我正在尝试使用 Operator 将 Keycloak 部署到 kubernetes 集群上。 我需要该应用程序存在于“/auth”而不是“/”上。 我正在使用 ingress-nginx 入口控制器并使用 helm 模板创建入口。
ingress-template.yaml:
{{- if .Values.auth.ingress.enabled -}}
{{- $fullName := printf "%s-%s" (include "appname.fullname" .) .Values.auth.name }}
{{- $svcPort := .Values.auth.service.port -}}
{{- if and .Values.auth.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
{{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
{{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.auth.ingress.className}}
{{- end }}
{{- end }}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{- include "appname.labels" . | nindent 4 }}
{{- with .Values.auth.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if and .Values.auth.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
ingressClassName: {{ .Values.auth.ingress.className }}
{{- end }}
{{- if .Values.auth.ingress.tls }}
tls:
{{- range .Values.auth.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.auth.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}-service
port:
number: {{ $svcPort }}
{{- else }}
serviceName: {{ include "appname.fullname" . }}-{{ .Values.auth.name }}-service
servicePort: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
keycloak-template.yaml:
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
name: {{ include "appname.fullname" . }}-{{ .Values.auth.name }}
spec:
{{/**
image: {{ .Values.auth.image.repository }}:{{ .Values.auth.image.tag }}
**/}}
ingress:
enabled: false
db:
vendor: {{ .Values.auth.config.vendor }}
usernameSecret:
name: {{ .Values.auth.secret.name }}
key: {{ .Values.auth.secret.usernameKey }}
passwordSecret:
name: {{ .Values.auth.secret.name }}
key: {{ .Values.auth.secret.passwordKey }}
host: "appname-{{ .Values.authdb.name }}.{{ .Release.Namespace }}.svc.cluster.local"
database: {{ .Values.auth.config.dbname }}
port: {{ .Values.authdb.config.dbport }}
schema: {{ .Values.auth.config.schema }}
poolInitialSize: 1
poolMinSize: 1
poolMaxSize: 3
http:
httpEnabled: true
httpPort: {{ .Values.auth.service.port }}
httpsPort: {{ .Values.auth.service.httpsPort }}
tlsSecret: ingress-certificate
hostname:
strict: false
strictBackchannel: false
features:
enabled:
- docker
- authorization
disabled:
- step-up-authentication
transaction:
xaEnabled: false
unsupported:
podTemplate:
metadata:
labels:
{{- include "appname.labels" . | nindent 10 }}
name: {{ include "appname.fullname" . }}-{{ .Values.auth.name }}
spec:
containers:
- name: {{ include "appname.fullname" . }}-{{ .Values.auth.name }}
env:
{{/**}}
- name: PROXY_ADDRESS_FORWARDING
value: "{{ .Values.auth.extraEnv.proxyForwarding.value }}"
- name: KC_HTTP_RELATIVE_PATH
value: "/keycloak"
**/}}
- name: KC_PROXY
value: "edge"
- name: KC_EXTRA_ARGS
value: "--proxy edge"
- name: KC_HOSTNAME_PATH
value: "/auth"
- name: KC_LOG_LEVEL
value: DEBUG
- name: KC_HOSTNAME_URL
value: "https://devapp.myapps.co.uk/auth"
values.yaml:
auth:
name: auth
replicaCount: 1
image:
tag: "1.42.1"
repository: appname.azurecr.io/appname-keycloak
pullPolicy: IfNotPresent
extraEnv:
proxyForwarding:
value: "true"
ingress:
enabled: true
className: nginx
hosts:
- host: prodapp.myapps.co.uk
paths:
- path: /auth
pathType: Prefix
annotations:
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: HTTP
nginx.ingress.kubernetes.io/protocol: http
nginx.ingress.kubernetes.io/proxy-body-size: "0"
nginx.ingress.kubernetes.io/proxy-http-version: "1.1"
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-*"
tls: []
config:
name: auth-configmap
dbname: database
path: /auth
vendor: postgres
address: '{{ include "appname.fullname" . }}-{{ .Values.authdb.name }}.{{ .Release.Namespace }}.svc.cluster.local'
schema: public
dbhost: "appname-auth-database.appname.svc.cluster.local"
secret:
name: auth-database-env
usernameKey: POSTGRES_USER
passwordKey: POSTGRES_PASSWORD
args: ["start-dev --import-realm"]
probes:
liveness: /auth/
readiness: /auth/realms/master
service:
type: ClusterIP
port: 8080
httpsPort: 8443
nodeSelector: {}
tolerations: []
affinity: {}
serviceAccount:
create: true
annotations: {}
name: ""
podAnnotations: {}
podSecurityContext: {}
securityContext: {}
resources: {}
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
当我通过 helm 安装图表时,一切似乎都部署得很好,但我在 /auth 下浏览到的每个路径都被路由到在其 pod 中运行的 keycloak 应用程序,但我从 keycloak 返回了所有资源的 404。 keycloak 日志或入口控制器日志中没有其他错误。
任何有关我配置错误的帮助将不胜感激:-)
我尝试将入口配置为进行目标重写,而不是配置 keycloak 的 Web 上下文,这意味着 keycloak 期望“/”上的流量,并且入口控制器在将流量转发到时将 URL 从“/auth”重写为“/” pod,但这会导致 keycloak 写入需要解析“/”的 URL,因此它不起作用。
尝试改变
- name: KC_HTTP_RELATIVE_PATH
value: "/keycloak"
到
- name: KC_HTTP_RELATIVE_PATH
value: "/auth"
在
keycloak-template.yaml