With Bitnami dropping maintenance of its open-source community Charts, the better option for deploying Keycloak is now the official Operator.
See the documentation at Keycloak Operator Installation – Keycloak. Early versions of the Keycloak Operator depended on OLM for installation and management; newer versions can also be installed directly from YAML, so pick whichever you prefer.
Installing Operator Lifecycle Manager
If you choose to manage the Keycloak Operator through OLM, refer to QuickStart | Operator Lifecycle Manager; it can be installed either with operator-sdk or from YAML.
Wait for OLM to install and become ready.
Installing the Keycloak Operator (using OLM)
Once OLM is ready, you can list the Catalog Sources:
user@hostname:~# kubectl get catalogsources.operators.coreos.com -A
NAMESPACE   NAME                    DISPLAY               TYPE   PUBLISHER        AGE
olm         operatorhubio-catalog   Community Operators   grpc   OperatorHub.io   5d
Note the name operatorhubio-catalog, then have an LLM generate the OperatorGroup and Subscription YAML for the Keycloak Operator from the documentation Keycloak Operator Installation – Keycloak.
---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: keycloak-operators
  namespace: keycloak
spec:
  targetNamespaces:
    - keycloak
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: keycloak-operator
  namespace: keycloak
spec:
  channel: fast
  name: keycloak-operator
  source: operatorhubio-catalog
  sourceNamespace: olm
  installPlanApproval: Manual
Because installPlanApproval is Manual, the InstallPlan has to be approved by hand before the installation continues:
user@hostname:~# kubectl get installplans.operators.coreos.com -A
NAMESPACE   NAME            CSV                         APPROVAL   APPROVED
keycloak    install-97p69   keycloak-operator.v26.6.3   Manual     false
user@hostname:~# kubectl -n keycloak edit installplans.operators.coreos.com install-97p69
Set spec.approved to true, then save and exit. The Operator should now start running:
user@hostname:~# kubectl -n keycloak get po
NAME                                 READY   STATUS    RESTARTS   AGE
keycloak-operator-5dc6b64db4-7sqxs   1/1     Running   0          5d
Installing Keycloak
In the same way, have the AI generate the YAML from the output of kubectl explain: first a skeleton, then add scheduling, database TLS, reverse-proxy header and other parameters as needed. A working example follows.
---
apiVersion: k8s.keycloak.org/v2beta1
kind: Keycloak
metadata:
  name: keycloak
  namespace: keycloak
spec:
  instances: 1
  scheduling:
    affinity:
      nodeAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          nodeSelectorTerms:
            - matchExpressions:
                - key: kubernetes.io/hostname
                  operator: In
                  values:
                    - node-name
    tolerations:
      - key: node.kubernetes.io/unschedulable
        operator: Exists
        effect: NoSchedule
  db:
    vendor: mysql
    host: mysql.example.com
    port: 3306
    database: keycloak
    usernameSecret:
      name: keycloak-db
      key: username
    passwordSecret:
      name: keycloak-db
      key: password
  truststores:
    database-tls-ca:
      configMap:
        name: keycloak-database-tls-ca
  additionalOptions:
    - name: db-tls-mode
      value: verify-server
    - name: proxy-headers
      value: xforwarded
  http:
    httpEnabled: true
  hostname:
    hostname: keycloak.example.com
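The CR above only does what the post intends if the settings that matter for security are all present together: plain HTTP on the pod is paired with proxy-headers so Keycloak trusts the Gateway's forwarding headers, db-tls-mode verify-server is backed by a truststore, and the hostname is pinned. The following audit is an added example, not code from the post or the Keycloak project; it assumes the CR has already been loaded into a dict (for instance from kubectl get keycloak -o json), and the option names and accepted values are taken from the post's own CR.

```python
# Added example, not from the post or the Keycloak project: audit a Keycloak
# CR's spec dict for the security-relevant settings the post's CR relies on.
# Assumes the CR was loaded into a dict (e.g. from `kubectl get keycloak -o json`).

# Constructed sample: the spec from the post, reduced to the fields checked.
SAMPLE_SPEC = {
    "instances": 1,
    "db": {"vendor": "mysql", "host": "mysql.example.com", "port": 3306,
           "database": "keycloak",
           "usernameSecret": {"name": "keycloak-db", "key": "username"},
           "passwordSecret": {"name": "keycloak-db", "key": "password"}},
    "truststores": {"database-tls-ca": {"configMap": {"name": "keycloak-database-tls-ca"}}},
    "additionalOptions": [{"name": "db-tls-mode", "value": "verify-server"},
                          {"name": "proxy-headers", "value": "xforwarded"}],
    "http": {"httpEnabled": True},
    "hostname": {"hostname": "keycloak.example.com"},
}


def additional_options(spec):
    """Flatten spec.additionalOptions ([{name, value}, ...]) into a dict."""
    return {o["name"]: str(o["value"]) for o in spec.get("additionalOptions", [])}


def audit_keycloak_spec(spec):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    opts = additional_options(spec)
    # Plain HTTP on the pod is only acceptable behind a TLS-terminating proxy
    # whose forwarding headers Keycloak is told to trust; without proxy-headers
    # it treats every request as plain HTTP and builds wrong redirect URIs.
    if spec.get("http", {}).get("httpEnabled") and opts.get("proxy-headers") not in ("xforwarded", "forwarded"):
        findings.append("httpEnabled is true but proxy-headers is not xforwarded/forwarded")
    # Without a pinned hostname Keycloak would build its URLs from request headers.
    if not spec.get("hostname", {}).get("hostname"):
        findings.append("spec.hostname.hostname is not set")
    if spec.get("db"):
        mode = opts.get("db-tls-mode")  # option name and value as used in the post's CR
        if mode != "verify-server":
            findings.append(f"db-tls-mode is {mode!r}, expected verify-server")
        elif not spec.get("truststores"):
            findings.append("db-tls-mode verifies the server but no truststores are configured")
    return findings


if __name__ == "__main__":
    print(audit_keycloak_spec(SAMPLE_SPEC) or "no findings")
```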
A Gateway example is also given here, using Traefik, with cert-manager and its Issuer configured beforehand:
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: keycloak-gateway
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
spec:
  gatewayClassName: traefik
  listeners:
    - hostname: keycloak.example.com
      name: websecure
      port: 8443
      protocol: HTTPS
      tls:
        certificateRefs:
          - name: keycloak-tls
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: keycloak-route
spec:
  hostnames:
    - keycloak.example.com
  parentRefs:
    - name: keycloak-gateway
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: keycloak-service
          port: 8080
At the same time, you can verify in MySQL that the connection from Keycloak is actually using TLS (a CONNECTION_TYPE of SSL/TLS means it is encrypted; TCP/IP means it is not):
SELECT
THREAD_ID,
PROCESSLIST_USER,
PROCESSLIST_HOST,
CONNECTION_TYPE
FROM performance_schema.threads
WHERE PROCESSLIST_USER IS NOT NULL;
At this point the installation should be ready; check the Pods:
user@hostname:~# kubectl -n keycloak get po
NAME                                 READY   STATUS    RESTARTS   AGE
keycloak-0                           1/1     Running   0          94m
keycloak-operator-5dc6b64db4-7sqxs   1/1     Running   0          5d
Once the Pod is running normally and the logs show no problems, you can retrieve the initial temporary admin credentials and start working with the instance:
user@hostname:~# kubectl -n keycloak get secret keycloak-initial-admin -oyaml