My proposal is that your k8s cluster or management should be completely seperate from your private registry. Then your private reigstry should be completely seperate from your identity provider.
The main reason is we want to decrease the chance of circular dependencies – that can never be fixed.
Should all be in different places
private registry
identity provider (keycloak)
rancher
Circular Dependency Example
Your registry uses keycloak as the authentication provider.
But the image keycloak uses is custom and resides in the private registry.
If something happens and Rancher needs to pull the image again – keycloak will go down.
But now it won’t be able to pull the image because the identityprovider is down.
Circular Dependencies
Keycloak Image in your private registry secured by Keycloak
An accident waiting to happen.
If your k8s cannot pull the