I have a Kubernetes cluster in which I deployed the following Deployment and Service:

apiVersion: v1
kind: Service
metadata:
  name: keycloak
  labels:
    app: keycloak
    name: keycloak
spec:
  type: NodePort
  ports:
  - name: http
    protocol: TCP
    port: 8080
  selector:
    app: keycloak
    name: keycloak
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  labels:
    name: keycloak
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      name: keycloak
      labels:
        app: keycloak
        name: keycloak
    spec:
      restartPolicy: Always
      containers:
      - name: keycloak
        image: jboss/keycloak
        ports:
        - containerPort: 8080
          protocol: TCP
        resources:
          requests:
            cpu: 200m
            memory: 256Mi
          limits:
            cpu: 400m
            memory: 512Mi
        env:
        - name: KEYCLOAK_LOGLEVEL
          value: "DEBUG"
        - name: PROXY_ADDRESS_FORWARDING
          value: "true"
        - name: KEYCLOAK_USER
          value: "admin"
        - name: KEYCLOAK_PASSWORD
          value: "password"
        - name: DB_USER
          valueFrom:
            secretKeyRef:
              name: postgres-secret
              key: username
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: postgres-secret
              key: password
        - name: DB_ADDR
          valueFrom:
            configMapKeyRef:
              name: postgres-configmap
              key: HOST
        - name: DB_PORT
          valueFrom:
            configMapKeyRef:
              name: postgres-configmap
              key: PORT
        - name: DB_DATABASE
          valueFrom:
            configMapKeyRef:
              name: postgres-configmap
              key: DATABASE
        - name: DB_VENDOR
          value: "postgres"
The logs of the pod running Keycloak confirm that Keycloak is up and is using the provided Postgres database. I tried adding the following Ingress rule:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: keycloak
  annotations:
    kubernetes.io/tls-acme: "true"
    kubernetes.io/ingress.class: "nginx"
    ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  rules:
  - host: auth.mydomain.com
    http:
      paths:
      - path: /
        backend:
          serviceName: keycloak
          servicePort: 8080
      - path: /auth
        backend:
          serviceName: keycloak
          servicePort: 8080
With this I can reach the Keycloak home page, but as soon as I click on the Administration Console I always get the error message: We're sorry .... HTTPS required
Setting the PROXY_ADDRESS_FORWARDING variable to "true" does not help. I don't want to simply run Keycloak on port 8443, so I'm really looking for another solution.
Answer 0 (score: 0)

You need to set up TLS termination inside the Ingress:

spec:
  tls:
  - hosts:
    - auth.mydomain.com
    secretName: tls-secret
with a Secret created that contains the certificate for auth.mydomain.com:

apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
  namespace: default
type: kubernetes.io/tls
data:
  tls.crt: LS0S[...]0tLhsrQo=
  tls.key: LS0t[...]LS1CRUdJ=
This makes your ingress controller terminate TLS with the provided certificate and forward unencrypted HTTP traffic to your keycloak service.
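As an added example (not part of the question or answer above), a small Ruby check that reads Ingress and Deployment manifests and reports the two conditions behind the "HTTPS required" error: a routed host with no matching spec.tls entry, and PROXY_ADDRESS_FORWARDING not set to "true" so Keycloak would ignore the ingress's X-Forwarded-Proto header. It also flags the admin password given as a literal env value, since the poster's manifest does that. The embedded manifests are a constructed, trimmed version of the question's YAML, and check_keycloak_manifests is a hypothetical helper name.

```ruby
require 'yaml'
# Constructed sample (not the poster's full manifests): the question's Ingress
# before the answer's spec.tls block is added, plus the Keycloak container's
# env entries that the checks look at.
SAMPLE = <<~YAML
  kind: Ingress
  metadata: {name: keycloak}
  spec:
    rules:
    - host: auth.mydomain.com
      http: {paths: [{path: /, backend: {serviceName: keycloak, servicePort: 8080}}]}
  ---
  kind: Deployment
  metadata: {name: keycloak}
  spec:
    template:
      spec:
        containers:
        - name: keycloak
          image: jboss/keycloak
          env:
          - {name: PROXY_ADDRESS_FORWARDING, value: "true"}
          - {name: KEYCLOAK_PASSWORD, value: "password"}
YAML

# Returns human-readable findings explaining why Keycloak behind this ingress
# would answer "HTTPS required", or why the manifest exposes the admin password.
def check_keycloak_manifests(yaml_text)
  findings = []
  docs = YAML.load_stream(yaml_text).compact
  docs.select { |d| d['kind'] == 'Ingress' }.each do |ing|
    # Every host routed by a rule must also appear under spec.tls; otherwise the
    # ingress controller serves it over plain HTTP and Keycloak sees http://.
    tls_hosts = (ing.dig('spec', 'tls') || []).flat_map { |t| t['hosts'] || [] }
    (ing.dig('spec', 'rules') || []).each do |rule|
      next if tls_hosts.include?(rule['host'])
      findings << "Ingress #{ing.dig('metadata', 'name')}: host #{rule['host']} has no spec.tls entry"
    end
  end
  docs.select { |d| d['kind'] == 'Deployment' }.each do |dep|
    (dep.dig('spec', 'template', 'spec', 'containers') || []).each do |c|
      env = (c['env'] || []).to_h { |e| [e['name'], e] }
      # Keycloak only honours X-Forwarded-Proto from the ingress when this is "true".
      findings << "container #{c['name']}: PROXY_ADDRESS_FORWARDING is not \"true\"" unless env.dig('PROXY_ADDRESS_FORWARDING', 'value') == 'true'
      # A literal admin password in the manifest belongs in a Secret via secretKeyRef.
      findings << "container #{c['name']}: KEYCLOAK_PASSWORD is a literal value, not a secretKeyRef" if env.dig('KEYCLOAK_PASSWORD', 'value')
    end
  end
  findings
end
```

Run it against the real manifests with `check_keycloak_manifests(File.read('keycloak.yaml'))`; an empty result means the ingress terminates TLS for every routed host and Keycloak will trust the forwarded scheme.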