Set up Keycloak in the OpenShift test configuration

* Install cert-manager and Keycloak via Helm in 0_openshift-setup,
replacing the manual oc apply step for cert-manager
* Expose Keycloak through an OpenShift Route with edge TLS termination
at keycloak.apps-crc.testing, serving at root /
* Configure the TheiaCloud realm, test users (foo/bar), and admin group
membership via the existing modules/keycloak terraform module
* Add a null_resource wait loop so the realm setup runs only after
Keycloak is fully reachable
* Enable Keycloak authentication in 4-01_openshift_monitor via helm set
overrides and switch service.protocol to https
* Add keycloak values (realm, clientId, clientSecret, cookieSecret) to
valuesOpenShiftMonitor.yaml as explicit defaults
* Update openshift.md and test.md for the new dependency setup, login
flow, and hostname table

Author: jfaltermeier

CHANGELOG.md

@@ -1,5 +1,14 @@
 # Changelog
 
+## [1.3.0] - unreleased
+
+- [java/operator] Add OpenShift support with Route-based session routing [#486](https://github.com/eclipse-theia/theia-cloud/pull/486)
+
+### Breaking Changes in 1.3.0
+
+- [java/operator] Ingress and session URL logic extracted from `LazySessionHandler` and `EagerSessionHandler` into the new `SessionRoutingStrategy` interface. Custom operator extensions that override or extend these handlers may need to inject `SessionRoutingStrategy` instead of directly using `IngressPathProvider` and `TheiaCloudIngressUtil`.
+- [java/operator] `TheiaCloudDeploymentUtil.getSessionURL()` methods (which took `IngressPathProvider`) have been removed. Use `SessionRoutingStrategy.getSessionURL()` instead. A new `TheiaCloudDeploymentUtil.extractHost()` utility method is provided.
+
 ## [1.2.0] - 2026-04-09
 
 - [java/operator] Fix ingress rules not being fully removed on session deletion [#456](https://github.com/eclipse-theia/theia-cloud/pull/456)

terraform/test-configurations/0_openshift-setup/.terraform.lock.hcl

@@ -0,0 +1,17 @@
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  name: keycloak
+  namespace: keycloak
+spec:
+  host: ${hostname}
+  to:
+    kind: Service
+    name: keycloak
+    weight: 100
+  port:
+    targetPort: http
+  wildcardPolicy: None
+  tls:
+    termination: edge
+    insecureEdgeTerminationPolicy: Redirect

terraform/test-configurations/0_openshift-setup/main.tf

@@ -0,0 +1,46 @@
+fullnameOverride: "keycloak"
+httpRelativePath: "/"
+
+auth:
+  adminUser: admin
+
+image:
+  # Configure using repository bitnamilegacy because bitnami has removed the bitnami repository in favor of a paid service
+  repository: bitnamilegacy/keycloak
+
+postgresql:
+  enabled: true
+  # Configure using repository bitnamilegacy because bitnami has removed the bitnami repository in favor of a paid service
+  image:
+    repository: bitnamilegacy/postgresql
+  volumePermissions:
+    image:
+      repository: bitnamilegacy/os-shell
+    enabled: false
+  metrics:
+    image:
+      repository: bitnamilegacy/bitnami-exporter
+  primary:
+    podSecurityContext:
+      enabled: false
+    containerSecurityContext:
+      enabled: false
+
+# Keycloak is exposed via an OpenShift Route, not a Kubernetes Ingress
+ingress:
+  enabled: false
+
+service:
+  type: ClusterIP
+
+# Keycloak sits behind an OpenShift Route with edge TLS termination,
+# so it receives plain HTTP internally
+proxy: edge
+
+# OpenShift assigns UIDs from a namespace-specific range via its Security Context
+# Constraints (SCC). The Bitnami chart defaults (fsGroup: 1001, runAsUser: 1001)
+# are rejected by the restricted SCC. Disabling them lets OpenShift take over.
+podSecurityContext:
+  enabled: false
+containerSecurityContext:
+  enabled: false