我已经设法使用 kubernetes-version='v1.13.11' 在 minikube 上运行 KeyCloak 和 Kong。
我正在使用这个版本,因为我想最终部署到 GCP 集群。
当我尝试打开 PROXY_IP:HTTP_PORT/auth 时,我得到以下响应:
**"Kong Error An invalid response was received from the
upstream server."**
我认为我应该得到的是 KeyCloak 主页。
重现步骤:
minikube start --kubernetes-version='v1.13.11'
kubectl apply -f keycloack.yaml
kubectl apply -f kong-all-in-one.yaml
kubectl apply -f kong-ingress.yaml
export PROXY_IP=$(minikube service kong-proxy --url --format "{{ .IP }}" | head -1)
export HTTP_PORT=$(minikube service kong-proxy --url --format "{{ .Port }}" | head -1)
- 访问
$PROXY_IP:$HTTP_PORT/auth
密钥斗篷.yaml
apiVersion: v1
kind: Service
metadata:
labels:
app: keycloak-db
name: keycloak-db
spec:
ports:
- port: 5432
selector:
app: keycloak-db
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app: keycloak-datastore
name: keycloak-datastore
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
labels:
app: keycloak-db
name: keycloak-db
spec:
replicas: 1
strategy:
type: Recreate
template:
metadata:
labels:
app: keycloak-db
spec:
containers:
- env:
- name: POSTGRES_DB
value: keycloak
- name: POSTGRES_PASSWORD
value: password
- name: POSTGRES_USER
value: keycloak
image: postgres:9.6
name: keycloak-db
ports:
- containerPort: 5432
volumeMounts:
- mountPath: /var/lib/postresql/key/data
name: keycloak-datastore
restartPolicy: Always
volumes:
- name: keycloak-datastore
persistentVolumeClaim:
claimName: keycloak-datastore
---
apiVersion: v1
kind: Service
metadata:
labels:
app: keycloak-service
name: keycloak-service
spec:
ports:
- name: http
port: 8383
targetPort: 8080
- name: https
port: 8443
targetPort: 8443
selector:
app: keycloak
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: keycloak-http
labels:
app: keycloak
spec:
replicas: 1
strategy:
type: Recreate
template:
metadata:
labels:
app: keycloak
spec:
containers:
- env:
- name: PROXY_ADDRESS_FORWARDING
value: "true"
- name: DB_ADDR
value: keycloak-db
- name: DB_DATABASE
value: keycloak
- name: DB_PASSWORD
value: password
- name: DB_USER
value: keycloak
- name: DB_VENDOR
value: postgres
- name: KEYCLOAK_LOGLEVEL
value: DEBUG
- name: KEYCLOAK_PASSWORD
value: admin
- name: KEYCLOAK_USER
value: admin
- name: POSTGRES_PORT
value: "5432"
image: jboss/keycloak:8.0.1
name: keycloak
ports:
- name: http
containerPort: 8080
- name: https
containerPort: 8443
restartPolicy: Always
kong-all-in-one.yaml
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: kongconsumers.configuration.konghq.com
spec:
additionalPrinterColumns:
- JSONPath: .username
description: Username of a Kong Consumer
name: Username
type: string
- JSONPath: .metadata.creationTimestamp
description: Age
name: Age
type: date
group: configuration.konghq.com
names:
kind: KongConsumer
plural: kongconsumers
shortNames:
- kc
scope: Namespaced
validation:
openAPIV3Schema:
properties:
credentials:
items:
type: string
type: array
custom_id:
type: string
username:
type: string
version: v1
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: kongcredentials.configuration.konghq.com
spec:
additionalPrinterColumns:
- JSONPath: .type
description: Type of credential
name: Credential-type
type: string
- JSONPath: .metadata.creationTimestamp
description: Age
name: Age
type: date
- JSONPath: .consumerRef
description: Owner of the credential
name: Consumer-Ref
type: string
group: configuration.konghq.com
names:
kind: KongCredential
plural: kongcredentials
scope: Namespaced
validation:
openAPIV3Schema:
properties:
consumerRef:
type: string
type:
type: string
required:
- consumerRef
- type
version: v1
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: kongingresses.configuration.konghq.com
spec:
group: configuration.konghq.com
names:
kind: KongIngress
plural: kongingresses
shortNames:
- ki
scope: Namespaced
validation:
openAPIV3Schema:
properties:
proxy:
properties:
connect_timeout:
minimum: 0
type: integer
path:
pattern: ^/.*$
type: string
protocol:
enum:
- http
- https
- grpc
- grpcs
type: string
read_timeout:
minimum: 0
type: integer
retries:
minimum: 0
type: integer
write_timeout:
minimum: 0
type: integer
type: object
route:
properties:
headers:
additionalProperties:
items:
type: string
type: array
type: object
https_redirect_status_code:
type: integer
methods:
items:
type: string
type: array
preserve_host:
type: boolean
protocols:
items:
enum:
- http
- https
- grpc
- grpcs
type: string
type: array
regex_priority:
type: integer
strip_path:
type: boolean
upstream:
properties:
algorithm:
enum:
- round-robin
- consistent-hashing
- least-connections
type: string
hash_fallback:
type: string
hash_fallback_header:
type: string
hash_on:
type: string
hash_on_cookie:
type: string
hash_on_cookie_path:
type: string
hash_on_header:
type: string
healthchecks:
properties:
active:
properties:
concurrency:
minimum: 1
type: integer
healthy:
properties:
http_statuses:
items:
type: integer
type: array
interval:
minimum: 0
type: integer
successes:
minimum: 0
type: integer
type: object
http_path:
pattern: ^/.*$
type: string
timeout:
minimum: 0
type: integer
unhealthy:
properties:
http_failures:
minimum: 0
type: integer
http_statuses:
items:
type: integer
type: array
interval:
minimum: 0
type: integer
tcp_failures:
minimum: 0
type: integer
timeout:
minimum: 0
type: integer
type: object
type: object
passive:
properties:
healthy:
properties:
http_statuses:
items:
type: integer
type: array
interval:
minimum: 0
type: integer
successes:
minimum: 0
type: integer
type: object
unhealthy:
properties:
http_failures:
minimum: 0
type: integer
http_statuses:
items:
type: integer
type: array
interval:
minimum: 0
type: integer
tcp_failures:
minimum: 0
type: integer
timeout:
minimum: 0
type: integer
type: object
type: object
type: object
host_header:
type: string
slots:
minimum: 10
type: integer
type: object
version: v1
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: kongplugins.configuration.konghq.com
spec:
additionalPrinterColumns:
- JSONPath: .plugin
description: Name of the plugin
name: Plugin-Type
type: string
- JSONPath: .metadata.creationTimestamp
description: Age
name: Age
type: date
- JSONPath: .disabled
description: Indicates if the plugin is disabled
name: Disabled
priority: 1
type: boolean
- JSONPath: .config
description: Configuration of the plugin
name: Config
priority: 1
type: string
group: configuration.konghq.com
names:
kind: KongPlugin
plural: kongplugins
shortNames:
- kp
scope: Namespaced
validation:
openAPIV3Schema:
properties:
config:
type: object
disabled:
type: boolean
plugin:
type: string
protocols:
items:
enum:
- http
- https
- grpc
- grpcs
- tcp
- tls
type: string
type: array
run_on:
enum:
- first
- second
- all
type: string
required:
- plugin
version: v1
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kong-serviceaccount
namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: kong-ingress-clusterrole
rules:
- apiGroups:
- ""
resources:
- endpoints
- nodes
- pods
- secrets
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- networking.k8s.io
- extensions
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins
- kongcredentials
- kongconsumers
- kongingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resourceNames:
- ingress-controller-leader-kong
resources:
- configmaps
verbs:
- get
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: kong-ingress-clusterrole-nisa-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kong-ingress-clusterrole
subjects:
- kind: ServiceAccount
name: kong-serviceaccount
namespace: default
---
apiVersion: v1
data:
servers.conf: |
# Prometheus metrics server
server {
server_name kong_prometheus_exporter;
listen 0.0.0.0:9542; # can be any other port as well
access_log off;
location /metrics {
default_type text/plain;
content_by_lua_block {
local prometheus = require "kong.plugins.prometheus.exporter"
prometheus:collect()
}
}
location /nginx_status {
internal;
stub_status;
}
}
# Health check server
server {
server_name kong_health_check;
listen 0.0.0.0:9001; # can be any other port as well
access_log off;
location /health {
return 200;
}
}
kind: ConfigMap
metadata:
name: kong-server-blocks
namespace: default
---
apiVersion: v1
kind: Service
metadata:
annotations:
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
service.beta.kubernetes.io/aws-load-balancer-type: nlb
name: kong-proxy
namespace: default
spec:
externalTrafficPolicy: Local
ports:
- name: proxy
port: 80
protocol: TCP
targetPort: 8000
- name: proxy-ssl
port: 443
protocol: TCP
targetPort: 8443
selector:
app: ingress-kong
type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
name: kong-validation-webhook
namespace: default
spec:
ports:
- name: webhook
port: 443
protocol: TCP
targetPort: 8080
selector:
app: ingress-kong
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: ingress-kong
name: ingress-kong
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: ingress-kong
template:
metadata:
annotations:
prometheus.io/port: "9542"
prometheus.io/scrape: "true"
traffic.sidecar.istio.io/includeInboundPorts: ""
labels:
app: ingress-kong
spec:
containers:
- env:
- name: KONG_DATABASE
value: "off"
- name: KONG_NGINX_WORKER_PROCESSES
value: "1"
- name: KONG_NGINX_HTTP_INCLUDE
value: /kong/servers.conf
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 ssl
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, 0.0.0.0:8443 ssl http2
image: kong:1.4
lifecycle:
preStop:
exec:
command:
- /bin/sh
- -c
- kong quit
livenessProbe:
failureThreshold: 3
httpGet:
path: /health
port: 9001
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: proxy
ports:
- containerPort: 8000
name: proxy
protocol: TCP
- containerPort: 8443
name: proxy-ssl
protocol: TCP
- containerPort: 9542
name: metrics
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /health
port: 9001
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
securityContext:
runAsUser: 1000
volumeMounts:
- mountPath: /kong
name: kong-server-blocks
- args:
- /kong-ingress-controller
- --kong-url=https://localhost:8444
- --admin-tls-skip-verify
- --publish-service=default/kong-proxy
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
image: kong-docker-kubernetes-ingress-controller.bintray.io/kong-ingress-controller:0.7.0
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: ingress-controller
ports:
- containerPort: 8080
name: webhook
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
serviceAccountName: kong-serviceaccount
volumes:
- configMap:
name: kong-server-blocks
name: kong-server-blocks
kong-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: keycloak-ingress
spec:
rules:
- http:
paths:
- path: /auth
backend:
serviceName: keycloak-service
servicePort: 8383
更新以回应评论:
$ kubectl describe ingress keycloak-ingress
Name: keycloak-ingress
Namespace: default
Address:
Default backend: default-http-backend:80 (<none>)
Rules:
Host Path Backends
---- ---- --------
*
/auth keycloak-service:80 (<none>)
Annotations:
kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{},"name":"keycloak-ingress","namespace":"default"},"spec":{"rules":[{"http":{"paths":[{"backend":{"serviceName":"keycloak-service","servicePort":80},"path":"/auth"}]}}]}}