I have a Kubernetes cluster in which I have deployed the following Deployment and Service:
apiVersion: v1
kind: Service
metadata:
  name: keycloak
  labels:
    app: keycloak
    name: keycloak
spec:
  type: NodePort
  ports:
    - name: http
      protocol: TCP
      port: 8080
  selector:
    app: keycloak
    name: keycloak
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  labels:
    name: keycloak
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      name: keycloak
      labels:
        app: keycloak
        name: keycloak
    spec:
      restartPolicy: Always
      containers:
        - name: keycloak
          image: jboss/keycloak
          ports:
            - containerPort: 8080
              protocol: TCP
          resources:
            requests:
              cpu: 200m
              memory: 256Mi
            limits:
              cpu: 400m
              memory: 512Mi
          env:
            - name: KEYCLOAK_LOGLEVEL
              value: "DEBUG"
            - name: PROXY_ADDRESS_FORWARDING
              value: "true"
            - name: KEYCLOAK_USER
              value: "admin"
            - name: KEYCLOAK_PASSWORD
              value: "password"
            - name: DB_USER
              valueFrom:
                secretKeyRef:
                  name: postgres-secret
                  key: username
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: postgres-secret
                  key: password
            - name: DB_ADDR
              valueFrom:
                configMapKeyRef:
                  name: postgres-configmap
                  key: HOST
            - name: DB_PORT
              valueFrom:
                configMapKeyRef:
                  name: postgres-configmap
                  key: PORT
            - name: DB_DATABASE
              valueFrom:
                configMapKeyRef:
                  name: postgres-configmap
                  key: DATABASE
            - name: DB_VENDOR
              value: "postgres"
The logs of the pod running Keycloak confirm that Keycloak is up and is using the Postgres database I provided. I tried adding the following Ingress rule:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: keycloak
  annotations:
    kubernetes.io/tls-acme: "true"
    kubernetes.io/ingress.class: "nginx"
    ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  rules:
    - host: auth.mydomain.com
      http:
        paths:
          - path: /
            backend:
              serviceName: keycloak
              servicePort: 8080
          - path: /auth
            backend:
              serviceName: keycloak
              servicePort: 8080
and I can reach the Keycloak home page, but as soon as I click on the Administration Console I keep getting the error:
We're sorry .... HTTPS required
Setting the PROXY_ADDRESS_FORWARDING variable to "true" did not help. I don't want to just run Keycloak on port 8443, so I am really looking for a different solution.
You need to set up TLS termination in the Ingress:
spec:
  tls:
    - hosts:
        - auth.mydomain.com
      secretName: tls-secret
with a secret created that holds the certificate for auth.mydomain.com:
apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
  namespace: default
type: kubernetes.io/tls
data:
  tls.crt: LS0S[...]0tLhsrQo=
  tls.key: LS0t[...]LS1CRUdJ=
This makes your ingress controller terminate TLS with the provided certificate and forward plain HTTP traffic to your keycloak service.
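As an added example (not part of the original answer), the shell script below shows the procedure end to end: it generates a stand-in self-signed certificate for auth.mydomain.com (the real one would be CA-issued, or requested by an ACME controller via the kubernetes.io/tls-acme annotation the Ingress already carries), builds the kubernetes.io/tls Secret manifest, and then checks that the certificate inside the manifest really is for the Ingress host before anything is applied. The host, secret name and working directory are assumptions taken from the question; openssl and base64 are assumed to be on PATH. The reason the tls block cures the error: once the nginx ingress controller terminates TLS it sets X-Forwarded-Proto: https on the request it proxies to Keycloak, and because PROXY_ADDRESS_FORWARDING is "true" Keycloak trusts that header and treats the request as HTTPS, which the admin console requires for non-local addresses (its default sslRequired is external). Without TLS at the ingress the header says http and Keycloak refuses with "HTTPS required".

```shell
#!/bin/sh
# Added example, not code from the original post.
# Build a kubernetes.io/tls Secret for the Ingress host and verify its contents.
# Assumptions: openssl and base64 on PATH; self-signed cert is a placeholder for
# the CA-issued one; names below are taken from the question.
set -eu

HOST="auth.mydomain.com"
SECRET_NAME="tls-secret"
WORKDIR="${TMPDIR:-/tmp}/tls-example.$$"

# Generate a throwaway self-signed key pair whose CN is the Ingress host.
# (Placeholder only: in production the cert comes from a CA or an ACME controller.)
gen_selfsigned() {
    mkdir -p "$WORKDIR"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$HOST" -keyout "$WORKDIR/tls.key" -out "$WORKDIR/tls.crt" \
        >/dev/null 2>&1
}

# Emit the Secret manifest. The type must be kubernetes.io/tls and the data keys
# must be named exactly tls.crt and tls.key, otherwise the ingress controller
# ignores the secret and serves its default (fake) certificate instead.
# Equivalent one-liner once the files exist:
#   kubectl create secret tls tls-secret --cert=tls.crt --key=tls.key
secret_manifest() {
    crt=$(base64 < "$WORKDIR/tls.crt" | tr -d '\n')
    key=$(base64 < "$WORKDIR/tls.key" | tr -d '\n')
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $SECRET_NAME
  namespace: default
type: kubernetes.io/tls
data:
  tls.crt: $crt
  tls.key: $key
EOF
}

# Check: read tls.crt back out of a manifest on stdin, decode it and print the
# certificate's CN. Works with both "subject=CN = x" and "subject= /CN=x" output.
cert_cn_from_manifest() {
    sed -n 's/^  tls\.crt: //p' | base64 -d | openssl x509 -noout -subject \
        | sed 's/.*CN *= *//'
}

# Returns 0 only if the cert inside the manifest is for the Ingress host;
# a mismatch here is what later shows up as a browser certificate warning.
verify_manifest() {
    cn=$(secret_manifest | cert_cn_from_manifest)
    [ "$cn" = "$HOST" ]
}

# Stand-alone usage: generate, verify, then print the manifest for kubectl apply -f -.
if [ "${1:-}" = "run" ]; then
    gen_selfsigned
    verify_manifest && secret_manifest
    rm -rf "$WORKDIR"
fi
```

Run it as `sh make-tls-secret.sh run | kubectl apply -f -`, then add the tls block from the answer to the Ingress. The verification step matters because a Secret with the right name but the wrong certificate (or with keys not named tls.crt/tls.key) is silently skipped by the nginx controller, which then falls back to its self-signed default certificate and the admin console still fails to load cleanly.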