feat: adds gateway api httproute support

wilmardo · wilmardo · commit a8b9a4784300 · 2025-11-21T09:04:30.000+01:00
Signed-off-by: wilmarguida &lt;w.denouden@guida.nl&gt;
diff --git a/charts/keycloakx/templates/httproute.yaml b/charts/keycloakx/templates/httproute.yaml
@@ -0,0 +1,99 @@
+{{- $httpRoute := .Values.httpRoute -}}
+{{- if $httpRoute.enabled -}}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: {{ include "keycloak.fullname" . }}
+  labels:
+    {{- include "keycloak.labels" . | nindent 4 }}
+    {{- range $key, $value := $httpRoute.labels }}
+    {{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
+    {{- end }}
+  {{- with $httpRoute.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  parentRefs:
+    {{- with $httpRoute.parentRefs }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with $httpRoute.hostnames }}
+  hostnames:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  rules:
+    {{- range $httpRoute.rules }}
+    {{- with .matches }}
+    - matches:
+      {{- range . }}
+      {{- if .path }}
+        - path:
+            type: {{ .path.type }}
+            value: {{ tpl .path.value $ }}
+        {{- end }}
+      {{- else }}
+      {{ . | toYaml | nindent 8 }}
+      {{- end }}
+      {{- end }}
+    {{- with .filters }}
+      filters:
+      {{- toYaml . | nindent 8 }}
+    {{- end }}
+      backendRefs:
+        - name: {{ include "keycloak.fullname" $ }}-http
+          port:
+            name: {{ $httpRoute.servicePort }}
+    {{- end }}
+{{- end }}
+---
+{{- if $httpRoute.console.enabled -}}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: {{ include "keycloak.fullname" . }}
+  labels:
+    {{- include "keycloak.labels" . | nindent 4 }}
+    {{- range $key, $value := $httpRoute.labels }}
+    {{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
+    {{- end }}
+    {{- range $key, $value := $httpRoute.console.labels }}
+    {{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
+    {{- end }}
+  {{- with $httpRoute.console.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  parentRefs:
+      {{- with pluck "parentRefs" $httpRoute.console $httpRoute | first }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with pluck "hostnames" $httpRoute.console $httpRoute | first }}
+  hostnames:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  rules:
+    {{- range $httpRoute.console.rules }}
+    {{- with .matches }}
+    - matches:
+      {{- range . }}
+      {{- if .path }}
+        - path:
+            type: {{ .path.type }}
+            value: {{ tpl .path.value $ }}
+        {{- end }}
+      {{- else }}
+      {{ . | toYaml | nindent 8 }}
+      {{- end }}
+      {{- end }}
+    {{- with .filters }}
+      filters:
+      {{- toYaml . | nindent 8 }}
+    {{- end }}
+      backendRefs:
+        - name: {{ include "keycloak.fullname" $ }}-http
+          port:
+            name: {{ $httpRoute.servicePort }}
+    {{- end }}
+{{- end }}
diff --git a/charts/keycloakx/values.schema.json b/charts/keycloakx/values.schema.json
@@ -3,9 +3,69 @@
   "type": "object",
   "required": ["image"],
   "definitions": {
+    "httpRoute": {
+      "type": "object",
+      "properties": {
+        "annotations": {
+          "type": "object"
+        },
+        "enabled": {
+          "type": "boolean"
+        },
+        "labels": {
+          "type": "object"
+        },
+        "parentRefs": {
+          "type": "array",
+          "items": {
+            "properties": {
+              "name": {
+                "type": "string"
+              },
+              "sectionName": {
+                "type": "string"
+              }
+            }
+          }
+        },
+        "hostnames": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "rules": {
+          "type": "array",
+          "items": {
+            "$comment": "don't allow additionalProperties to make sure backendRefs isn't set by the user",
+            "additionalProperties": false,
+            "properties": {
+              "matches": {
+                "type": "array",
+                "items": {
+                  "$comment": "don't allow additionalProperties, only path matcher supported",
+                  "additionalProperties": false,
+                  "properties": {
+                    "path": {
+                      "type": "object"
+                    }
+                  }
+                }
+              },
+              "filters": {
+                "type": "array"
+              }
+            }
+          }
+        }
+      }
+    },
     "image": {
       "type": "object",
-      "required": ["repository", "tag"],
+      "required": [
+        "repository",
+        "tag"
+      ],
       "properties": {
         "pullPolicy": {
           "type": "string",
@@ -323,6 +383,22 @@
       },
       "type": "object"
     },
+    "httpRoute": {
+      "allOf": [
+        { "$ref": "#/definitions/httpRoute" },
+        {
+          "type": "object",
+          "properties": {
+            "servicePort": {
+              "type": "string"
+            },
+            "console": {
+              "$ref": "#/definitions/httpRoute"
+            }
+          }
+        }
+      ]
+    },
     "image": {
       "$ref": "#/definitions/image"
     },
diff --git a/charts/keycloakx/values.yaml b/charts/keycloakx/values.yaml
@@ -280,6 +280,56 @@ serviceHeadless:
   # Add additional ports to the headless service, e. g. for admin console or exposing JGroups ports
   extraPorts: []
 
+# -- Expose the service via gateway-api HTTPRoute
+# Requires Gateway API resources and suitable controller installed within the cluster
+# (see: https://gateway-api.sigs.k8s.io/guides/)
+httpRoute:
+  # HTTPRoute enabled.
+  enabled: false
+  # Additional HTTPRoute labels
+  labels: {}
+  # HTTPRoute annotations.
+  annotations: {}
+  # The Service port targeted by the HTTPRoute
+  servicePort: http
+  # Which Gateways this Route is attached to.
+  parentRefs:
+    - name: gateway
+      sectionName: http
+    # namespace: default
+  # Hostnames matching HTTP header.
+  hostnames:
+    - chart-example.local
+  # List of rules and filters applied.
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: '{{ tpl .Values.http.relativePath $ | trimSuffix "/" }}/'
+
+  # HTTPRoute for console only (/auth/admin)
+  console:
+    # If `true`, an HTTPRoute is created for console path only
+    enabled: false
+    # Additional HTTPRoute labels
+    labels: {}
+    # HTTPRoute annotations.
+    annotations: {}
+    # Which Gateways this Route is attached to.
+    parentRefs:
+      - name: gateway
+        sectionName: http
+      # namespace: default
+    # Hostnames matching HTTP header.
+    hostnames:
+      - chart-example.local
+    # List of rules and filters applied.
+    rules:
+      - matches:
+        - path:
+            type: PathPrefix
+            value: '{{ tpl .Values.http.relativePath $ | trimSuffix "/" }}/admin'
+
 ingress:
   # If `true`, an Ingress is created
   enabled: false
