I am currently deploying Keycloak in a GKE cluster using a StatefulSet. I have set up a load balancer service to expose Keycloak, but I am having trouble reaching Keycloak through my domain name. The relevant configuration is as follows:
```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: keycloak
  namespace: default
  labels:
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  serviceName: "keycloak-headless"
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      serviceAccountName: keycloak-sa
      containers:
        - name: keycloak
          image: quay.io/keycloak/keycloak:latest
          args: ["start"]
          ports:
            - containerPort: 8080
              name: http
            - containerPort: 8443
              name: https
          volumeMounts:
            - name: keycloak-tls-volume
              mountPath: /etc/x509/https
              readOnly: true
          env:
            - name: KC_BOOTSTRAP_ADMIN_USERNAME
              valueFrom:
                secretKeyRef:
                  name: keycloak-secrets
                  key: KC_BOOTSTRAP_ADMIN_USERNAME
            - name: KC_BOOTSTRAP_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-secrets
                  key: KC_BOOTSTRAP_ADMIN_PASSWORD
            - name: KC_DB
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: KC_DB
            - name: KC_DB_URL
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: KC_DB_URL
            - name: KC_HOSTNAME
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: KC_HOSTNAME
            - name: KC_HEALTH_ENABLED
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: KC_HEALTH_ENABLED
            - name: KC_DB_USERNAME
              valueFrom:
                secretKeyRef:
                  name: keycloak-secrets
                  key: KC_DB_USERNAME
            - name: KC_DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-secrets
                  key: KC_DB_PASSWORD
            - name: KC_HTTPS_CERTIFICATE_FILE
              value: "/etc/x509/https/tls.crt"
            - name: KC_HTTPS_CERTIFICATE_KEY_FILE
              value: "/etc/x509/https/tls.key"
          readinessProbe:
            httpGet:
              scheme: HTTPS
              path: /health/ready
              port: 9000
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /health/live
              port: 9000
            initialDelaySeconds: 60
            periodSeconds: 20
            timeoutSeconds: 5
          resources:
            requests:
              memory: "2Gi"
              cpu: "1000m"
            limits:
              memory: "4Gi"
              cpu: "2000m"
      volumes:
        - name: keycloak-tls-volume
          secret:
            secretName: keycloak-tls
      tolerations:
        - key: "keycloak"
          operator: "Exists"
          effect: "NoSchedule"
```
This is my Service:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: keycloak-service
  labels:
    app: keycloak
spec:
  ports:
    - name: http
      port: 8080
      targetPort: 8080
    - name: https
      port: 8443
      targetPort: 8443
    - name: jgroup
      port: 7600
      targetPort: 7600
  selector:
    app: keycloak
  type: ClusterIP
  clusterIP: None
```
This is my Ingress:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak-ingress
  annotations:
    kubernetes.io/ingress.class: "gce"
    networking.gke.io/enable-global-access: "true"
spec:
  tls:
    - hosts:
        - houseofllm.com
      secretName: keycloak-tls
  rules:
    - host: houseofllm.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: keycloak-service
                port:
                  number: 8080
```
What works: Port forwarding: when I enable port forwarding with kubectl port-forward keycloak-0 8443:8443 -n default, I can reach Keycloak at https://localhost:8443 and everything works.
What does not work: Domain access: when I try to reach Keycloak through my domain name (e.g. https://mydomainname.com:8443 or https://mydomainname.com), I get the error message "Safari can't find the server."
Additional information: I have configured a valid TLS certificate in the Keycloak setup.
Problem:
I have narrowed it down to an Ingress problem, because the backend configuration is unhealthy. But I still don't know why it is unhealthy.
If I don't use the Ingress and use a Service of type LoadBalancer instead, everything works. The following configuration works.
```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: keycloak
  namespace: default
  labels:
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  serviceName: "keycloak-service"
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      serviceAccountName: keycloak-sa
      securityContext:
        fsGroup: 1000
      containers:
        - name: keycloak
          image: quay.io/keycloak/keycloak:latest
          args: ["start","--cache-stack=kubernetes", "--spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true"]
          ports:
            - containerPort: 8080
              name: http
            - containerPort: 8443
              name: https
            - name: jgroups
              containerPort: 7600
          securityContext:
            runAsUser: 1000
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - name: keycloak-tls-volume
              mountPath: /etc/x509/https
              readOnly: true
          env:
            - name: KC_BOOTSTRAP_ADMIN_USERNAME
              valueFrom:
                secretKeyRef:
                  name: keycloak-secrets
                  key: KC_BOOTSTRAP_ADMIN_USERNAME
            - name: KC_BOOTSTRAP_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-secrets
                  key: KC_BOOTSTRAP_ADMIN_PASSWORD
            - name: KC_DB
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: KC_DB
            - name: KC_DB_URL
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: KC_DB_URL
            - name: KC_HOSTNAME
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: KC_HOSTNAME
            - name: KC_HEALTH_ENABLED
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: KC_HEALTH_ENABLED
            - name: KC_DB_USERNAME
              valueFrom:
                secretKeyRef:
                  name: keycloak-secrets
                  key: KC_DB_USERNAME
            - name: KC_DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-secrets
                  key: KC_DB_PASSWORD
            - name: KC_HTTPS_CERTIFICATE_FILE
              valueFrom:
                secretKeyRef:
                  name: keycloak-secrets
                  key: KC_HTTPS_CERTIFICATE_FILE
            - name: KC_HTTPS_CERTIFICATE_KEY_FILE
              valueFrom:
                secretKeyRef:
                  name: keycloak-secrets
                  key: KC_HTTPS_CERTIFICATE_KEY_FILE
            - name: KC_PROXY
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: KC_PROXY
            - name: jgroups.dns.query
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: JGROUPS_DNS_QUERY
            - name: PROXY_ADDRESS_FORWARDING
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: PROXY_ADDRESS_FORWARDING
            - name: KC_METRICS_ENABLED
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: KC_METRICS_ENABLED
            - name: KC_HTTP_ENABLED
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: KC_HTTP_ENABLED
            - name: KC_HTTP_RELATIVE_PATH
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: KC_HTTP_RELATIVE_PATH
            - name: KC_HOSTNAME_URL
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: KC_HOSTNAME_URL
            - name: KC_HOSTNAME_ADMIN_URL
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: KC_HOSTNAME_URL
            - name: JAVA_OPTS_APPEND
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: JAVA_OPTS_APPEND
            - name: KC_LOG_LEVEL
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: KC_LOG_LEVEL
          resources:
            requests:
              memory: "2Gi"
              cpu: "1000m"
            limits:
              memory: "4Gi"
              cpu: "2000m"
      volumes:
        - name: keycloak-tls-volume
          secret:
            secretName: keycloak-tls
      tolerations:
        - key: "keycloak"
          operator: "Exists"
          effect: "NoSchedule"
```
```yaml
apiVersion: v1
kind: Service
metadata:
  name: keycloak-service
  labels:
    app: keycloak
spec:
  ports:
    - name: http
      port: 8080
      targetPort: 8080
    - name: https
      port: 8443
      targetPort: 8443
    - name: jgroup
      port: 7600
      targetPort: 7600
  selector:
    app: keycloak
  type: LoadBalancer
```
Ingress:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak-ingress
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: 2500m
    nginx.ingress.kubernetes.io/proxy-buffer-size: 12k
    nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
  ingressClassName: nginx
  rules:
    - host: houseofllm.com
      http:
        paths:
          - backend:
              service:
                name: keycloak-service
                port:
                  number: 8080
            path: /keycloak/(.*)
            pathType: Prefix
```
Any help or guidance would be greatly appreciated!
I'm not entirely sure, but in my working configuration I see that the hostname is also passed to the start command, which I don't see in your configuration:
start --optimized --hostname=<your_domain_name>
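The question's symptom (GCE Ingress backend reported unhealthy) and the answer's point about the hostname can both be turned into a small pre-deploy consistency check. The following is an added example, not code from the question, the answer, or the Keycloak project. The manifests inside it are constructed: hand-copied subsets of the question's first, non-working StatefulSet/Service/Ingress, written as Python dicts so the check runs offline without PyYAML or kubectl. It cross-references the three objects (StatefulSet.spec.serviceName against the Services, Service selectors against pod labels, Ingress backends against Service ports), flags a headless Service behind a GCE Ingress, flags routing to Keycloak's plain-HTTP port when nothing in the env or start arguments enables HTTP (production-mode `start` serves only HTTPS by default), and, following the answer, requires the hostname to be set either as KC_HOSTNAME or as a `--hostname=` argument. `fixed_manifests()` is a corrected copy of the same trio, included to show the checks going quiet.

```python
"""Consistency checks for a Keycloak StatefulSet / Service / Ingress trio.

Added example, not code from the question or from Keycloak. The manifests are
constructed: hand-copied subsets of the question's first (non-working) set,
written as Python dicts so the checks run offline without PyYAML or kubectl.
"""
import copy

# Constructed: only the fields the checks look at are reproduced.
STATEFULSET = {
    "kind": "StatefulSet",
    "spec": {
        "serviceName": "keycloak-headless",
        "template": {
            "metadata": {"labels": {"app": "keycloak"}},
            "spec": {"containers": [{
                "name": "keycloak",
                "args": ["start"],
                "ports": [{"containerPort": 8080, "name": "http"},
                          {"containerPort": 8443, "name": "https"}],
                "env": [{"name": "KC_HOSTNAME"}, {"name": "KC_HTTPS_CERTIFICATE_FILE"}],
            }]},
        },
    },
}
SERVICES = [{
    "kind": "Service",
    "metadata": {"name": "keycloak-service"},
    "spec": {"type": "ClusterIP", "clusterIP": "None", "selector": {"app": "keycloak"},
             "ports": [{"name": "http", "port": 8080, "targetPort": 8080},
                       {"name": "https", "port": 8443, "targetPort": 8443}]},
}]
INGRESS = {
    "kind": "Ingress",
    "metadata": {"annotations": {"kubernetes.io/ingress.class": "gce"}},
    "spec": {"rules": [{"host": "houseofllm.com", "http": {"paths": [{
        "path": "/", "pathType": "Prefix",
        "backend": {"service": {"name": "keycloak-service", "port": {"number": 8080}}}}]}}]},
}


def check_manifests(statefulset, services, ingress):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    by_name = {s["metadata"]["name"]: s for s in services}
    pod = statefulset["spec"]["template"]
    container = pod["spec"]["containers"][0]
    env_names = {e["name"] for e in container.get("env", [])}
    args = container.get("args", [])
    http_ports = {p["containerPort"] for p in container.get("ports", []) if p.get("name") == "http"}

    # 1. spec.serviceName must name the governing (headless) Service, which must exist.
    governing = statefulset["spec"]["serviceName"]
    if governing not in by_name:
        findings.append(f"serviceName '{governing}' names no Service in the set")

    # 2. Each Service selector must match the pod template labels, or it has no endpoints.
    labels = pod["metadata"]["labels"]
    for name, svc in by_name.items():
        sel = svc["spec"].get("selector", {})
        if any(labels.get(k) != v for k, v in sel.items()):
            findings.append(f"Service '{name}' selector {sel} does not match pod labels {labels}")

    # 3. Ingress backends must reference an existing Service and one of its ports.
    is_gce = ingress["metadata"].get("annotations", {}).get("kubernetes.io/ingress.class") == "gce"
    # Production-mode 'start' serves no plain HTTP unless asked to; the legacy
    # KC_PROXY / --proxy=edge setting also turned it on.
    http_enabled = (bool({"KC_HTTP_ENABLED", "KC_PROXY"} & env_names)
                    or any(a.startswith(("--http-enabled", "--proxy")) for a in args))
    for rule in ingress["spec"]["rules"]:
        for path in rule["http"]["paths"]:
            backend = path["backend"]["service"]
            svc = by_name.get(backend["name"])
            if svc is None:
                findings.append(f"Ingress backend Service '{backend['name']}' does not exist")
                continue
            svc_ports = {p["port"]: p for p in svc["spec"]["ports"]}
            number = backend["port"]["number"]
            if number not in svc_ports:
                findings.append(f"Ingress backend port {number} is not exposed by '{backend['name']}'")
                continue
            # 4. The GCE controller cannot program a headless Service as a backend.
            if is_gce and svc["spec"].get("clusterIP") == "None":
                findings.append(f"'{backend['name']}' is headless; GCE Ingress needs NodePort "
                                "(or ClusterIP with a NEG annotation)")
            # 5. Routing to the plain-HTTP port while HTTP is disabled leaves the backend
            #    failing the load balancer's health check.
            if svc_ports[number].get("targetPort") in http_ports and not http_enabled:
                findings.append("Ingress targets the http port but neither KC_HTTP_ENABLED "
                                "nor KC_PROXY/--http-enabled is set")

    # 6. The hostname must be configured via env or via the start command (the answer's
    #    suggestion); either form satisfies this check.
    if "KC_HOSTNAME" not in env_names and not any(a.startswith("--hostname") for a in args):
        findings.append("no KC_HOSTNAME env var and no --hostname= start argument")
    return findings


def fixed_manifests():
    """A corrected copy of the same trio: consistent serviceName, NodePort, HTTP enabled."""
    sts, services, ingress = copy.deepcopy((STATEFULSET, SERVICES, INGRESS))
    sts["spec"]["serviceName"] = "keycloak-service"
    sts["spec"]["template"]["spec"]["containers"][0]["env"].append({"name": "KC_HTTP_ENABLED"})
    services[0]["spec"]["type"] = "NodePort"
    del services[0]["spec"]["clusterIP"]
    return sts, services, ingress


if __name__ == "__main__":
    for line in check_manifests(STATEFULSET, SERVICES, INGRESS):
        print("FINDING:", line)
    print("fixed set:", check_manifests(*fixed_manifests()) or "no findings")
```

Run against the question's first set, the checker reports three findings: the serviceName "keycloak-headless" has no matching Service, the Ingress backend is a headless Service, and the Ingress sends the load balancer's health check to port 8080 while nothing enables Keycloak's HTTP listener. The hostname check passes because KC_HOSTNAME is set from the ConfigMap. The corrected copy produces no findings.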