From 5c8859f69dd4ef47a50dc62bd66ec6832773fe8d Mon Sep 17 00:00:00 2001
From: Andrew Becker
Date: Tue, 29 Nov 2022 21:25:52 +0000
Subject: [PATCH] Create NetPol to allow Ingress to RHSSO

NetPol is created only if external access is enabled.
---
 roles/tackle/tasks/main.yml | 6 ++++++
 .../customresource-rhsso-keycloak.yml.j2 | 3 +++
 .../networkpolicy-rhsso-keycloak.yml.j2 | 16 ++++++++++++++++
 3 files changed, 25 insertions(+)
 create mode 100644 roles/tackle/templates/networkpolicy-rhsso-keycloak.yml.j2

diff --git a/roles/tackle/tasks/main.yml b/roles/tackle/tasks/main.yml
index 70d7c0e..eae7e60 100644
--- a/roles/tackle/tasks/main.yml
+++ b/roles/tackle/tasks/main.yml
@@ -145,6 +145,12 @@
 retries: 30
 delay: 5
 
+ - name: "Create RHSSO Ingress Network Policy"
+ k8s:
+ state: present
+ definition: "{{ lookup('template', 'networkpolicy-rhsso-keycloak.yml.j2') }}"
+ when: rhsso_external_access | bool
+
 - name: "Setup PathFinder PostgreSQL PersistentVolume"
 k8s:
 state: present
diff --git a/roles/tackle/templates/customresource-rhsso-keycloak.yml.j2 b/roles/tackle/templates/customresource-rhsso-keycloak.yml.j2
index fa8a751..7e2abc0 100644
--- a/roles/tackle/templates/customresource-rhsso-keycloak.yml.j2
+++ b/roles/tackle/templates/customresource-rhsso-keycloak.yml.j2
@@ -10,3 +10,6 @@ spec:
 instances: 1
 externalAccess:
 enabled: {{ rhsso_external_access }}
+ keycloakDeploymentSpec:
+ podlabels:
+ role: {{ rhsso_service_name }}
diff --git a/roles/tackle/templates/networkpolicy-rhsso-keycloak.yml.j2 b/roles/tackle/templates/networkpolicy-rhsso-keycloak.yml.j2
new file mode 100644
index 0000000..fa6da88
--- /dev/null
+++ b/roles/tackle/templates/networkpolicy-rhsso-keycloak.yml.j2
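Review bot: The new task only ever converges toward `state: present`, so a NetworkPolicy created while `rhsso_external_access` was true survives a later run with it set to false, leaving the ingress opening in place after external access has been disabled. A mirrored task with the same `definition`, `state: absent` and `when: not rhsso_external_access | bool` would let the role converge in both directions. The hunk is cut from the middle of the role's task list, so the surrounding list context is outside this view.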
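Review bot: The templated value on the added `role:` line is unquoted, so whatever `rhsso_service_name` expands to is re-parsed by YAML; an empty, all-digit or boolean-looking name would be retyped and then fail to match the `role:` in the NetworkPolicy's `podSelector`, which needs a string label value. Quoting it, `role: "{{ rhsso_service_name }}"`, keeps the label a string regardless of the variable's content. The same applies to the unquoted `{{ rhsso_service_name }}` and `{{ app_namespace }}` expansions in the new networkpolicy-rhsso-keycloak.yml.j2 template. The existing unquoted `enabled: {{ rhsso_external_access }}` feeds a boolean field, so that one is fine as is.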
@@ -0,0 +1,16 @@
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: {{ rhsso_service_name }}-external
+ namespace: {{ app_namespace }}
+ labels:
+ app: {{ rhsso_service_name }}
+spec:
+ podSelector:
+ matchLabels:
+ role: {{ rhsso_service_name }}
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: {{ rhsso_port }}
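Review bot: The single `ingress` rule carries only `ports` and no `from`, so it admits any peer that can reach the selected pods on `rhsso_port` — every namespace in the cluster, and possibly external addresses depending on the CNI — rather than just the router that the external-access route needs. Since the task rendering this template runs only when `rhsso_external_access` is enabled, the intent appears to be router traffic; a `from` with a `namespaceSelector` for the ingress namespace (on OpenShift the documented `network.openshift.io/policy-group: ingress` label) scopes the rule to that path, and any in-cluster clients that also need RH-SSO can then be listed explicitly. Adding `policyTypes: [Ingress]` also states the policy's scope instead of relying on the default inferred from the presence of `ingress`.
```yaml
spec:
  # … unchanged: podSelector …
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              network.openshift.io/policy-group: ingress
      ports:
        - protocol: TCP
          port: {{ rhsso_port }}
```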