fix: account for keycloak HA ports (#619)

## Description
Fixes a number of issues to fix support Keycloak for HA deployments
* scopes AuthorizationPolicy to port 8080 (http) to avoid denying
JGroups traffic
* adds 7800 and 57800 to headless service and pod to ensure Istio routes
traffic correctly.
* adds network policy to allow internamespace traffic on 7800 + 57800

Note: It was not immediately obvious that port 57800 is used by
Keycloak's HA deployment. I noticed traffic on 57800 when debugging and
did some research and determined it was related to used for Infinispan's
"failure discovery protocol". The number is computed based on the [port
offset](https://infinispan.org/docs/stable/titles/server/server.html#jgroups-system-properties_cluster-transport),
so port offset (50000) + 7800 = 57800.
 
## Related Issue
Fixes #620

## Type of change

- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [ ] Test, docs, adr added or updated as needed
- [ ] [Contributor
Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md)
followed

Author: rjferguson21

.github/workflows/slim-dev-test.yaml

@@ -11,7 +11,7 @@ on:
       - src/istio/*
       - src/prometheus-stack/*
       - packages/slim-dev/*
-      - bundles/core-slim-dev/*
+      - bundles/k3d-slim-dev/*
       - .github/workflows/slim-dev*
 
 # Permissions for the GITHUB_TOKEN used by the workflow.

bundles/k3d-slim-dev/uds-bundle.yaml

@@ -36,8 +36,6 @@ packages:
     # x-release-please-start-version
     ref: 0.24.1
     # x-release-please-end
-    optionalComponents:
-      - metrics-server
     overrides:
       istio-admin-gateway:
         uds-istio-config:

src/istio/oscal-component.yaml

@@ -425,6 +425,7 @@ component-definition:
                   "to": [
                     {
                       "operation": {
+                        "ports": ["8080"],
                         "paths": ["/admin*", "/realms/master*"]
                       }
                     }

src/keycloak/chart/templates/istio-admin.yaml

@@ -12,6 +12,8 @@ spec:
   rules:
     - to:
         - operation:
+            ports: 
+              - "8080"
             paths:
               - "/admin*"
               - "/realms/master*"
@@ -21,6 +23,8 @@ spec:
               - istio-admin-gateway
     - to:
         - operation:
+            ports: 
+              - "8080"
             paths:
             - /metrics*
       from:
@@ -30,16 +34,23 @@ spec:
             - monitoring
     - to:
         - operation:
+            ports: 
+              - "8080"
             paths:
               # Never allow anonymous client registration except from the pepr-system namespace
               # This is another fallback protection, as the KC policy already blocks it
               - "/realms/{{ .Values.realm }}/clients-registrations/*"
       from:
         - source:
-            notNamespaces: ["pepr-system"]
+            notNamespaces: 
+              - "pepr-system"
     - when:
         - key: request.headers[istio-mtls-client-certificate]
           values: ["*"]
+      to:
+        - operation:
+            ports: 
+              - "8080"
       from:
         - source:
             notNamespaces:

src/keycloak/chart/templates/service-headless.yaml

@@ -14,5 +14,13 @@ spec:
       port: 80
       targetPort: http
       protocol: TCP
+    - name: tcp
+      port: 7800
+      targetPort: tcp
+      protocol: TCP
+    - name: tcp-fd
+      port: 57800
+      targetPort: tcp-fd
+      protocol: TCP
   selector:
     {{- include "keycloak.selectorLabels" . | nindent 4 }}

src/keycloak/chart/templates/statefulset.yaml

@@ -136,7 +136,7 @@ spec:
             # java opts for jgroups required for infinispan distributed cache when using the kubernetes stack.
             # https://www.keycloak.org/server/caching
             - name: JAVA_OPTS_APPEND
-              value: -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless
+              value: -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless.keycloak.svc.cluster.local
 
             # Postgres database configuration
             - name: KC_DB 
@@ -189,6 +189,12 @@ spec:
             - name: http
               containerPort: 8080
               protocol: TCP
+            - name: tcp
+              containerPort: 7800
+              protocol: TCP
+            - name: tcp-fd
+              containerPort: 57800
+              protocol: TCP
           livenessProbe:
             httpGet:
               path: /health/live

src/keycloak/chart/templates/uds-package.yaml

@@ -60,6 +60,19 @@ spec:
         port: {{ .Values.postgresql.port }}
         remoteGenerated: Anywhere
       {{- end }}
+      {{- if .Values.autoscaling.enabled }}
+      # HA for keycloak
+      - direction: Ingress
+        remoteGenerated: IntraNamespace
+        ports:
+          - 7800
+          - 57800
+      - direction: Egress
+        remoteGenerated: IntraNamespace
+        ports:
+          - 7800
+          - 57800
+      {{- end }}
 
     expose:
       - description: "remove private paths from public gateway"