Keycloak net policy

Summary

Adds network policies for keycloak

Closes https://repo1.dso.mil/platform-one/big-bang/bigbang/-/issues/443

marked this merge request as ready

added statusreview label

added keycloak label

Package MR: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak/-/merge_requests/20/diffs

https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak/-/blob/main/chart/templates/bigbang/network-policies/allow-monitoring.yaml#L1

https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak/-/blob/main/chart/templates/bigbang/network-policies/allow-internal-postgres.yaml#L1

And then also the "always allow/deny" policies.

Missing networkPolicies.enabled. I'm guessing that last group was pre-existing NPs, but is there any reason we can't slap the conditional on all of these?

approved this merge request

changed the description

Has there been testing without this policy present https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak/-/blob/main/chart/templates/bigbang/network-policies/always-allow-https.yaml

That policy makes the allow-monitoring and allow-istio networkpolicies redundant it looks like. And removing it would make Keycloak be even more secure instead of cluster open > keycloak httpManagementPort

resolved all threads

approved this merge request

merged

mentioned in commit 977b2653

changed milestone to %1.10.0