Separate your K8s cluster, identity provider and private registry.

My proposal is that your k8s cluster (or cluster management) should be completely separate from your private registry, and your private registry should be completely separate from your identity provider.

The main reason is to reduce the chance of circular dependencies, the kind of failure that cannot be fixed once it occurs.

These should all run in different places:

private registry
identity provider (Keycloak)
Rancher

Circular Dependency Example

Your registry uses Keycloak as its authentication provider.
But the image Keycloak runs from is custom and lives in that same private registry.
If something happens and Rancher needs to pull the image again, Keycloak goes down.
Now the image cannot be pulled, because the identity provider that secures the registry is down.

Circular Dependencies

The Keycloak image sits in your private registry, and that registry is secured by Keycloak.

An accident waiting to happen.
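To make the failure mode above concrete, here is an added example (not part of the original post) that models "who needs whom to restart" as a small graph for the coupled layout and for the proposed separated layout, and checks whether a given component can be brought back without itself. Component names and edges are constructed to match the scenario described above.

```python
from typing import Dict, List

# Edge A -> B means "A needs B to be available in order to (re)start".
Graph = Dict[str, List[str]]

# Coupled layout: the registry authenticates via Keycloak, while the custom
# Keycloak image is pulled from that same registry (constructed to match the post).
COUPLED: Graph = {
    "rancher": ["private-registry"],
    "private-registry": ["keycloak"],   # registry auth goes through Keycloak
    "keycloak": ["private-registry"],   # Keycloak image lives in the registry
}

# Separated layout: registry auth does not depend on Keycloak, and the Keycloak
# image is hosted somewhere the registry does not control.
SEPARATED: Graph = {
    "rancher": ["private-registry"],
    "private-registry": [],
    "keycloak": [],
}


def find_cycle(graph: Graph) -> List[str]:
    """Return the first dependency cycle found (last node repeats the first),
    or [] if the graph is acyclic. Depth-first search with grey/black marking."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {node: WHITE for node in graph}
    path: List[str] = []

    def visit(node: str) -> List[str]:
        colour[node] = GREY
        path.append(node)
        for dep in graph.get(node, []):
            if colour.get(dep, WHITE) == GREY:
                # Back edge: the cycle is the path from dep onwards, closed by dep.
                return path[path.index(dep):] + [dep]
            if colour.get(dep, WHITE) == WHITE:
                found = visit(dep)
                if found:
                    return found
        path.pop()
        colour[node] = BLACK
        return []

    for node in list(graph):
        if colour[node] == WHITE:
            cycle = visit(node)
            if cycle:
                return cycle
    return []


def cannot_recover_alone(graph: Graph, failed: str) -> bool:
    """True if restarting `failed` requires `failed` itself: following its
    dependencies transitively leads back to it (the post's Keycloak case)."""
    seen = set()
    stack = list(graph.get(failed, []))
    while stack:
        node = stack.pop()
        if node == failed:
            return True
        if node in seen:
            continue
        seen.add(node)
        stack.extend(graph.get(node, []))
    return False
```

Running `find_cycle(COUPLED)` reports the registry/Keycloak loop, while the separated layout reports none; the same check is useful as a pre-deployment gate when a new service is added to the platform.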

If your k8s cannot pull the