
Keycloak in Kubernetes: 503 Service Temporarily Unavailable

Following the instructions on the Keycloak docs site below, I'm trying to set up Keycloak to run in a Kubernetes cluster. I have an Ingress Controller set up which successfully works for a simple test page. Cloudflare points the domain to the ingress controller's IP.

Keycloak deploys successfully (Admin console listening on http://127.0.0.1:9990), but when going to the domain I get a message from NGINX: 503 Service Temporarily Unavailable.

https://www.keycloak.org/getting-started/getting-started-kube

Here's the Kubernetes config:

apiVersion: v1
kind: Service
metadata:
  name: keycloak-cip
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: 8080
  selector:
    name: keycloak
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    service.beta.kubernetes.io/linode-loadbalancer-default-protocol: https
    service.beta.kubernetes.io/linode-loadbalancer-port-443: '{ "tls-secret-name": "my-secret", "protocol": "https" }'
spec:
  rules:
    - host: my.domain.com
      http:
        paths:
          - backend:
              serviceName: keycloak-cip
              servicePort: 8080
  tls:
    - hosts:
        - my.domain.com
      secretName: my-secret
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  namespace: default
  labels:
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
        - name: keycloak
          image: quay.io/keycloak/keycloak:12.0.3
          env:
            - name: KEYCLOAK_USER
              value: "admin"
            - name: KEYCLOAK_PASSWORD
              value: "admin"
            - name: PROXY_ADDRESS_FORWARDING
              value: "true"
          ports:
            - name: http
              containerPort: 8080
            - name: https
              containerPort: 8443
          readinessProbe:
            httpGet:
              path: /auth/realms/master
              port: 8080
            initialDelaySeconds: 90
            periodSeconds: 5
            failureThreshold: 30
            successThreshold: 1
  revisionHistoryLimit: 1


Edit:

TLS should be handled by the ingress controller.

--

Edit 2:

If I go into the controller using kubectl exec, I can do curl -L http://127.0.0.1:8080/auth which successfully retrieves the page: <title>Welcome to Keycloak</title>. So I'm sure that keycloak is running. It's just that either traffic doesn't reach the pod, or keycloak doesn't respond.

If I use the ClusterIP instead but otherwise keep the call above the same, I get a Connection timed out. I tried both ports 80 and 8080 with the same result.

The following configuration is required to run keycloak behind an ingress controller:

- name: PROXY_ADDRESS_FORWARDING
  value: "true"
- name: KEYCLOAK_HOSTNAME
  value: "my.domain.com"

So I think adding the correct KEYCLOAK_HOSTNAME value should solve your issue.

I had a similar issue with Traefik Ingress Controller: Can't expose Keycloak Server on AWS with Traefik Ingress Controller and AWS HTTPS Load Balancer

You can find the full code of my configuration here: https://github.com/skyglass-examples/user-management-keycloak

Hello, have you tried to add this line:

nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"

It looks like it is missing from your config file, which results in the 503 error; check this for more input on the config of K8s.
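
An added example, not part of the original question or answers: ingress-nginx returns 503 when the backend it is pointed at has no usable endpoints, so it is worth cross-checking the label selector and port references in the question's manifests. The manifests below are trimmed copies of the question's YAML written as Python dicts, and `check_wiring` is a hypothetical helper name.

```python
# Added example: cross-check Ingress -> Service -> Pod wiring before deploying.
# Manifests are trimmed copies of the question's YAML, written as Python dicts.
SERVICE = {
    "metadata": {"name": "keycloak-cip"},
    "spec": {"ports": [{"port": 80, "targetPort": 8080}],
             "selector": {"name": "keycloak"}},
}
INGRESS_BACKEND = {"serviceName": "keycloak-cip", "servicePort": 8080}
DEPLOYMENT = {
    "metadata": {"name": "keycloak"},
    "spec": {"template": {"metadata": {"labels": {"app": "keycloak"}}}},
}


def check_wiring(service, backend, deployment):
    """Return a list of findings; an empty list means the chain is consistent."""
    findings = []
    labels = deployment["spec"]["template"]["metadata"].get("labels", {})
    selector = service["spec"].get("selector", {})
    # A Service only gets endpoints from pods that carry every selector pair.
    unmatched = {k: v for k, v in selector.items() if labels.get(k) != v}
    if unmatched:
        findings.append(f"Service selector {unmatched} matches no pod; pod labels are {labels}")
    # The Ingress backend must name the Service and one of its ports
    # (by number or by port name), not the pod's targetPort.
    if backend["serviceName"] != service["metadata"]["name"]:
        findings.append(f"Ingress backend names unknown Service {backend['serviceName']!r}")
    ports = service["spec"]["ports"]
    valid = [p["port"] for p in ports] + [p["name"] for p in ports if "name" in p]
    if backend["servicePort"] not in valid:
        findings.append(f"Ingress servicePort {backend['servicePort']} is not a Service port {valid}")
    return findings


if __name__ == "__main__":
    for finding in check_wiring(SERVICE, INGRESS_BACKEND, DEPLOYMENT):
        print("FINDING:", finding)
```

On a live cluster, `kubectl get endpoints keycloak-cip` shows the same condition directly: an empty ENDPOINTS column means no pod matches the Service selector.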
