egress rule for postgres should not be tied to devMode

[blancharda]

Overview

Currently, the egress rule for postgres is conditioned on devMode: false.
DevMode provides increased logging (among other things), and there are many reasons why you might want both. In any case, if an external database is configured, the egress rule should be created accordingly.

Environment

App version: 0.22.1-registry1

Steps to reproduce

1. devMode: true
2. configure an external postgres database
3. roll the dice

Expected result

If a postgres database is configured, the egress rule should be created accordingly

Actual Result

The rule is only created when devMode is false

Additional Context

This may be a case where the race (see related gitlab issue)between pepr creating the netpol and the keycloak pods starting up may have masked the behavior on initial install.. but now that pepr is more consistent in applying rules, upgrades in our long lived environments are failing to restart keycloak pods with JDBC connection timeouts.

[anthonywendt]

Wanted to add some more devMode issues when it comes to configuration of an external database. devMode is also used to template the secret that contains the postgres configuration as well as the statefulset that is created. devMode and external database configuration should not be coupled. Might need to create a separate issue to define the scope and possibly remove devMode. Or that may be resolved as part of this issue?

[anthonywendt]

Also, instead of creating a new issue I wanted to make sure it was clear that the race condition mentioned in the additional context of this issue is also resolved as part of this. The uds-package.yaml is part of the same helm chart that deploys keycloak itself. That uds-package.yaml needs to be decoupled from the keycloak helm chart and be applied and ready before keycloak is ever deployed.

[mjnagel]

Happy to dive in more and see if there's a different solution, but as @anthonywendt pointed out devMode does not allow you to use postgres currently (that was intentional, devMode is just meant to be for ephemeral dev). If the log level is the main reason you want dev mode it might be worth just moving those to a different conditional for debug mode or something similar.

[blancharda]

It's very unintuitive that configuring postgres connection info doesn't result in using postgres unless you know to disable the default devMode value..

[mjnagel]

@blancharda yeah agreed. There's a small note hidden in the readme that says by default, this package deploys Keycloak in "dev mode", which disables HA and uses an H2 database persisted to a PVC. This is not suitable for production use, but is useful for development and testing but I don't think that's sufficient here (especially since its in a readme in a subdir, not surfaced on the docs site).

A couple things I think we could/should do here:

• Be more clear in the docs about what devMode is/does - and ensure that this is more visible (i.e. docs site)
• Potentially use helm fail to block incompatible setup of devMode + postgres (block bad things path) OR modify conditionals so that a DB takes precedence over dev mode if provided (fix it for you path)
• Move debug logging to a separate/additional flag so that it can be toggled independently of devMode.