Add NetworkPolicy for the Keycloak namespace#135

Open
p-rog wants to merge 22 commits into
validatedpatterns:mainfrom
p-rog:network-policy
Conversation

@p-rog
Collaborator

@p-rog p-rog commented May 20, 2026

Adds network isolation for the keycloak-system namespace using the default-deny + per-pod allow pattern (same approach as Vault in PR #18).

Depends on rhbk-chart PR #10 (merged) which adds the NetworkPolicy templates to the wrapper chart.

Changes:

  • Add overrides/values-keycloak-network-policy.yaml with per-pod rules for keycloak, postgresql-db, rhbk-operator, and realm import job
  • Enable via extraValueFiles in values-hub.yaml for the rh-keycloak application

Per-pod rules:

  • Keycloak egress: DNS, PostgreSQL (5432), JGroups clustering (7800/57800), Kubernetes API, SPIRE OIDC (443)
  • PostgreSQL: ingress from keycloak and realm import pods only (5432), egress DNS only
  • Operator: egress DNS, Kubernetes API, Keycloak management (9000), Keycloak HTTPS (8443)
  • Realm import job: egress DNS, PostgreSQL, Kubernetes API, Keycloak HTTPS

The operator-managed keycloak-network-policy (ingress for keycloak pods) is left untouched.

Tested on OCP 4.21 — Keycloak login, OIDC from ACS/qtodo, SPIFFE federated auth, JGroups clustering, operator reconciliation, and realm import job all verified working with policies applied.
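The default-deny plus per-pod allow layout the description lists, written out as plain NetworkPolicy objects so the shape of the rules is visible. This is an added example, not the rhbk-chart templates this PR enables: the namespace and port numbers come from the PR text, while the pod and namespace labels (except `app=keycloak`, which the review thread names), the `openshift-dns` namespace with CoreDNS listening on 5353, the API server port 6443 and the SPIRE namespace `spire` are assumptions to be replaced with the real values. The operator and realm-import egress policies follow the same shape and are omitted.

```yaml
# Added example, not the PR's chart templates. Labels marked "assumed" are
# hypothetical; namespace and ports are taken from the PR description.
---
# 1. Default deny: selects every pod in keycloak-system and allows nothing,
#    so each workload needs an explicit allow policy below.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: keycloak-system
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
# 2. Keycloak egress only. Ingress (8443, 7800/57800, 9000) is left to the
#    operator-managed keycloak-network-policy and is not restated here.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: keycloak-egress-network-policy
  namespace: keycloak-system
spec:
  podSelector:
    matchLabels:
      app: keycloak                      # label named in the review thread
  policyTypes: [Egress]
  egress:
    - to:                                # DNS: assumed openshift-dns namespace,
        - namespaceSelector:             # CoreDNS pods listening on 5353
            matchLabels:
              kubernetes.io/metadata.name: openshift-dns
      ports:
        - {protocol: UDP, port: 5353}
        - {protocol: TCP, port: 5353}
    - to:                                # PostgreSQL (assumed pod label)
        - podSelector:
            matchLabels:
              app: postgresql-db
      ports:
        - {protocol: TCP, port: 5432}
    - to:                                # JGroups clustering between replicas
        - podSelector:
            matchLabels:
              app: keycloak
      ports:
        - {protocol: TCP, port: 7800}
        - {protocol: TCP, port: 57800}
    - ports:                             # Kubernetes API: no `to` means any
        - {protocol: TCP, port: 6443}    # destination on 6443 (assumed port)
    - to:                                # SPIRE OIDC (assumed namespace)
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: spire
      ports:
        - {protocol: TCP, port: 443}
---
# 3. PostgreSQL: ingress from keycloak and realm-import pods only,
#    egress to DNS only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: postgresql-network-policy
  namespace: keycloak-system
spec:
  podSelector:
    matchLabels:
      app: postgresql-db                 # assumed pod label
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: keycloak
        - podSelector:
            matchLabels:
              job-name: realm-import     # assumed label on the import job's pods
      ports:
        - {protocol: TCP, port: 5432}
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: openshift-dns
      ports:
        - {protocol: UDP, port: 5353}
        - {protocol: TCP, port: 5353}
```

Two details worth checking when adapting this: NetworkPolicy port rules match the pod's container port, not the Service port, so DNS must be opened on the port CoreDNS actually listens on (verify with `oc get svc dns-default -n openshift-dns -o yaml`); and an egress rule that lists only `ports` with no `to` allows 6443 to any address, which is the usual compromise because the API server is reached through a host address rather than a pod selector. Confirm isolation after applying by running a connection attempt from a pod that should be denied (for example `oc exec` into a postgresql pod and trying to reach the Keycloak HTTPS port) and checking that it times out.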

Przemyslaw Roguski and others added 22 commits April 9, 2026 19:04
…ft.io/ingress: triggers OVN-K's special ACL handling for host-network traffic
…answers on both an internal hostname (for back-channel) and an external hostname (for browser redirects)
@p-rog p-rog requested review from minmzzhang, mlorenzofr and sabre1041 and removed request for minmzzhang and sabre1041 May 20, 2026 15:38
Collaborator

@mlorenzofr mlorenzofr left a comment

It works well

Quick question, now that I'm reviewing it: Do we want to add the keycloak app to the NetworkPolicy (pod keycloak-0 / label app=keycloak)?

@p-rog
Collaborator Author

p-rog commented May 21, 2026

> Quick question, now that I'm reviewing it: Do we want to add the keycloak app to the NetworkPolicy (pod keycloak-0 / label app=keycloak)?

The keycloak pod ingress is already handled by the operator-managed keycloak-network-policy. The RHBK operator creates and maintains it automatically (ports 8443, 7800/57800, 9000). I decided not to duplicate or override it since the operator would revert any changes. Our keycloak-egress-network-policy covers only the egress side which the operator doesn't manage.

@p-rog p-rog closed this May 21, 2026
@p-rog p-rog reopened this May 21, 2026
@p-rog p-rog requested review from minmzzhang and sabre1041 May 21, 2026 16:47