Can't expose Keycloak Server on AWS with Traefik Ingress Controller and AWS HTTPS Load Balancer
I have successfully exposed two microservices on AWS with Traefik Ingress Controller and AWS HTTPS Load Balancer on my registered domain.
Here is the source code: https://github.com/skyglass-examples/user-management-keycloak
I can easily access both microservices via https URLs:
https://users.skycomposer.net/usermgmt/swagger-ui/index.html
https://users.skycomposer.net/whoami
So, it seems that Traefik Ingress Controller and AWS HTTPS Load Balancer are configured correctly.
Unfortunately, Keycloak Server doesn't work in this environment. When I try to access it by https URL:
https://users.skycomposer.net/keycloak
I receive the following response:
404 page not found
Am I missing something in my configuration?
Here are some keycloak kubernetes manifests which I use:
keycloak-config.yaml:
apiVersion: v1
kind: ConfigMap
metadata:
  name: keycloak
data:
  KEYCLOAK_USER: admin@keycloak
  KEYCLOAK_MGMT_USER: mgmt@keycloak
  JAVA_OPTS_APPEND: '-Djboss.bind.address.management=0.0.0.0'
  PROXY_ADDRESS_FORWARDING: 'true'
  KEYCLOAK_LOGLEVEL: INFO
  ROOT_LOGLEVEL: INFO
  DB_VENDOR: H2
keycloak-deployment.yaml:
kind: Deployment
apiVersion: apps/v1
metadata:
  name: keycloak
  labels:
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
        - name: keycloak
          image: jboss/keycloak:12.0.4
          imagePullPolicy: Always
          ports:
            - containerPort: 9990
              hostPort: 9990
          volumeMounts:
            - name: keycloak-data
              mountPath: /opt/jboss/keycloak/standalone/data
          env:
            - name: KEYCLOAK_USER
              valueFrom:
                configMapKeyRef:
                  name: keycloak
                  key: KEYCLOAK_USER
            - name: KEYCLOAK_MGMT_USER
              valueFrom:
                configMapKeyRef:
                  name: keycloak
                  key: KEYCLOAK_MGMT_USER
            - name: JAVA_OPTS_APPEND
              valueFrom:
                configMapKeyRef:
                  name: keycloak
                  key: JAVA_OPTS_APPEND
            - name: DB_VENDOR
              valueFrom:
                configMapKeyRef:
                  name: keycloak
                  key: DB_VENDOR
            - name: PROXY_ADDRESS_FORWARDING
              valueFrom:
                configMapKeyRef:
                  name: keycloak
                  key: PROXY_ADDRESS_FORWARDING
            - name: KEYCLOAK_LOGLEVEL
              valueFrom:
                configMapKeyRef:
                  name: keycloak
                  key: KEYCLOAK_LOGLEVEL
            - name: ROOT_LOGLEVEL
              valueFrom:
                configMapKeyRef:
                  name: keycloak
                  key: ROOT_LOGLEVEL
            - name: KEYCLOAK_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak
                  key: KEYCLOAK_PASSWORD
            - name: KEYCLOAK_MGMT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak
                  key: KEYCLOAK_MGMT_PASSWORD
      volumes:
        - name: keycloak-data
          persistentVolumeClaim:
            claimName: keycloak-pvc
keycloak-service.yaml:
apiVersion: v1
kind: Service
metadata:
  name: keycloak
spec:
  ports:
    - protocol: TCP
      name: web
      port: 80
      targetPort: 9990
  selector:
    app: keycloak
traefik-ingress.yaml:
apiVersion: networking.k8s.io/v1beta1
kind: IngressClass
metadata:
  name: traefik-lb
spec:
  controller: traefik.io/ingress-controller
---
apiVersion: "networking.k8s.io/v1beta1"
kind: "Ingress"
metadata:
  name: "traefik-usermgmt-ingress"
spec:
  ingressClassName: "traefik-lb"
  rules:
    - host: "keycloak.skycomposer.net"
      http:
        paths:
          - path: "/usermgmt"
            backend:
              serviceName: "usermgmt"
              servicePort: 80
---
apiVersion: "networking.k8s.io/v1beta1"
kind: "Ingress"
metadata:
  name: "traefik-whoami-ingress"
spec:
  ingressClassName: "traefik-lb"
  rules:
    - host: "keycloak.skycomposer.net"
      http:
        paths:
          - path: "/whoami"
            backend:
              serviceName: "whoami"
              servicePort: 80
---
apiVersion: "networking.k8s.io/v1beta1"
kind: "Ingress"
metadata:
  name: "traefik-keycloak-ingress"
spec:
  ingressClassName: "traefik-lb"
  rules:
    - host: "keycloak.skycomposer.net"
      http:
        paths:
          - path: "/keycloak"
            backend:
              serviceName: "keycloak"
              servicePort: 80
See all other files on my github: https://github.com/skyglass-examples/user-management-keycloak
I also checked the logs for the keycloak pod, running on my K3S Kubernetes Cluster:
20:57:34,147 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 12.0.4 (WildFly Core 13.0.3.Final) started in 43054ms - Started 687 of 972 services (687 services are lazy, passive or on-demand)
20:57:34,153 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management
20:57:34,153 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
Everything seems to be fine, Admin console is listening on http://127.0.0.1:9990
I also tried using the 9990 target port in the deployment and service manifests, instead of 8080, but still the same result.
Right - the admin console is listening on 127.0.0.1. This is not the outside world interface. This is "localhost".
You have two choices here. You can start Keycloak with a command line argument like:
bin/standalone.sh -Djboss.bind.address.management=0.0.0.0
This starts the management console on port 9990 but on the 0.0.0.0 interface, which is to say all interfaces. So you can still connect to it on localhost but it will now be listening on other (i.e. Ethernet) interfaces.
Another option is to modify the standalone/configuration/standalone.xml file and change:
<interfaces>
  <interface name="management">
    <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
  </interface>
  <interface name="public">
    <inet-address value="${jboss.bind.address:127.0.0.1}"/>
  </interface>
</interfaces>
to just be:
<interfaces>
  <interface name="management">
    <inet-address value="0.0.0.0"/>
  </interface>
  <interface name="public">
    <inet-address value="${jboss.bind.address:127.0.0.1}"/>
  </interface>
</interfaces>
or whatever address you'd like Keycloak to listen on. Of course, you can change the public address too if you'd like.
Note that the port is controlled in a different way. The standard way of controlling this is to run with something like:
bin/standalone.sh -Djboss.socket.binding.port-offset=1000
In this example all ports have 1000 added to them. So the management port went from 9990 to 10990 as 1000 was added to the base.
As a general statement I usually place a proxy (AJP or HTTP) in front of all of my Wildfly servers. That way none of this matters and your proxy connects to, for example, 127.0.0.1, port 9990. But, of course, that's up to you.
I have found one small workaround, but unfortunately, this is not the best solution for me.
I forwarded the port:
kubectl port-forward --address 0.0.0.0 service/keycloak 32080:http
Now Keycloak Server is available on:
http://localhost:32080/auth/
But how do I make it available externally at this URL?
https://keycloak.skycomposer.net/keycloak/auth
It is still not clear to me why keycloak is not visible from the outside with my current configuration.
Finally solved the issue.
The following configuration is required to run keycloak behind traefik:
PROXY_ADDRESS_FORWARDING=true
KEYCLOAK_HOSTNAME=${YOUR_KEYCLOAK_HOSTNAME}
Also, I had to use the root path "/" for the ingress rule:
apiVersion: "networking.k8s.io/v1beta1"
kind: "Ingress"
metadata:
  name: "traefik-keycloak-ingress"
spec:
  ingressClassName: "traefik-lb"
  rules:
    - host: "keycloak.skycomposer.net"
      http:
        paths:
          - path: "/"
            backend:
              serviceName: "keycloak"
              servicePort: 80
Here, you can find other configuration properties which you might find useful: https://github.com/Artiume/docker/blob/master/traefik-SSO.yml
Believe it or not, this is the only resource on the internet which mentioned KEYCLOAK_HOSTNAME to fix my problem. Two days of searching by keyword "keycloak traefik 404" and no results!
You can find the full fixed code, with correct configuration, on my github: https://github.com/skyglass-examples/user-management-keycloak
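A post-deployment check for the fix described in this answer, added here as an example that is not part of the original question or answers: it inspects Keycloak's OpenID discovery document and verifies that every advertised URL uses https and the public hostname (which is what PROXY_ADDRESS_FORWARDING and KEYCLOAK_HOSTNAME control behind Traefik) and sits under Keycloak 12's /auth context (the reason the ingress path had to be "/"). Both sample documents are constructed; the function name, the "broken"/"fixed" samples and the `public_host` parameter are my own assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the discovery document a WildFly-based Keycloak serves when
# it is reached through a proxy WITHOUT PROXY_ADDRESS_FORWARDING / KEYCLOAK_HOSTNAME.
# It builds its URLs from the internal scheme and Host header it saw.
BROKEN_DISCOVERY = json.dumps({
    "issuer": "http://keycloak:80/auth/realms/master",
    "authorization_endpoint": "http://keycloak:80/auth/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "http://keycloak:80/auth/realms/master/protocol/openid-connect/token",
})

# Constructed sample: the same document once both variables and the "/" ingress
# path are in place, so OIDC clients are handed the public https URLs.
FIXED_DISCOVERY = json.dumps({
    "issuer": "https://keycloak.skycomposer.net/auth/realms/master",
    "authorization_endpoint": "https://keycloak.skycomposer.net/auth/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.skycomposer.net/auth/realms/master/protocol/openid-connect/token",
})

URL_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint")


def check_discovery(document: str, public_host: str) -> list:
    """Return the problems found in a discovery document; an empty list means OK.

    A client that trusts an http:// or internal-host URL here would send
    authorization codes and tokens to the wrong place, so every URL must be
    https://<public_host>/auth/... with no explicit port.
    """
    doc = json.loads(document)
    problems = []
    for field in URL_FIELDS:
        value = doc.get(field)
        if value is None:
            problems.append(f"{field}: missing")
            continue
        parts = urlsplit(value)
        if parts.scheme != "https":
            problems.append(f"{field}: scheme is {parts.scheme!r}, expected https")
        if parts.hostname != public_host or parts.port is not None:
            problems.append(f"{field}: host is {parts.netloc!r}, expected {public_host!r}")
        if not parts.path.startswith("/auth/"):
            problems.append(f"{field}: path {parts.path!r} is not under /auth/")
    return problems


if __name__ == "__main__":
    for name, doc in (("broken", BROKEN_DISCOVERY), ("fixed", FIXED_DISCOVERY)):
        print(name, check_discovery(doc, "keycloak.skycomposer.net") or "OK")
```

Against a live deployment, feed it the body of https://<your-host>/auth/realms/<realm>/.well-known/openid-configuration; if the issuer still shows an internal host or http, the proxy headers or hostname setting are not reaching Keycloak.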