Can't expose Keycloak Server on AWS with Traefik Ingress Controller and AWS HTTPS Load Balancer


Question

I have successfully exposed two microservices on AWS with Traefik Ingress Controller and AWS HTTPS Load Balancer on my registered domain.

Here is the source code: https://github.com/skyglass-examples/user-management-keycloak

I can easily access both microservices with an https url:

https://users.skycomposer.net/usermgmt/swagger-ui/index.html
https://users.skycomposer.net/whoami

So, it seems that the Traefik Ingress Controller and the AWS HTTPS Load Balancer are configured correctly.

Unfortunately, Keycloak Server doesn't work in this environment. When I try to access it by https url:

https://users.skycomposer.net/keycloak

I get the following response:

404 page not found

Am I missing something in my configuration?

Here are some of the keycloak kubernetes manifests that I use:

keycloak-config.yaml:

apiVersion: v1
kind: ConfigMap
metadata:
  name: keycloak
data:
  KEYCLOAK_USER: admin@keycloak
  KEYCLOAK_MGMT_USER: mgmt@keycloak
  JAVA_OPTS_APPEND: '-Djboss.bind.address.management=0.0.0.0'
  PROXY_ADDRESS_FORWARDING: 'true'
  KEYCLOAK_LOGLEVEL: INFO
  ROOT_LOGLEVEL: INFO
  DB_VENDOR: H2

keycloak-deployment.yaml:

kind: Deployment
apiVersion: apps/v1
metadata:
  name: keycloak
  labels:
    app: keycloak

spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
        - name: keycloak
          image: jboss/keycloak:12.0.4
          imagePullPolicy: Always
          ports:
            - containerPort: 9990
              hostPort: 9990
          volumeMounts:
            - name: keycloak-data
              mountPath: /opt/jboss/keycloak/standalone/data
          env:
            - name: KEYCLOAK_USER
              valueFrom:
                configMapKeyRef:
                  name: keycloak
                  key: KEYCLOAK_USER
            - name: KEYCLOAK_MGMT_USER
              valueFrom:
                configMapKeyRef:
                  name: keycloak
                  key: KEYCLOAK_MGMT_USER
            - name: JAVA_OPTS_APPEND
              valueFrom:
                configMapKeyRef:
                  name: keycloak
                  key: JAVA_OPTS_APPEND
            - name: DB_VENDOR
              valueFrom:
                configMapKeyRef:
                  name: keycloak
                  key: DB_VENDOR
            - name: PROXY_ADDRESS_FORWARDING
              valueFrom:
                configMapKeyRef:
                  name: keycloak
                  key: PROXY_ADDRESS_FORWARDING
            - name: KEYCLOAK_LOGLEVEL
              valueFrom:
                configMapKeyRef:
                  name: keycloak
                  key: KEYCLOAK_LOGLEVEL
            - name: ROOT_LOGLEVEL
              valueFrom:
                configMapKeyRef:
                  name: keycloak
                  key: ROOT_LOGLEVEL
            - name: KEYCLOAK_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak
                  key: KEYCLOAK_PASSWORD
            - name: KEYCLOAK_MGMT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak
                  key: KEYCLOAK_MGMT_PASSWORD
      volumes:
        - name: keycloak-data
          persistentVolumeClaim:
            claimName: keycloak-pvc

keycloak-service.yaml:

apiVersion: v1
kind: Service
metadata:
  name: keycloak

spec:
  ports:
    - protocol: TCP
      name: web
      port: 80
      targetPort: 9990
  selector:
    app: keycloak

traefik-ingress.yaml:

apiVersion: networking.k8s.io/v1beta1
kind: IngressClass
metadata:
  name: traefik-lb
spec:
  controller: traefik.io/ingress-controller

---
apiVersion: "networking.k8s.io/v1beta1"
kind: "Ingress"
metadata:
  name: "traefik-usermgmt-ingress"
spec:
  ingressClassName: "traefik-lb"
  rules:
  - host: "keycloak.skycomposer.net"
    http:
      paths:
      - path: "/usermgmt"
        backend:
          serviceName: "usermgmt"
          servicePort: 80


---
apiVersion: "networking.k8s.io/v1beta1"
kind: "Ingress"
metadata:
  name: "traefik-whoami-ingress"
spec:
  ingressClassName: "traefik-lb"
  rules:
  - host: "keycloak.skycomposer.net"
    http:
      paths:
      - path: "/whoami"
        backend:
          serviceName: "whoami"
          servicePort: 80


---
apiVersion: "networking.k8s.io/v1beta1"
kind: "Ingress"
metadata:
  name: "traefik-keycloak-ingress"
spec:
  ingressClassName: "traefik-lb"
  rules:
  - host: "keycloak.skycomposer.net"
    http:
      paths:
      - path: "/keycloak"
        backend:
          serviceName: "keycloak"
          servicePort: 80

See all other files on my github: https://github.com/skyglass-examples/user-management-keycloak

I also checked the logs of the keycloak pod running on my K3S Kubernetes Cluster:

20:57:34,147 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 12.0.4 (WildFly Core 13.0.3.Final) started in 43054ms - Started 687 of 972 services (687 services are lazy, passive or on-demand)
20:57:34,153 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management
20:57:34,153 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990

Everything seems to be fine; the Admin console is listening on http://127.0.0.1:9990

I also tried using 9990 as the target port in the deployment and service manifests, instead of 8080, but still got the same result.

Accepted answer

Finally solved this issue.

The following configuration is required to run keycloak behind traefik:

  PROXY_ADDRESS_FORWARDING=true
  KEYCLOAK_HOSTNAME=${YOUR_KEYCLOAK_HOSTNAME}

Also, I had to use the root path "/" for the ingress rule:

apiVersion: "networking.k8s.io/v1beta1"
kind: "Ingress"
metadata:
  name: "traefik-keycloak-ingress"
spec:
  ingressClassName: "traefik-lb"
  rules:
  - host: "keycloak.skycomposer.net"
    http:
      paths:
      - path: "/"
        backend:
          serviceName: "keycloak"
          servicePort: 80

Here you can find other configuration properties which you might find useful: https://github.com/Artiume/docker/blob/master/traefik-SSO.yml

Believe it or not, this is the only resource on the internet that mentioned KEYCLOAK_HOSTNAME to fix my problem. Two days of searching by the keyword "keycloak traefik 404" and no results!

You can find the full fixed code, with the correct configuration, on my github: https://github.com/skyglass-examples/user-management-keycloak
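As an added example (not part of the question or the answer, and not code from the linked repository), here is a small Python check a practitioner can run after applying the fix. It reads the realm's OpenID discovery document, which Keycloak 12 serves under /auth/realms/<realm>/.well-known/openid-configuration, and reports every advertised endpoint that still points at an internal host or plain http. Those are exactly the symptoms of a missing KEYCLOAK_HOSTNAME (wrong host) or a proxy whose X-Forwarded-Proto is not honoured (wrong scheme): clients get redirected to an unreachable address and issuer checks on tokens fail. The sample documents, the realm name master and the public hostname keycloak.skycomposer.net are constructed for the example; the network helper uses only the standard library.

```python
"""Verify that a Keycloak behind a reverse proxy advertises its public
hostname and https scheme in its OpenID discovery document.

Added example, not from the original post or repository.
"""
import json
from typing import List
from urllib.parse import urlsplit
from urllib.request import urlopen

# Endpoints whose URLs Keycloak derives from the hostname it believes it has.
ENDPOINT_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample: what a correctly configured instance returns
# (KEYCLOAK_HOSTNAME set, PROXY_ADDRESS_FORWARDING=true behind an https proxy).
GOOD_DISCOVERY = json.dumps({
    "issuer": "https://keycloak.skycomposer.net/auth/realms/master",
    "authorization_endpoint": "https://keycloak.skycomposer.net/auth/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.skycomposer.net/auth/realms/master/protocol/openid-connect/token",
    "jwks_uri": "https://keycloak.skycomposer.net/auth/realms/master/protocol/openid-connect/certs",
})

# Constructed sample: the internal service name and plain http leak out when
# Keycloak does not know its public hostname.
BAD_DISCOVERY = json.dumps({
    "issuer": "http://keycloak:8080/auth/realms/master",
    "authorization_endpoint": "http://keycloak:8080/auth/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "http://keycloak:8080/auth/realms/master/protocol/openid-connect/token",
    "jwks_uri": "http://keycloak:8080/auth/realms/master/protocol/openid-connect/certs",
})


def check_discovery(doc_json: str, public_host: str) -> List[str]:
    """Return a list of findings; an empty list means the proxy setup looks right."""
    doc = json.loads(doc_json)
    expected_host = public_host.lower()
    findings = []
    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if url is None:
            findings.append(f"{key}: missing from discovery document")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(
                f"{key}: scheme is {parts.scheme!r}, expected https "
                "(is PROXY_ADDRESS_FORWARDING=true and X-Forwarded-Proto forwarded?)"
            )
        # urlsplit lowercases hostname, so compare against the lowercased expectation.
        if parts.hostname != expected_host:
            findings.append(
                f"{key}: host is {parts.hostname!r}, expected {expected_host!r} "
                "(is KEYCLOAK_HOSTNAME set?)"
            )
    return findings


def fetch_discovery(public_host: str, realm: str = "master", timeout: float = 10.0) -> str:
    """Fetch the live discovery document through the public URL (not used offline)."""
    url = f"https://{public_host}/auth/realms/{realm}/.well-known/openid-configuration"
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; to test a real deployment,
    # replace GOOD_DISCOVERY with fetch_discovery("keycloak.skycomposer.net").
    for label, doc in (("good", GOOD_DISCOVERY), ("bad", BAD_DISCOVERY)):
        problems = check_discovery(doc, "keycloak.skycomposer.net")
        print(f"{label}: {'OK' if not problems else ''}")
        for line in problems:
            print("  -", line)
```

Run it once against the real hostname after the ConfigMap change and once before rolling it out to another environment: a clean result means the URLs Keycloak hands to browsers and relying parties are the public https ones, which is the property the KEYCLOAK_HOSTNAME fix restores.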
