From 928e57eddc562808e015f654cd3d28d109aa42fb Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Sun, 25 Sep 2022 22:43:50 +0200
Subject: [PATCH] feat(keycloak): Add networkpolicy for inifispan to helm chart

This patch provides a network policy for infinispan that will allow
communication among keycloak pods to the infinispan ping port. This
should provide a first layer of firewall protection for the infinispan
protocol.
---
 charts/keycloak/Chart.yaml                   |  2 +-
 charts/keycloak/README.md                    |  3 ++-
 charts/keycloak/templates/networkpolicy.yaml | 17 +++++++++++++++++
 3 files changed, 20 insertions(+), 2 deletions(-)
 create mode 100644 charts/keycloak/templates/networkpolicy.yaml

diff --git a/charts/keycloak/Chart.yaml b/charts/keycloak/Chart.yaml
index 196681a5c..36598eaf2 100644
--- a/charts/keycloak/Chart.yaml
+++ b/charts/keycloak/Chart.yaml
@@ -7,5 +7,5 @@ icon: https://www.keycloak.org/resources/images/keycloak_icon_512px.svg
 sources:
   - https://git.shivering-isles.com/shivering-isles/infrastructure-gitops
   - https://github.com/keycloak/keycloak
-version: 0.2.2
+version: 0.3.0
 appVersion: "19.0.2"
diff --git a/charts/keycloak/README.md b/charts/keycloak/README.md
index e5887acf0..78aef9ec4 100644
--- a/charts/keycloak/README.md
+++ b/charts/keycloak/README.md
@@ -1,6 +1,6 @@
 # keycloak
 
-![Version: 0.2.2](https://img.shields.io/badge/Version-0.2.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 19.0.2](https://img.shields.io/badge/AppVersion-19.0.2-informational?style=flat-square)
+![Version: 0.3.0](https://img.shields.io/badge/Version-0.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 19.0.2](https://img.shields.io/badge/AppVersion-19.0.2-informational?style=flat-square)
 
 (Alpha) A Helm chart for Keycloak on Kubernetes
 
@@ -43,6 +43,7 @@
 | metrics.interval | string | `nil` |  |
 | metrics.scrapeTimeout | string | `nil` |  |
 | nameOverride | string | `""` |  |
+| networkPolicy.create | bool | `false` | Creates a network policy for inifispan communication, does **not** take care of database or ingress communication |
 | nodeSelector | object | `{}` |  |
 | podAnnotations | object | `{}` |  |
 | podSecurityContext | object | `{}` |  |
diff --git a/charts/keycloak/templates/networkpolicy.yaml b/charts/keycloak/templates/networkpolicy.yaml
new file mode 100644
index 000000000..273639bc4
--- /dev/null
+++ b/charts/keycloak/templates/networkpolicy.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.networkPolicy.create -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "keycloak.fullname" . }}-allow-infinispan
+  labels:
+    {{- include "keycloak.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    {{- include "keycloak.selectorLabels" . | nindent 4 }}
+  ingress:
+    - from:
+        - podSelector:
+            {{- include "keycloak.selectorLabels" . | nindent 12 }}
+      ports:
+        - port: 7800
+{{- end }}
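Review bot: Both `podSelector` blocks (lines 62-63 and 66-67) place the output of `keycloak.selectorLabels` directly under the selector; if that helper emits bare label lines, as the standard Helm scaffold's does, the rendered LabelSelector has no `matchLabels:` wrapper, and the API server will presumably either reject the object or, where unknown fields are pruned, treat both selectors as empty — which would isolate every pod in the namespace for ingress and admit port 7800 from every pod in it, the opposite of the intent. Wrap each selector in `matchLabels:` and raise the `nindent` values accordingly (below); rendering with `helm template` and a server-side dry-run apply would confirm. Separately, once this policy selects the Keycloak pods they are isolated for all ingress, so HTTP traffic from the ingress controller and metrics scrapes are dropped unless another policy admits them — worth a template comment such as `# Selecting the pods isolates them for Ingress; HTTP/metrics need a separate policy.` Consider also stating `protocol: TCP` explicitly and sourcing `7800` from values rather than hard-coding it.
```yaml
# … unchanged: apiVersion, kind, metadata …
spec:
  podSelector:
    matchLabels:
      {{- include "keycloak.selectorLabels" . | nindent 6 }}
  ingress:
    - from:
        - podSelector:
            matchLabels:
              {{- include "keycloak.selectorLabels" . | nindent 14 }}
      ports:
        - port: 7800
          protocol: TCP
```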
-- 
GitLab