[keycloak] Add OpenShift route (codecentric#18)

Signed-off-by: Simon Rüegg <simon.ruegg@vshn.ch>

charts/keycloak/Chart.yaml

@@ -1,5 +1,5 @@
 name: keycloak
-version: 4.12.0
+version: 4.13.0
 appVersion: 5.0.0
 description: Open Source Identity and Access Management For Modern Applications and Services
 keywords:

charts/keycloak/README.md

@@ -90,9 +90,17 @@ Parameter | Description | Default
 `keycloak.ingress.enabled` | if `true`, an ingress is created | `false`
 `keycloak.ingress.annotations` | annotations for the ingress | `{}`
 `keycloak.ingress.labels` | Additional labels for the Keycloak ingress | `{}`
-`keycloak.ingress.path` | if `true`, an ingress is created | `/`
+`keycloak.ingress.path` | Path for the ingress | `/`
 `keycloak.ingress.hosts` | a list of ingress hosts | `[keycloak.example.com]`
 `keycloak.ingress.tls` | a list of [IngressTLS](https://v1-9.docs.kubernetes.io/docs/reference/generated/kubernetes-api/v1.9/#ingresstls-v1beta1-extensions) items | `[]`
+`keycloak.route.enabled` | If `true`, an OpenShift route is created | `false`
+`keycloak.route.annotations` | Annotations for the route | `{}`
+`keycloak.route.labels` | Additional labels for the Keycloak route | `{}`
+`keycloak.route.path` | Path for the route | `/`
+`keycloak.route.host` | The host name of the route. If left empty, a name will be generated by OpenShift | `""`
+`keycloak.route.tls.enabled` | If `true`, TLS is enabled for the route | `true`
+`keycloak.route.tls.insecureEdgeTerminationPolicy` | Insecure edge termination policy of the route. Can be `None`, `Redirect` or `Allow` | `Redirect`
+`keycloak.route.tls.termination` | TLS termination of the route. Can be `edge`, `passthrough` or `reencrypt` | `edge`
 `keycloak.persistence.deployPostgres` | If true, the PostgreSQL chart is installed | `false`
 `keycloak.persistence.existingSecret` | Name of an existing secret to be used for the database password (if `keycloak.persistence.deployPostgres=false`). Otherwise a new secret is created | `""`
 `keycloak.persistence.existingSecretKey` | The key for the database password in the existing secret (if `keycloak.persistence.deployPostgres=false`) | `password`

charts/keycloak/templates/route.yaml

@@ -0,0 +1,35 @@
+{{- $route := .Values.keycloak.route -}}
+{{- if $route.enabled -}}
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  name: {{ template "keycloak.fullname" . }}
+{{- with $route.annotations }}
+  annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+  labels:
+    app: {{ template "keycloak.name" . }}
+    chart: {{ template "keycloak.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+{{- with $route.labels }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+spec:
+{{- if $route.host }}
+  host: {{ $route.host }}
+{{- end }}
+  path: {{ $route.path }}
+  port:
+    targetPort: http
+  to:
+    kind: Service
+    name: {{ template "keycloak.fullname" $ }}-http
+    weight: 100
+  {{- if $route.tls.enabled }}
+  tls:
+    insecureEdgeTerminationPolicy: {{ $route.tls.insecureEdgeTerminationPolicy }}
+    termination: {{ $route.tls.termination }}
+  {{- end }}
+{{- end -}}

charts/keycloak/values.yaml

@@ -212,6 +212,29 @@ keycloak:
     #     - keycloak.example.com
     #   secretName: tls-keycloak
 
+  ## OpenShift route configuration.
+  ## ref: https://docs.openshift.com/container-platform/3.11/architecture/networking/routes.html
+  route:
+    enabled: false
+    path: /
+
+    annotations: {}
+      # kubernetes.io/tls-acme: "true"
+      # haproxy.router.openshift.io/disable_cookies: "true"
+      # haproxy.router.openshift.io/balance: roundrobin
+
+    labels: {}
+      # key: value
+
+    # Host name for the route
+    host:
+
+    # TLS configuration
+    tls:
+      enabled: true
+      insecureEdgeTerminationPolicy: Redirect
+      termination: edge
+
   ## Persistence configuration
   persistence:
     # If true, the Postgres chart is deployed