My proposal is that your
k8s cluster or
management should be completely seperate from your private registry. Then your private reigstry should be completely seperate from your identity provider.
The main reason is we want to decrease the chance of circular dependencies – that can never be fixed.
Should all be in different places
identity provider (keycloak)
Circular Dependency Example
Your registry uses keycloak as the authentication provider.
But the image keycloak uses is custom and resides in the private registry.
If something happens and Rancher needs to pull the image again – keycloak will go down.
But now it won’t be able to pull the image because the identityprovider is down.
Keycloak Image in your private registry secured by Keycloak
An accident waiting to happen.
If your k8s cannot pull the