- end }}
          {{- if .Values.networkPolicy.ingressNSPodMatchLabels }}
          podSelector:
            matchLabels:
              {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }}
              {{ $key | quote }}: {{ $value | quote }}
              {{- end }}
          {{- end }}
        {{- end }}
      {{- end }}
    # Extra ingress rules: additionalRules is read first (presumably the older
    # value name, kept for compatibility -- verify against values.yaml), then
    # extraIngress. Rendered verbatim as further list items.
    {{- $extraIngress := coalesce .Values.networkPolicy.additionalRules .Values.networkPolicy.extraIngress }}
    {{- if $extraIngress }}
    {{- include "common.tplvalues.render" ( dict "value" $extraIngress "context" $ ) | nindent 4 }}
    {{- end }}
{{- end }}