Enable NetworkPolicy by default

Closes #1072 Signed-off-by: Pedro Ruivo <[email protected]> Signed-off-by: Alexander Schwartz <[email protected]> Co-authored-by: Alexander Schwartz <[email protected]>
keycloak · Dec 6, 2024 · 5061f0e · 5061f0e
1 parent b90b9c4
commit 5061f0e
Show file tree

Hide file tree

Showing 8 changed files with 16 additions and 5 deletions.
diff --git a/.github/workflows/provision-minikube.yml b/.github/workflows/provision-minikube.yml
@@ -53,12 +53,12 @@ jobs:
       - name: Setup minikube-Kubernetes
         uses: manusa/[email protected]
         with:
-          minikube version: 'v1.28.0'
+          minikube version: 'v1.32.0'
           # the version of Kubernetes needs to be in-sync with `rebuild.sh`
-          kubernetes version: 'v1.25.3'
+          kubernetes version: 'v1.27.10'
           github token: ${{ secrets.GITHUB_TOKEN }}
           driver: docker
-          start args: --memory 4096
+          start args: --addons=ingress --memory 4096 --cni cilium
       - name: Provision on PostgreSQL DB
         working-directory: provision/minikube
         run: |

diff --git a/provision/common/Taskfile.yaml b/provision/common/Taskfile.yaml
@@ -30,6 +30,7 @@ vars:
   ENV_DATA_JSON_PATH: "{{.ROOT_DIR}}/../environment_data.json"
   KC_REPOSITORY: '{{default "" .KC_REPOSITORY}}'
   KC_BRANCH: '{{default "" .KC_BRANCH}}'
+  KC_NETWORK_POLICY: '{{default "true" .KC_NETWORK_POLICY}}'
 tasks:
 
   split:
@@ -76,6 +77,7 @@ tasks:
       - echo {{.KC_EXTERNAL_INFINISPAN}} > .task/var-KC_EXTERNAL_INFINISPAN
       - echo {{.KC_HOSTNAME_OVERRIDE}} > .task/var-KC_HOSTNAME_OVERRIDE
       - echo {{.KC_HEALTH_HOSTNAME}} > .task/var-KC_HEALTH_HOSTNAME
+      - echo {{.KC_NETWORK_POLICY}} > .task/var-KC_NETWORK_POLICY
       - |
         jq -n --arg cpu_requests_per_pod "{{ .KC_CPU_REQUESTS }}" \
           --arg cpu_limits_per_pod "{{ .KC_CPU_LIMITS }}" \
@@ -146,6 +148,7 @@ tasks:
       - test "{{.KC_EXTERNAL_INFINISPAN}}" == "$(cat .task/var-KC_EXTERNAL_INFINISPAN)"
       - test "{{.KC_HOSTNAME_OVERRIDE}}" == "$(cat .task/var-KC_HOSTNAME_OVERRIDE)"
       - test "{{.KC_HEALTH_HOSTNAME}}" == "$(cat .task/var-KC_HEALTH_HOSTNAME)"
+      - test "{{.KC_NETWORK_POLICY}}" == "$(cat .task/var-KC_NETWORK_POLICY)"
 
   mvnw:
     dir: ../..

diff --git a/provision/keycloak-tasks/Utils.yaml b/provision/keycloak-tasks/Utils.yaml
@@ -258,6 +258,7 @@ tasks:
         --set externalInfinispan={{ .KC_EXTERNAL_INFINISPAN }}
         --set multiSite={{ .KC_MULTI_SITE }}
         --set nodePortsEnabled=false
+        --set networkPolicy.enabled={{ .KC_NETWORK_POLICY }}
         ../minikube/keycloak
     preconditions:
       - test -f {{.KUBECONFIG}}

diff --git a/provision/minikube/Taskfile.yaml b/provision/minikube/Taskfile.yaml
@@ -222,6 +222,7 @@ tasks:
         --set infinispan.remoteStore.enabled={{ .KC_REMOTE_STORE }}
         --set infinispan.remoteStore.host={{ .KC_REMOTE_STORE_HOST }}
         --set infinispan.remoteStore.port={{ .KC_REMOTE_STORE_PORT }}
+        --set networkPolicy.enabled={{ .KC_NETWORK_POLICY }}
         keycloak
       - >
         bash -c '

diff --git a/provision/minikube/keycloak/templates/keycloak.yaml b/provision/minikube/keycloak/templates/keycloak.yaml
@@ -50,6 +50,10 @@ spec:
       haproxy.router.openshift.io/balance: roundrobin
       haproxy.router.openshift.io/disable_cookies: 'true'
 {{end}}
+  {{- if .Values.networkPolicy.enabled }}
+  networkPolicy:
+    enabled: true
+  {{- end }}
 {{ if .Values.keycloakImage }}
   image: {{ .Values.keycloakImage }} # <2>
   startOptimized: {{ .Values.startOptimized }} # <2>

diff --git a/provision/minikube/keycloak/values.yaml b/provision/minikube/keycloak/values.yaml
@@ -51,3 +51,5 @@ infinispan:
     enabled: false
     port: 11222
     username: developer
+networkPolicy:
+  enabled: true
diff --git a/provision/minikube/rebuild.sh b/provision/minikube/rebuild.sh
@@ -38,8 +38,7 @@ if [ "$GITHUB_ACTIONS" == "" ]; then
   minikube config set driver ${DRIVER}
   minikube config set container-runtime docker
   # the version of Kubernetes needs to be in-sync with `provision-minikube.yml`
-  minikube start --disk-size=64GB --container-runtime=docker --driver=${DRIVER} --docker-opt="default-ulimit=nofile=102400:102400" --kubernetes-version=v1.25.3
+  minikube start --addons=ingress --disk-size=64GB --container-runtime=docker --driver=${DRIVER} --docker-opt="default-ulimit=nofile=102400:102400" --kubernetes-version=v1.27.10 --cni cilium
 fi
-minikube addons enable ingress
 rm -rf .task
 echo "Minikube initialized. Now run 'task' to provision it with Keycloak"
diff --git a/provision/openshift/Taskfile.yaml b/provision/openshift/Taskfile.yaml
@@ -277,6 +277,7 @@ tasks:
         --set externalInfinispan={{ .KC_EXTERNAL_INFINISPAN }}
         --set multiSite={{ .KC_MULTI_SITE }}
         --set nodePortsEnabled=false
+        --set networkPolicy.enabled={{ .KC_NETWORK_POLICY }}
         ../minikube/keycloak
       - >
         bash -c '