From 894071299a7bc5f963963fbf5765924ff8733b16 Mon Sep 17 00:00:00 2001
From: Pascal Iske
Date: Sun, 7 Jan 2024 01:39:45 +0100
Subject: [PATCH] feat(keycloak): implement ingress route and certificate objects into chart

---
 charts/keycloak/Chart.yaml | 4 +-
 charts/keycloak/README.md | 18 +++++++-
 charts/keycloak/templates/_helpers.tpl | 40 ++++++++++++++++++
 charts/keycloak/templates/certificate.yaml | 26 ++++++++++++
 charts/keycloak/templates/ingressroute.yaml | 47 +++++++++++++++++++++
 charts/keycloak/values.yaml | 33 +++++++++++++++
 6 files changed, 164 insertions(+), 4 deletions(-)
 create mode 100644 charts/keycloak/templates/certificate.yaml
 create mode 100644 charts/keycloak/templates/ingressroute.yaml

diff --git a/charts/keycloak/Chart.yaml b/charts/keycloak/Chart.yaml
index 99f9abc1..69418d28 100644
--- a/charts/keycloak/Chart.yaml
+++ b/charts/keycloak/Chart.yaml
@@ -3,7 +3,7 @@ apiVersion: v2
 type: application
 name: keycloak
 description: A Helm chart for Keycloak
-version: 0.0.3
+version: 0.1.0
 # renovate: image=quay.io/keycloak/keycloak
 appVersion: "23.0.3"
@@ -27,4 +27,4 @@ dependencies:
 annotations:
 artifacthub.io/changes: |-
 - kind: added
- description: 'Added the possibility to specify env values from secrets.'
+ description: 'Implement ingress route and certificate objects.'
diff --git a/charts/keycloak/README.md b/charts/keycloak/README.md
index e6bac99a..2b999392 100644
--- a/charts/keycloak/README.md
+++ b/charts/keycloak/README.md
@@ -2,7 +2,7 @@
 > A Helm chart for Keycloak
-[![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ](https://charts.pascaliske.dev/charts/keycloak/)[![Version: 0.0.3](https://img.shields.io/badge/Version-0.0.3-informational?style=flat-square) ](https://charts.pascaliske.dev/charts/keycloak/)[![AppVersion: 21.1.1](https://img.shields.io/badge/AppVersion-21.1.1-informational?style=flat-square) ](https://charts.pascaliske.dev/charts/keycloak/)
+[![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ](https://charts.pascaliske.dev/charts/keycloak/)[![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ](https://charts.pascaliske.dev/charts/keycloak/)[![AppVersion: 23.0.3](https://img.shields.io/badge/AppVersion-23.0.3-informational?style=flat-square) ](https://charts.pascaliske.dev/charts/keycloak/)
 * *
@@ -40,6 +40,13 @@ The following values can be used to adjust the helm chart.
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| certificate.annotations | object | `{}` | Additional annotations for the certificate object. |
+| certificate.create | bool | `false` | Create an Certificate object for the exposed chart. |
+| certificate.dnsNames | list | `[]` | List of subject alternative names for the certificate. |
+| certificate.issuerRef.kind | string | `"ClusterIssuer"` | Type of the referenced certificate issuer. Can be "Issuer" or "ClusterIssuer". |
+| certificate.issuerRef.name | string | `""` | Name of the referenced certificate issuer. |
+| certificate.labels | object | `{}` | Additional labels for the certificate object. |
+| certificate.secretName | string | `""` | Name of the secret in which the certificate will be stored. Defaults to the first item in dnsNames. |
 | controller.annotations | object | `{}` | Additional annotations for the controller object. |
 | controller.enabled | bool | `true` | Create a workload for this chart. |
 | controller.kind | string | `"StatefulSet"` | Type of the workload object. |
@@ -52,6 +59,13 @@ The following values can be used to adjust the helm chart.
 | image.repository | string | `"quay.io/keycloak/keycloak"` | The repository to pull the image from. |
 | image.tag | string | `.Chart.AppVersion` | The docker tag, if left empty chart's appVersion will be used. |
 | imagePullSecrets | list | `[]` | |
+| ingressRoute.annotations | object | `{}` | Additional annotations for the ingress route object. |
+| ingressRoute.create | bool | `false` | Create an IngressRoute object for exposing this chart. |
+| ingressRoute.entryPoints | list | `[]` | List of [entry points](https://doc.traefik.io/traefik/routing/routers/#entrypoints) on which the ingress route will be available. |
+| ingressRoute.labels | object | `{}` | Additional labels for the ingress route object. |
+| ingressRoute.middlewares | list | `[]` | List of [middleware objects](https://doc.traefik.io/traefik/routing/providers/kubernetes-crd/#kind-middleware) for the ingress route. |
+| ingressRoute.rule | string | `""` | [Matching rule](https://doc.traefik.io/traefik/routing/routers/#rule) for the underlying router. |
+| ingressRoute.tlsSecretName | string | `""` | Use an existing secret containing the TLS certificate. |
 | nameOverride | string | `""` | |
 | ports.http.enabled | bool | `true` | Enable the port inside the `Controller` and `Service` objects. |
 | ports.http.nodePort | string | `nil` | The external port used if `.service.type` == `NodePort`. |
@@ -86,4 +100,4 @@ The following values can be used to adjust the helm chart.
 ## License
-[MIT](../LICENSE.md) – © 2023 [Pascal Iske](https://pascaliske.dev)
+[MIT](../LICENSE.md) – © 2024 [Pascal Iske](https://pascaliske.dev)
diff --git a/charts/keycloak/templates/_helpers.tpl b/charts/keycloak/templates/_helpers.tpl
index 5ae124b1..6f364b70 100644
--- a/charts/keycloak/templates/_helpers.tpl
+++ b/charts/keycloak/templates/_helpers.tpl
@@ -60,3 +60,43 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Certificate name
+*/}}
+{{- define "keycloak.certificate.name" -}}
+{{- if not (empty .Values.certificate.dnsNames) }}
+{{- first .Values.certificate.dnsNames }}
+{{- else }}
+{{- include "keycloak.fullname" . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Certificate secret name
+*/}}
+{{- define "keycloak.certificate.secretName" -}}
+{{- if not (empty .Values.certificate.secretName) }}
+{{- .Values.certificate.secretName }}
+{{- else }}
+{{- include "keycloak.certificate.name" . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Certificate issuer reference name
+*/}}
+{{- define "keycloak.certificate.issuerRefName" -}}
+{{- required "Mandatory field \".certificate.issuerRef.name\" is empty!" .Values.certificate.issuerRef.name -}}
+{{- end }}
+
+{{/*
+IngressRoute TLS secret name
+*/}}
+{{- define "keycloak.ingressRoute.tlsSecretName" -}}
+{{- if not (empty .Values.ingressRoute.tlsSecretName) }}
+{{- .Values.ingressRoute.tlsSecretName }}
+{{- else if .Values.certificate.create }}
+{{- include "keycloak.certificate.name" . }}
+{{- end }}
+{{- end }}
diff --git a/charts/keycloak/templates/certificate.yaml b/charts/keycloak/templates/certificate.yaml
new file mode 100644
index 00000000..9eb9e060
--- /dev/null
+++ b/charts/keycloak/templates/certificate.yaml
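Review bot: `keycloak.ingressRoute.tlsSecretName` falls back to `keycloak.certificate.name` (the first dnsName, or the fullname) instead of `keycloak.certificate.secretName`, so whenever `certificate.secretName` is set the Certificate writes its key pair into one Secret while the IngressRoute points at a different, non-existent one. Traefik does not fail loudly on a missing TLS secret but serves its default certificate for the Keycloak hostname, which for an identity provider is a silent TLS downgrade that is easy to miss in testing. Change the `else if` branch to `{{- include "keycloak.certificate.secretName" . }}` so both objects resolve the Secret through the same helper. A one-line comment above the define, e.g. `Explicit .ingressRoute.tlsSecretName wins; otherwise the chart-managed Certificate's secret is used, and nothing if neither is set.`, would make the precedence obvious to the next reader.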
@@ -0,0 +1,26 @@
+{{- if and .Values.certificate.create .Values.service.enabled -}}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ include "keycloak.certificate.name" . }}
+ labels:
+ {{- include "keycloak.labels" . | nindent 4 }}
+ {{- with .Values.certificate.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.certificate.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ secretName: {{ include "keycloak.certificate.secretName" . }}
+ {{- with .Values.certificate.dnsNames }}
+ dnsNames:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.certificate.issuerRef }}
+ issuerRef:
+ kind: {{ default "ClusterIssuer" .kind }}
+ name: {{ include "keycloak.certificate.issuerRefName" $ }}
+ {{- end }}
+{{- end }}
diff --git a/charts/keycloak/templates/ingressroute.yaml b/charts/keycloak/templates/ingressroute.yaml
new file mode 100644
index 00000000..8dfae787
--- /dev/null
+++ b/charts/keycloak/templates/ingressroute.yaml
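Review bot: With `certificate.create: true` and the default `certificate.dnsNames: []`, the `with` guard drops `dnsNames` entirely and no `commonName` is set, so the rendered Certificate carries no subject at all (the object name falls back to the fullname, but nothing reaches the SAN list); cert-manager will reject or never issue it, and the failure surfaces in the cluster rather than at `helm install`. The `issuerRef.name` is already fail-fast via `required`; do the same for the SAN list, but note that `required` does not trip on an empty list, so use `{{- if empty .Values.certificate.dnsNames }}`, `{{- fail "Mandatory field \".certificate.dnsNames\" is empty!" }}`, `{{- end }}` right after the opening `if`. As a nit, `{{- with .Values.certificate.issuerRef }}` is always truthy because `kind` carries a default in values.yaml, so the `with` only serves as scoping and could be dropped for clarity.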
@@ -0,0 +1,47 @@
+{{- if and .Values.ingressRoute.create .Values.service.enabled -}}
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: {{ printf "%s-route" (include "keycloak.fullname" . ) }}
+ labels:
+ {{- include "keycloak.labels" . | nindent 4 }}
+ {{- with .Values.ingressRoute.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.ingressRoute.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- with .Values.ingressRoute.entryPoints }}
+ entryPoints:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ routes:
+ - kind: Rule
+ match: '{{ required "Mandatory field \".ingressRoute.rule\" is empty!" .Values.ingressRoute.rule }} && (PathPrefix(`/api`) || PathPrefix(`/dav`) || PathPrefix(`/.well-known`))'
+ services:
+ - kind: Service
+ name: {{ printf "%s-web" (include "keycloak.fullname" . ) }}
+ namespace: {{ .Release.Namespace }}
+ port: {{ .Values.ports.api.port }}
+ {{- with .Values.ingressRoute.middlewares }}
+ middlewares:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ - kind: Rule
+ match: {{ required "Mandatory field \".ingressRoute.rule\" is empty!" .Values.ingressRoute.rule }}
+ services:
+ - kind: Service
+ name: {{ printf "%s-web" (include "keycloak.fullname" . ) }}
+ namespace: {{ .Release.Namespace }}
+ port: {{ .Values.ports.frontend.port }}
+ {{- with .Values.ingressRoute.middlewares }}
+ middlewares:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with (include "keycloak.ingressRoute.tlsSecretName" .) }}
+ tls:
+ secretName: {{ . }}
+ {{- end }}
+{{- end }}
diff --git a/charts/keycloak/values.yaml b/charts/keycloak/values.yaml
index ac50f38e..b0e7e32f 100644
--- a/charts/keycloak/values.yaml
+++ b/charts/keycloak/values.yaml
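Review bot: The two routes reference `.Values.ports.api.port` and `.Values.ports.frontend.port` and a Service named `<fullname>-web`, while the values this patch documents only define `ports.http.*`, and the `/api`, `/dav`, `/.well-known` path split is not Keycloak's URL layout (Keycloak serves under `/realms`, `/admin`, `/resources`, `/js`) — the routes block looks carried over from another chart. With those keys absent `port:` renders empty and the IngressRoute is rejected by the CRD schema; with them present, `/dav` and `/api` would still send traffic to ports Keycloak does not expose. A single rule forwarding to the HTTP port is enough for Keycloak; I cannot see the chart's Service template, so the `-web` suffix and `ports.http.port` in the sketch below need checking against it. Piping the rule through `quote` also removes the inconsistency between the single-quoted first `match:` and the unquoted second one. Separately, when neither `ingressRoute.tlsSecretName` nor `certificate.create` is set the object renders with no `tls:` section, so the login flow is reachable in plaintext on whatever entry points the router binds to; for an identity provider that deserves at least a warning in the values comments.
```yaml
  routes:
    - kind: Rule
      match: {{ required "Mandatory field \".ingressRoute.rule\" is empty!" .Values.ingressRoute.rule | quote }}
      services:
        - kind: Service
          name: {{ printf "%s-web" (include "keycloak.fullname" . ) }}
          namespace: {{ .Release.Namespace }}
          port: {{ .Values.ports.http.port }}
      {{- with .Values.ingressRoute.middlewares }}
      middlewares:
        {{- toYaml . | nindent 8 }}
      {{- end }}
  # … unchanged: tls section …
```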
@@ -52,6 +52,39 @@ serviceMonitor:
 # -- Additional labels for the service monitor object.
 labels: {}
+ingressRoute:
+ # -- Create an IngressRoute object for exposing this chart.
+ create: false
+ # -- List of [entry points](https://doc.traefik.io/traefik/routing/routers/#entrypoints) on which the ingress route will be available.
+ entryPoints: []
+ # -- [Matching rule](https://doc.traefik.io/traefik/routing/routers/#rule) for the underlying router.
+ rule: ''
+ # -- List of [middleware objects](https://doc.traefik.io/traefik/routing/providers/kubernetes-crd/#kind-middleware) for the ingress route.
+ middlewares: []
+ # -- Use an existing secret containing the TLS certificate.
+ tlsSecretName: ''
+ # -- Additional annotations for the ingress route object.
+ annotations: {}
+ # -- Additional labels for the ingress route object.
+ labels: {}
+
+certificate:
+ # -- Create an Certificate object for the exposed chart.
+ create: false
+ # -- List of subject alternative names for the certificate.
+ dnsNames: []
+ # -- Name of the secret in which the certificate will be stored. Defaults to the first item in dnsNames.
+ secretName: ''
+ issuerRef:
+ # -- Type of the referenced certificate issuer. Can be "Issuer" or "ClusterIssuer".
+ kind: ClusterIssuer
+ # -- Name of the referenced certificate issuer.
+ name: ''
+ # -- Additional annotations for the certificate object.
+ annotations: {}
+ # -- Additional labels for the certificate object.
+ labels: {}
+
 env:
 # -- Timezone for the container.
 - name: TZ
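Review bot: The defaults `entryPoints: []`, `tlsSecretName: ''` and `certificate.create: false` together yield an IngressRoute with no `tls` section that, as far as I recall Traefik's router semantics, attaches to every default entry point including the plain-HTTP one — so the first thing a user who flips `ingressRoute.create: true` gets is a Keycloak login page over cleartext. The chart cannot know the cluster's entry point names, but the comments should spell out the consequence: extend the `entryPoints` comment with `Leave empty to attach to ALL default entry points, including plain HTTP; for Keycloak set this to your TLS entry point (e.g. ["websecure"]) and provide tlsSecretName or certificate.create.` Likewise `tlsSecretName` should document its fallback chain, e.g. `If empty and certificate.create is true, the Secret written by the chart-managed Certificate is used; if both are unset the route is served without TLS.` The `certificate.dnsNames` comment should also say the first entry doubles as the Certificate object name and the default Secret name, since that coupling is only visible in _helpers.tpl.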