🌈Deploying Keycloak
Now deploy Keycloak. The core environment variables involved are listed in the table below (the values are the ones used in this walkthrough; the manifest further down reads the database credentials from a Secret rather than as literals):
| Variable | Value | Purpose |
|---|---|---|
| KC_HTTP_PORT | 8080 | HTTP port |
| KC_HTTPS_PORT | 8443 | HTTPS port |
| KC_HTTPS_CERTIFICATE_FILE | /mnt/certificates/tls.crt | Production must be reached over HTTPS; this is the TLS certificate deployed earlier |
| KC_HTTPS_CERTIFICATE_KEY_FILE | /mnt/certificates/tls.key | The private key belonging to that certificate |
| KC_DB | mysql | Database type; MySQL here |
| KC_DB_URL | jdbc:mysql://mysql-db-service.mysql:3306/keycloak?characterEncoding=UTF-8 | JDBC connection URL; reaches the MySQL deployed earlier through its Service |
| KC_DB_USERNAME | root | MySQL account (a dedicated account with rights only on the keycloak database is preferable to root) |
| KC_DB_PASSWORD | testpassword | MySQL password (injected from a Secret in the manifest below) |
| KC_HEALTH_ENABLED | true | Enable the /health endpoints used by the probes |
| KC_METRICS_ENABLED | true | Enable the /metrics endpoint |
| KC_CACHE | ispn | Use Infinispan as the distributed cache, required for more than one replica |
| KC_CACHE_STACK | kubernetes | JGroups transport stack; cluster members are discovered through Kubernetes DNS (DNS_PING) |
| KC_PROXY | passthrough | The proxy in front passes the TLS connection through untouched; Keycloak terminates TLS itself with the certificate above and consults no X-Forwarded-* headers |
| KEYCLOAK_ADMIN | admin | Initial admin account |
| KEYCLOAK_ADMIN_PASSWORD | changeme | Initial admin password; only used to create the admin user on first start, so change it after the first login and do not leave it as a literal in the manifest |
| KC_TRUSTSTORE_PATHS | /var/run/secrets/kubernetes.io/serviceaccount/ca.crt | Cluster CA added to Keycloak's truststore so that outbound TLS connections to the Kubernetes API are trusted |
The YAML used for the deployment is as follows:
```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  labels:
    app: keycloak
  name: keycloak
  namespace: keycloak
spec:
  podManagementPolicy: OrderedReady
  replicas: 3
  selector:
    matchLabels:
      app: keycloak
  serviceName: ""
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
      - args:
        # DNS_PING discovery: needs a headless Service named keycloak-discovery in this namespace
        - -Djgroups.dns.query=keycloak-discovery.keycloak
        - --verbose
        - start
        env:
        - name: KC_HOSTNAME
          value: test.keycloak.org
        - name: KC_FEATURES
          value: multi-site
        - name: KC_TRANSACTION_XA_ENABLED
          value: "false"
        - name: KC_HTTP_PORT
          value: "8080"
        - name: KC_HTTPS_PORT
          value: "8443"
        # Certificate and key come from the keycloak-tls-secret volume mounted below
        - name: KC_HTTPS_CERTIFICATE_FILE
          value: /mnt/certificates/tls.crt
        - name: KC_HTTPS_CERTIFICATE_KEY_FILE
          value: /mnt/certificates/tls.key
        - name: KC_DB
          value: mysql
        # Database credentials are read from a Secret, not written into the manifest
        - name: KC_DB_USERNAME
          valueFrom:
            secretKeyRef:
              key: username
              name: keycloak-db-secret
        - name: KC_DB_PASSWORD
          valueFrom:
            secretKeyRef:
              key: password
              name: keycloak-db-secret
        - name: KC_DB_URL
          value: jdbc:mysql://mysql-db-service.mysql:3306/keycloak?characterEncoding=UTF-8
        - name: KC_DB_POOL_INITIAL_SIZE
          value: "30"
        - name: KC_DB_POOL_MIN_SIZE
          value: "30"
        - name: KC_DB_POOL_MAX_SIZE
          value: "30"
        - name: KC_HEALTH_ENABLED
          value: "true"
        - name: KC_CACHE
          value: ispn
        - name: KC_CACHE_STACK
          value: kubernetes
        - name: KC_PROXY
          value: passthrough
        - name: KC_HTTP_MAX_QUEUED_REQUESTS
          value: "1000"
        - name: KC_LOG_CONSOLE_OUTPUT
          value: json
        - name: KC_METRICS_ENABLED
          value: "true"
        - name: KC_HTTP_POOL_MAX_THREADS
          value: "66"
        # Bootstrap admin only: used on first start to create the admin user. Put the password
        # in a Secret like the DB credentials above and rotate it after the first login.
        - name: KEYCLOAK_ADMIN
          value: "admin"
        - name: KEYCLOAK_ADMIN_PASSWORD
          value: "changeme"
        - name: KC_TRUSTSTORE_PATHS
          value: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        image: quay.io/keycloak/keycloak:23.0.7
        imagePullPolicy: Always
        # All probes go over HTTPS to the port Keycloak serves the certificate on
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /health/live
            port: 8443
            scheme: HTTPS
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: keycloak
        ports:
        - containerPort: 8443
          name: https
          protocol: TCP
        - containerPort: 8080
          name: http
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /health/ready
            port: 8443
            scheme: HTTPS
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources:
          limits:
            cpu: "6"
            memory: 2250M
          requests:
            cpu: "2"
            memory: 1250M
        startupProbe:
          failureThreshold: 600
          httpGet:
            path: /health/started
            port: 8443
            scheme: HTTPS
          periodSeconds: 1
          successThreshold: 1
          timeoutSeconds: 1
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /mnt/certificates
          name: keycloak-tls-certificates
      restartPolicy: Always
      securityContext: {}
      terminationGracePeriodSeconds: 30
      volumes:
      - name: keycloak-tls-certificates
        secret:
          defaultMode: 420
          optional: false
          secretName: keycloak-tls-secret
  updateStrategy:
    rollingUpdate:
      partition: 0
    type: RollingUpdate
```
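As an added example (not from the original page or the Keycloak project), a small linter that reads the StatefulSet above as JSON from `kubectl get statefulset keycloak -n keycloak -o json` and checks the settings this deployment depends on: credentials must come from a Secret rather than a literal, the image must be pinned, KC_HOSTNAME must be set, the served certificate must sit under a volumeMount, and the probes must match KC_HTTPS_PORT and KC_HEALTH_ENABLED. Run against the manifest above it reports exactly one finding, the literal KEYCLOAK_ADMIN_PASSWORD. The check names, the `SAMPLE` excerpt, the `move_to_secret` helper and the `keycloak-admin-secret` name used with it are this example's own assumptions.

```python
"""Lint a Keycloak StatefulSet for the settings the manifest above depends on.

Usage: kubectl get statefulset keycloak -n keycloak -o json | python3 kc_lint.py -
Without the "-" argument the constructed SAMPLE below is checked instead.
"""
import copy
import json
import sys

# Credentials must be injected from a Secret; a literal value ends up in the manifest,
# in version control and in `kubectl describe` output.
CREDENTIAL_ENV = ("KC_DB_USERNAME", "KC_DB_PASSWORD", "KEYCLOAK_ADMIN_PASSWORD")


def env_map(container):
    """Map env name -> ("literal", value) | ("secret", "secretName/key") | ("other", None)."""
    out = {}
    for e in container.get("env", []):
        if "value" in e:
            out[e["name"]] = ("literal", e["value"])
        elif "secretKeyRef" in e.get("valueFrom", {}):
            ref = e["valueFrom"]["secretKeyRef"]
            out[e["name"]] = ("secret", f"{ref['name']}/{ref['key']}")
        else:
            out[e["name"]] = ("other", None)
    return out


def image_tag(image):
    """Tag (or digest) of an image reference, None when it is untagged."""
    last = image.rsplit("/", 1)[-1]  # drop registry/namespace, which may carry a port
    return last.split(":", 1)[1] if ":" in last else None


def lint_statefulset(sts):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for c in sts["spec"]["template"]["spec"].get("containers", []):
        name, env = c["name"], env_map(c)
        for var in CREDENTIAL_ENV:
            if env.get(var, ("missing", None))[0] == "literal":
                findings.append(f"{name}: {var} is a literal in the manifest; use a secretKeyRef")
        if image_tag(c["image"]) in (None, "latest"):
            findings.append(f"{name}: image {c['image']} is not pinned to a version")
        if "KC_HOSTNAME" not in env:
            findings.append(f"{name}: KC_HOSTNAME is unset; 'start' needs a fixed hostname")
        # The certificate Keycloak serves must come from a mounted volume, not from the image.
        cert = env.get("KC_HTTPS_CERTIFICATE_FILE", (None, None))[1]
        mounts = [m["mountPath"].rstrip("/") + "/" for m in c.get("volumeMounts", [])]
        if cert and not any(cert.startswith(m) for m in mounts):
            findings.append(f"{name}: KC_HTTPS_CERTIFICATE_FILE={cert} is outside every volumeMount")
        # Probes on the HTTPS port must use scheme HTTPS; /health only exists with KC_HEALTH_ENABLED=true.
        https_port = env.get("KC_HTTPS_PORT", (None, "8443"))[1]
        health_on = env.get("KC_HEALTH_ENABLED", (None, "false"))[1] == "true"
        for probe in ("startupProbe", "readinessProbe", "livenessProbe"):
            hg = c.get(probe, {}).get("httpGet")
            if not hg:
                continue
            if str(hg.get("port")) == https_port and hg.get("scheme") != "HTTPS":
                findings.append(f"{name}: {probe} targets port {https_port} without scheme: HTTPS")
            if hg.get("path", "").startswith("/health") and not health_on:
                findings.append(f"{name}: {probe} uses {hg['path']} but KC_HEALTH_ENABLED is not true")
    return findings


def move_to_secret(sts, var, secret_name, key):
    """Copy of the StatefulSet with env var `var` read from Secret secret_name/key instead of a literal."""
    fixed = copy.deepcopy(sts)
    for c in fixed["spec"]["template"]["spec"]["containers"]:
        for e in c.get("env", []):
            if e["name"] == var:
                e.pop("value", None)
                e["valueFrom"] = {"secretKeyRef": {"name": secret_name, "key": key}}
    return fixed


# Constructed excerpt of the StatefulSet above, trimmed to the fields the checks read.
SAMPLE = {"spec": {"template": {"spec": {"containers": [{
    "name": "keycloak",
    "image": "quay.io/keycloak/keycloak:23.0.7",
    "env": [
        {"name": "KC_HOSTNAME", "value": "test.keycloak.org"},
        {"name": "KC_HTTPS_PORT", "value": "8443"},
        {"name": "KC_HTTPS_CERTIFICATE_FILE", "value": "/mnt/certificates/tls.crt"},
        {"name": "KC_DB_USERNAME", "valueFrom": {"secretKeyRef": {"name": "keycloak-db-secret", "key": "username"}}},
        {"name": "KC_DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "keycloak-db-secret", "key": "password"}}},
        {"name": "KC_HEALTH_ENABLED", "value": "true"},
        {"name": "KEYCLOAK_ADMIN", "value": "admin"},
        {"name": "KEYCLOAK_ADMIN_PASSWORD", "value": "changeme"},
    ],
    "livenessProbe": {"httpGet": {"path": "/health/live", "port": 8443, "scheme": "HTTPS"}},
    "readinessProbe": {"httpGet": {"path": "/health/ready", "port": 8443, "scheme": "HTTPS"}},
    "startupProbe": {"httpGet": {"path": "/health/started", "port": 8443, "scheme": "HTTPS"}},
    "volumeMounts": [{"mountPath": "/mnt/certificates", "name": "keycloak-tls-certificates"}],
}]}}}}

if __name__ == "__main__":
    manifest = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    problems = lint_statefulset(manifest)
    print("\n".join(problems) or "no findings")
    sys.exit(1 if problems else 0)
```

`move_to_secret` shows the fix for the one finding: after moving KEYCLOAK_ADMIN_PASSWORD into a Secret the lint comes back empty, while the original dict is left untouched so the before and after can be compared. The exit code makes it usable as a gate in a pipeline before `kubectl apply`.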
At this point the resource view in Kubernetes looks like this:
