我有一个带有 Spring Boot 应用程序的 minikube Kubernetes 集群,该应用程序对在同一集群中运行的 Keycloak 服务器进行 SecurityFilterChain 身份验证。 “mps.internal”指向 127.0.0.1。该应用程序和 Keycloak 可通过“mps.internal”使用。
问题是 Spring Boot 应用程序 Pod 在尝试验证 JWT 令牌时返回“连接被拒绝”。
Caused by: org.springframework.web.reactive.function.client.WebClientRequestException: finishConnect(..) failed: Connection refused: mps.internal/127.0.0.1:80
at org.springframework.web.reactive.function.client.ExchangeFunctions$DefaultExchangeFunction.lambda$wrapException$9(ExchangeFunctions.java:136) ~[spring-webflux-6.1.10.jar:6.1.10]
Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException:
Error has been observed at the following site(s):
*__checkpoint ⇢ Request to GET http://mps.internal/auth/realms/mps/.well-known/openid-configuration [DefaultWebClient]
Spring Boot应用部署和服务:
apiVersion: apps/v1
kind: Deployment
metadata:
name: composite-product
labels:
app: composite-product
spec:
replicas: 1
selector:
matchLabels:
app: composite-product
template:
metadata:
labels:
app: composite-product
spec:
containers:
- name: composite-product
image: hands-on/composite-product
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
name: composite-product-service
spec:
selector:
app: composite-product
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
Keycloak部署和服务:
apiVersion: apps/v1
kind: Deployment
metadata:
name: keycloak
spec:
replicas: 1
selector:
matchLabels:
app: keycloak
template:
metadata:
labels:
app: keycloak
spec:
containers:
- name: keycloak
image: quay.io/keycloak/keycloak:25.0.2
args: ["start-dev"]
ports:
- containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
name: keycloak-service
spec:
selector:
app: keycloak
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
这是入口配置:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress
spec:
rules:
- host: mps.internal
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: composite-product-service
port:
number: 8080
- path: /auth
pathType: Prefix
backend:
service:
name: keycloak-service
port:
number: 8080
应用程序的应用程序 yaml:
springdoc:
swagger-ui.path: /openapi/swagger-ui.html
api-docs.path: /openapi/v3/api-docs
pathsToMatch: /**
swagger-ui:
oauth2-redirect-url: /swagger-ui/oauth2-redirect.html
oAuthFlow:
authorizationUrl: http://mps.internal/auth/realms/${APP_KEYCLOAK_REALM}/protocol/openid-connect/auth
tokenUrl: http://mps.internal/auth/realms/${APP_KEYCLOAK_REALM}/protocol/openid-connect/token
spring.security.oauth2.resourceserver.jwt.issuer-uri: http://mps.internal/auth/realms/${APP_KEYCLOAK_REALM}
该项目可在 GitHub 上获取:
有什么我错过的吗,已经尝试了我想到的一切,但还无法修复它。
我有理由相信错误是由于入口造成的。不要通过入口,尝试直接使用
http://keycloak-service:8080
调用 Keycloak 服务,看看是否有效。此外,您正在尝试将 Keycloak 与基于路径的路由一起使用,我不确定 Keycloak 是否支持这一点。即使您的应用程序能够连接,也很可能最终会给出 404 未找到错误,因为路径无法识别。
还需要注意的是,错误显示“mps.internal/127.0.0.1:80”,这不是一个有效的 URL。