Background
The production deployment guide on the Keycloak website is complex and has a large number of configuration parameters, which makes it hard for newcomers, and it is difficult to find answers online to the surprises that come up during deployment. The official documentation also gives no plain-language description of a cluster deployment. After several days of trial and error I worked out my own deployment method and have written it up here so that others can use it as a reference.
I. Deployment environment: Kylin V10 (64-bit)
[root]# uname -a
Linux 4.19.90-17.ky10.aarch64 #1 SMP Sun Jun 28 14:27:40 CST 2020 aarch64 aarch64 aarch64 GNU/Linux
II. Deployment method: containers (docker-compose + openssl)
Keycloak is started in production mode, which requires a hostname and HTTPS. Here td.idm.com is used as the domain name, with a self-signed HTTPS certificate.
1. Create a self-signed certificate with openssl
openssl req -newkey rsa:2048 -nodes \
    -keyout server.key.pem -x509 -days 3650 -out server.crt.pem
2. Make the certificate files readable (note: this step is mandatory; otherwise startup in production mode fails)
chmod 644 /home/tdpt/cert/server.crt.pem
chmod 644 /home/tdpt/cert/server.key.pem
3. Write docker-compose.yml (values in angle brackets are placeholders to fill in)
version: '3'
services:
  keycloak:
    container_name: keycloak-prod
    image: quay.io/keycloak/keycloak:18.0.0
    environment:
      # KC_DB: mysql
      # KC_DB_URL: jdbc:mysql://ip:port/dbName?useUnicode=true&characterEncoding=UTF-8&serverTimezone=Asia/Shanghai
      KC_DB_URL_HOST: <ip>
      KC_DB_URL_PORT: <port>
      KC_DB_URL_DATABASE: <dbName>
      KC_DB_USERNAME: <dbUsername>
      KC_DB_PASSWORD: <dbPassword>
      KEYCLOAK_ADMIN: <kc_admin>
      KEYCLOAK_ADMIN_PASSWORD: <kc_password>
      KC_HOSTNAME: td.idm.com
      KC_HTTPS_CERTIFICATE_FILE: /opt/keycloak/conf/server.crt.pem
      KC_HTTPS_CERTIFICATE_KEY_FILE: /opt/keycloak/conf/server.key.pem
      # DEBUG_PORT: '*:8787'
      # DEBUG: 'true'
    volumes:
      - ./providers:/opt/keycloak/providers
      - /home/tdpt/cert/server.crt.pem:/opt/keycloak/conf/server.crt.pem
      - /home/tdpt/cert/server.key.pem:/opt/keycloak/conf/server.key.pem
    command: start
    ports:
      - 8443:8443
Note: with the start-dev command (development mode) the KC_DB and KC_DB_URL parameters can be used, but with the start command (production mode) startup fails with an error that the jdbc:mysql driver cannot be found. Port 8443 is used here.
Other parameters: www.keycloak.org/server/conf… www.keycloak.org/server/cont…
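The certificate and permission steps above, as an added example that is not part of the original post: it makes the openssl step non-interactive, puts the Keycloak hostname into a subjectAltName (modern TLS clients check the SAN, not the CN, so a cert without one fails hostname verification), and tightens the private-key permissions. It relies on one fact beyond the post: the quay.io Keycloak image runs its process as uid 1000, which is why the post's chmod 644 on the key works, and why 600 plus chown to uid 1000 also works without leaving the key world-readable on the host. Directory, hostname and validity period are arguments; /home/tdpt/cert and td.idm.com in the usage line are just the post's values.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: directory, hostname
# and validity are arguments; the Keycloak image's process runs as uid 1000.

# gen_cert <dir> <hostname> [days]
# Self-signed cert with CN and subjectAltName both set to <hostname>.
# A small openssl config file is used instead of -addext so this also works on
# OpenSSL 1.0.x, and prompt=no makes the command non-interactive.
gen_cert() {
  dir=$1; host=$2; days=${3:-3650}
  mkdir -p "$dir"
  cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -config "$dir/san.cnf" \
    -keyout "$dir/server.key.pem" -out "$dir/server.crt.pem" 2>/dev/null
}

# cert_has_san <crt> <hostname>: 0 if the certificate's SAN lists <hostname>.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# key_mode_ok <file>: 0 when neither group nor others can read the file.
# ls -l is parsed (columns 5 and 8 are the group/other read bits) because the
# flags of stat differ between GNU and BSD userlands.
key_mode_ok() {
  case "$(ls -l "$1" | cut -c1-10)" in
    ????-??-??) return 0 ;;
    *)          return 1 ;;
  esac
}

# set_perms <dir>: certificate world-readable (it is public), private key
# readable only by its owner, and owned by the container uid so the bind
# mount still works inside the container. chown needs root on the host;
# without it the post's chmod 644 on the key is the (weaker) fallback.
set_perms() {
  chmod 644 "$1/server.crt.pem"
  chmod 600 "$1/server.key.pem"
  if [ "$(id -u)" -eq 0 ]; then
    chown 1000:1000 "$1/server.key.pem"
  fi
}

# Usage: sh mkcert.sh /home/tdpt/cert td.idm.com [days]
if [ $# -ge 2 ]; then
  gen_cert "$1" "$2" "${3:-3650}"
  set_perms "$1"
  cert_has_san "$1/server.crt.pem" "$2" && echo "SAN ok: $2"
  key_mode_ok "$1/server.key.pem"      && echo "private key mode ok"
fi
```

The same server.crt.pem is later the file to hand to nginx as the trusted backend certificate if it is configured to verify the Keycloak nodes; the private key never needs to leave the Keycloak hosts.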
III. Load balancing
Load balancing and high availability are provided by nginx using ip_hash (requests from the same client address always go to the same Keycloak node):
upstream keycloak_ssl {
    ip_hash;
    server ip1:8443;
    server ip2:8443;
    server ip3:8443;
}
server {
    listen 8443 ssl;
    server_name td.idm.com;
    ssl_certificate /opt/unisoftware/services/nginx/cert/server.crt;
    ssl_certificate_key /opt/unisoftware/services/nginx/cert/server.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass https://keycloak_ssl;
    }
}
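An added example, not part of the original post: the server block above (abridged) written beside a hardened variant, plus a small grep-based audit that reports the gaps a reviewer would flag. The weak point in the original is that proxy_pass https:// re-encrypts to the Keycloak nodes without proxy_ssl_verify, so nginx accepts whatever certificate answers on ip:8443; the hardened copy pins the self-signed server.crt.pem from step 1 as the trusted certificate and checks it against td.idm.com (proxy_ssl_name is needed because nginx would otherwise compare against $proxy_host, which for an upstream group is the upstream name keycloak_ssl). Paths under /etc/nginx/cert/ are assumptions; td.idm.com and the three ip:8443 servers are the post's values.

```shell
#!/bin/sh
# Added example (not from the original post): the post's reverse-proxy config
# beside a hardened variant, plus a grep-based audit. Assumptions: the paths
# under /etc/nginx/cert/ are placeholders; hostname and backends are the post's.

write_post_config() {      # the server block as given in the post (abridged)
  cat > "$1" <<'EOF'
upstream keycloak_ssl { ip_hash; server ip1:8443; server ip2:8443; server ip3:8443; }
server {
    listen 8443 ssl;
    server_name td.idm.com;
    ssl_certificate     /opt/unisoftware/services/nginx/cert/server.crt;
    ssl_certificate_key /opt/unisoftware/services/nginx/cert/server.key;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass https://keycloak_ssl;
    }
}
EOF
}

write_hardened_config() {  # same topology; the backend certificate is verified
  cat > "$1" <<'EOF'
upstream keycloak_ssl { ip_hash; server ip1:8443; server ip2:8443; server ip3:8443; }
server {
    listen 8443 ssl;
    server_name td.idm.com;
    ssl_certificate     /etc/nginx/cert/server.crt;
    ssl_certificate_key /etc/nginx/cert/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Trust the self-signed server.crt.pem the Keycloak nodes present and
        # check it against the hostname. Without proxy_ssl_name nginx would
        # compare against $proxy_host, i.e. the upstream name "keycloak_ssl".
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/cert/keycloak-server.crt.pem;
        proxy_ssl_name td.idm.com;
        proxy_ssl_server_name on;
        proxy_pass https://keycloak_ssl;
    }
}
EOF
}

# audit_nginx_conf <file>: one finding per line on stdout; return value = count.
audit_nginx_conf() {
  f=$1; n=0
  if grep -q 'proxy_pass *https://' "$f"; then
    if ! grep -Eq '^[[:space:]]*proxy_ssl_verify +on' "$f"; then
      echo "re-encrypting proxy_pass without proxy_ssl_verify on: backend cert is never checked"
      n=$((n + 1))
    elif ! grep -Eq '^[[:space:]]*proxy_ssl_name ' "$f"; then
      echo "proxy_ssl_verify on without proxy_ssl_name: cert is checked against the upstream name"
      n=$((n + 1))
    fi
  fi
  if grep -Eq '^[[:space:]]*ssl_protocols[^;]*TLSv1(\.1)?[ ;]' "$f"; then
    echo "ssl_protocols still enables TLSv1/TLSv1.1"
    n=$((n + 1))
  fi
  if ! grep -Eq '^[[:space:]]*ssl_protocols[^;]*TLSv1\.3' "$f"; then
    echo "ssl_protocols does not enable TLSv1.3"
    n=$((n + 1))
  fi
  if ! grep -q 'X-Forwarded-Proto' "$f"; then
    echo "X-Forwarded-Proto is not forwarded: Keycloak cannot tell the client used https"
    n=$((n + 1))
  fi
  return $n
}

# Usage: sh audit.sh demo                          (audits both embedded configs)
#        sh audit.sh /etc/nginx/conf.d/keycloak.conf
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d)
  write_post_config "$d/post.conf"
  write_hardened_config "$d/hardened.conf"
  for c in post hardened; do
    echo "== $c.conf"
    audit_nginx_conf "$d/$c.conf" && echo "   clean" || echo "   ($? finding(s))"
  done
  rm -rf "$d"
elif [ -n "${1:-}" ]; then
  audit_nginx_conf "$1"
fi
```

The audit is line-oriented grep, useful as a pre-commit check but no substitute for nginx -t. Two things it cannot see: in Keycloak 18 the X-Forwarded-* headers set here are only honored when KC_PROXY is configured (reencrypt matches this nginx topology), and the post's compose file does not set it; and ip_hash keys on the client address, so if this nginx sits behind another proxy every client shares one address and lands on a single node.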
IV. Q&A
1. docker-compose startup fails with "Strict hostname resolution configured but no hostname was set"
Fix: add the KC_HOSTNAME parameter.
2. docker-compose startup fails with "Key material not provided to setup HTTPS. Please configure your keys/certificates or start the server in development mode."
Fix: set
KC_HTTPS_CERTIFICATE_FILE: /opt/keycloak/conf/server.crt.pem
KC_HTTPS_CERTIFICATE_KEY_FILE: /opt/keycloak/conf/server.key.pem
3. docker-compose startup fails with "ERROR: /opt/keycloak/conf/keys/server.crt.pem"
Fix:
chmod 644 /home/tdpt/cert/server.key.pem
chmod 644 /home/tdpt/cert/server.crt.pem
4. docker-compose startup fails because the jdbc:mysql driver cannot be found
Fix: do not use KC_DB_URL; use KC_DB_URL_HOST, KC_DB_URL_PORT and KC_DB_URL_DATABASE instead.