# 1.查看相关的资源配置
step 1.查看pod
root@luban-controlplane1 metallb]# kubectl describe pod keycloak-0 -n keycloak
Name: keycloak-0
Namespace: keycloak
Priority: 0
Service Account: default
Node: luban-worker3/192.168.10.169
Start Time: Wed, 18 Jun 2025 13:45:07 +0800
Labels: app=keycloak
app.kubernetes.io/component=server
app.kubernetes.io/instance=keycloak
app.kubernetes.io/managed-by=keycloak-operator
apps.kubernetes.io/pod-index=0
controller-revision-hash=keycloak-68b6bd47bc
ippool.network.kubesphere.io/name=default-ipv4-ippool
statefulset.kubernetes.io/pod-name=keycloak-0
Annotations: cni.projectcalico.org/containerID: 2f54285014351d1a6c18f7b09665bfe8ab1ae5dc7d724e1c469d9dd1fe624427
cni.projectcalico.org/podIP: 10.233.101.142/32
cni.projectcalico.org/podIPs: 10.233.101.142/32
operator.keycloak.org/watched-secret-hash: 603e7d0d4b057956286a56a9156c809a334c8743094991f2f040f47ad03f406
Status: Running
IP: 10.233.101.142
IPs:
IP: 10.233.101.142
Controlled By: StatefulSet/keycloak
Containers:
keycloak:
Container ID: containerd://1a3a8f34b351ed869bf56fd3023962f91aa99c4625c6becb9b769240ec548b86
Image: hub.registry.local/keycloak/keycloak:26.2.0
Image ID: hub.registry.local/keycloak/keycloak@sha256:526dd7595efd6b36ae4f3f513b5c68b546a8ae19df92fb7575df12296930ecd7
Ports: 8443/TCP, 8080/TCP, 9000/TCP
Host Ports: 0/TCP, 0/TCP, 0/TCP
Args:
-Djgroups.dns.query=keycloak-discovery.keycloak
-Djgroups.bind.address=$(POD_IP)
--verbose
start
State: Running
Started: Wed, 18 Jun 2025 13:45:50 +0800
Ready: True
Restart Count: 0
Limits:
memory: 2Gi
Requests:
memory: 1700Mi
Liveness: http-get https://:9000/health/live delay=0s timeout=1s period=10s #success=1 #failure=3
Readiness: http-get https://:9000/health/ready delay=0s timeout=1s period=10s #success=1 #failure=3
Startup: http-get https://:9000/health/started delay=0s timeout=1s period=1s #success=1 #failure=600
Environment:
KC_HOSTNAME: keycloak.xiangxun.org
KC_HTTP_PORT: 8080
KC_HTTPS_PORT: 8443
KC_HTTPS_CERTIFICATE_FILE: /mnt/certificates/tls.crt
KC_HTTPS_CERTIFICATE_KEY_FILE: /mnt/certificates/tls.key
KC_DB: postgres
KC_DB_USERNAME: <set to the key 'username' in secret 'postgresql-db-credentials'> Optional: false
KC_DB_PASSWORD: <set to the key 'password' in secret 'postgresql-db-credentials'> Optional: false
KC_DB_URL_HOST: postgres-service
KC_PROXY_HEADERS: xforwarded
KC_BOOTSTRAP_ADMIN_USERNAME: <set to the key 'username' in secret 'keycloak-initial-admin'> Optional: false
KC_BOOTSTRAP_ADMIN_PASSWORD: <set to the key 'password' in secret 'keycloak-initial-admin'> Optional: false
KC_HEALTH_ENABLED: true
KC_CACHE: ispn
KC_CACHE_STACK: kubernetes
POD_IP: (v1:status.podIP)
KC_TRUSTSTORE_PATHS: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
KC_TRACING_SERVICE_NAME: keycloak
KC_TRACING_RESOURCE_ATTRIBUTES: k8s.namespace.name=keycloak
Mounts:
/mnt/certificates from keycloak-tls-certificates (rw)
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-9tqnb (ro)
Conditions:
Type Status
PodReadyToStartContainers True
Initialized True
Ready True
ContainersReady True
PodScheduled True
Volumes:
keycloak-tls-certificates:
Type: Secret (a volume populated by a Secret)
SecretName: keycloak-tls
Optional: false
kube-api-access-9tqnb:
Type: Projected (a volume that contains injected data from multiple sources)
TokenExpirationSeconds: 3607
ConfigMapName: kube-root-ca.crt
ConfigMapOptional: <nil>
DownwardAPI: true
QoS Class: Burstable
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events: <none>
[root@luban-controlplane1 metallb]#
````
该服务的后端容器组IP 10.233.101.142, 提供 8443 端口的服务
step 2.查看应用的svc
[root@luban-controlplane1 metallb]# kubectl describe svc keycloak-service -n keycloak
Name: keycloak-service
Namespace: keycloak
Labels: app=keycloak
app.kubernetes.io/instance=keycloak
app.kubernetes.io/managed-by=keycloak-operator
Annotations: javaoperatorsdk.io/previous: ca2febc6-3be0-4dab-bd0b-f26f6319a16e,3234858
Selector: app.kubernetes.io/instance=keycloak,app.kubernetes.io/managed-by=keycloak-operator,app=keycloak
Type: ClusterIP
IP Family Policy: SingleStack
IP Families: IPv4
IP: 10.233.28.225
IPs: 10.233.28.225
Port: https 8443/TCP
TargetPort: 8443/TCP
Endpoints: 10.233.101.142:8443
Port: management 9000/TCP
TargetPort: 9000/TCP
Endpoints: 10.233.101.142:9000
Session Affinity: None
Internal Traffic Policy: Cluster
Events: <none>
[root@luban-controlplane1 metallb]#
后端服务的IP地址为 clusterip 10.233.28.225, 服务端口 8443
step 3.查看 ingress
[root@luban-controlplane1 metallb]# kubectl get ingress -n keycloak
NAME CLASS HOSTS ADDRESS PORTS AGE
keycloak-ingress kubesphere-router-namespace-keycloak keycloak.xiangxun.org 192.168.10.167 80, 443 14h
[root@luban-controlplane1 metallb]#
[root@luban-controlplane1 metallb]# kubectl describe ingress keycloak-ingress -n keycloak
Name: keycloak-ingress
Labels: <none>
Namespace: keycloak
Address: 192.168.10.167
Ingress Class: kubesphere-router-namespace-keycloak
Default backend: <default>
TLS:
keycloak-tls terminates keycloak.xiangxun.org
Rules:
Host Path Backends
keycloak.xiangxun.org
/ keycloak-service:8443 (10.233.101.142:8443)
Annotations: kubesphere.io/creator: admin
nginx.ingress.kubernetes.io/backend-protocol: https
Events:
Type Reason Age From Message
Normal Sync 2m43s (x1703 over 14h) nginx-ingress-controller Scheduled for sync
Normal Sync 2m43s (x1703 over 14h) nginx-ingress-controller Scheduled for sync
Normal Sync 2m43s (x1703 over 14h) nginx-ingress-controller Scheduled for sync
[root@luban-controlplane1 metallb]#
ingress 获取到网关地址 192.168.10.167，代理到后端的 keycloak-service:8443
step 4.查看 Ingress Controller 配置
[root@luban-controlplane1 metallb]# kubectl get pods -n kubesphere-controls-system
NAME READY STATUS RESTARTS AGE
kubesphere-router-extension-gateway-7c7dbfc46b-d9x4d 1/1 Running 1 (2d16h ago) 5d18h
kubesphere-router-keycloak-6dc5d7cbdd-r2jqz 1/1 Running 0 12h
kubesphere-router-zll-585f577855-wgbpk 1/1 Running 0 42h
[root@luban-controlplane1 metallb]#
[root@luban-controlplane1 metallb]# kubectl describe pod kubesphere-router-keycloak-6dc5d7cbdd-r2jqz -n kubesphere-controls-system
Name: kubesphere-router-keycloak-6dc5d7cbdd-r2jqz
Namespace: kubesphere-controls-system
Priority: 0
Service Account: kubesphere-router-keycloak
Node: luban-worker1/192.168.10.167
Start Time: Wed, 18 Jun 2025 19:57:56 +0800
Labels: app.kubernetes.io/component=controller
app.kubernetes.io/instance=kubesphere-router-keycloak
app.kubernetes.io/managed-by=Helm
app.kubernetes.io/name=ingress-nginx
app.kubernetes.io/part-of=ingress-nginx
app.kubernetes.io/version=1.12.1
helm.sh/chart=ingress-nginx-4.12.1-ks
ippool.network.kubesphere.io/name=default-ipv4-ippool
pod-template-hash=6dc5d7cbdd
Annotations: cni.projectcalico.org/containerID: 1950e775568ce3ad4bcb6c304a0d19f391771ceecc3eb2b8e97ea61108d6dfef
cni.projectcalico.org/podIP: 10.233.100.149/32
cni.projectcalico.org/podIPs: 10.233.100.149/32
sidecar.istio.io/inject: false
Status: Running
IP: 10.233.100.149
IPs:
IP: 10.233.100.149
Controlled By: ReplicaSet/kubesphere-router-keycloak-6dc5d7cbdd
Containers:
controller:
Container ID: containerd://0d16edd1836dfbb0fd8289d057fc8d363befd9148b5924d7cc7429e0a29bbbf1
Image: hub.registry.local/ks/kubesphere/ingress-nginx-controller:v1.12.1
Image ID: hub.registry.local/ks/kubesphere/ingress-nginx-controller@sha256:de50c2a78af53ffea2a5a96f11ba92a05e033266c0c270c33df837ae0311eeaf
Ports: 80/TCP, 443/TCP, 10254/TCP
Host Ports: 0/TCP, 0/TCP, 0/TCP
SeccompProfile: RuntimeDefault
Args:
/nginx-ingress-controller
--election-id=kubesphere-router-namespace-keycloak
--controller-class=k8s.io/ingress-nginx
--ingress-class=nginx
--configmap=$(POD_NAMESPACE)/kubesphere-router-keycloak
--enable-metrics=true
State: Running
Started: Wed, 18 Jun 2025 19:58:18 +0800
Ready: True
Restart Count: 0
Liveness: http-get http://:10254/healthz delay=10s timeout=1s period=10s #success=1 #failure=5
Readiness: http-get http://:10254/healthz delay=10s timeout=1s period=10s #success=1 #failure=3
Environment:
POD_NAME: kubesphere-router-keycloak-6dc5d7cbdd-r2jqz (v1:metadata.name)
POD_NAMESPACE: kubesphere-controls-system (v1:metadata.namespace)
LD_PRELOAD: /usr/local/lib/libmimalloc.so
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-tt4wv (ro)
Conditions:
Type Status
PodReadyToStartContainers True
Initialized True
Ready True
ContainersReady True
PodScheduled True
Volumes:
kube-api-access-tt4wv:
Type: Projected (a volume that contains injected data from multiple sources)
TokenExpirationSeconds: 3607
ConfigMapName: kube-root-ca.crt
ConfigMapOptional: <nil>
DownwardAPI: true
QoS Class: BestEffort
Node-Selectors: kubernetes.io/os=linux
Tolerations: node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events: <none>
[root@luban-controlplane1 metallb]#
step 5.查看 Ingress Controller svc
[root@luban-controlplane1 metallb]# kubectl get svc -n kubesphere-controls-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubesphere-router-extension-gateway NodePort 10.233.48.56 <none> 80:30116/TCP,443:31834/TCP 5d21h
kubesphere-router-keycloak NodePort 10.233.3.220 <none> 80:31993/TCP,443:30197/TCP 40h
kubesphere-router-keycloak-metrics ClusterIP 10.233.21.75 <none> 10254/TCP 40h
kubesphere-router-zll NodePort 10.233.3.78 <none> 80:32655/TCP,443:30834/TCP 45h
kubesphere-router-zll-metrics ClusterIP 10.233.54.41 <none> 10254/TCP 45h
[root@luban-controlplane1 metallb]#
[root@luban-controlplane1 metallb]# kubectl describe svc kubesphere-router-keycloak -n kubesphere-controls-system
Name: kubesphere-router-keycloak
Namespace: kubesphere-controls-system
Labels: app.kubernetes.io/component=controller
app.kubernetes.io/instance=kubesphere-router-keycloak
app.kubernetes.io/managed-by=Helm
app.kubernetes.io/name=ingress-nginx
app.kubernetes.io/part-of=ingress-nginx
app.kubernetes.io/version=1.12.1
helm.sh/chart=ingress-nginx-4.12.1-ks
Annotations: meta.helm.sh/release-name: kubesphere-router-keycloak
meta.helm.sh/release-namespace: kubesphere-controls-system
Selector: app.kubernetes.io/component=controller,app.kubernetes.io/instance=kubesphere-router-keycloak,app.kubernetes.io/name=ingress-nginx
Type: NodePort
IP Family Policy: SingleStack
IP Families: IPv4
IP: 10.233.3.220
IPs: 10.233.3.220
Port: http 80/TCP
TargetPort: http/TCP
NodePort: http 31993/TCP
Endpoints: 10.233.100.149:80
Port: https 443/TCP
TargetPort: https/TCP
NodePort: https 30197/TCP
Endpoints: 10.233.100.149:443
Session Affinity: None
External Traffic Policy: Cluster
Internal Traffic Policy: Cluster
Events: <none>
[root@luban-controlplane1 metallb]#
Ingress Controller Service 的 type 为 NodePort
[root@luban-controlplane1 metallb]# kubectl get svc kubesphere-router-keycloak -n kubesphere-controls-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubesphere-router-keycloak NodePort 10.233.21.6 <none> 80:31871/TCP,443:30686/TCP 71s
[root@luban-controlplane1 metallb]#
step 6.配置域名 DNS 记录
在域名提供商控制台添加 A 记录（本地测试时也可直接写入 /etc/hosts）:
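# Map the test hostname to a cluster node so the name resolves locally.
# NOTE(review): the Ingress ADDRESS shown earlier is 192.168.10.167 (luban-worker1);
# confirm that 192.168.10.164 is really the node you want traffic to reach.
# The grep guard keeps re-running this step from appending duplicate lines, and the
# quoted heredoc delimiter makes the body literal (no expansion into /etc/hosts).
if ! grep -qF 'keycloak.xiangxun.org' /etc/hosts; then
  cat >> /etc/hosts <<'EOF'
192.168.10.164 keycloak.xiangxun.org
EOF
fi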
# 2.更新 Ingress 规则
配置 HTTPS(推荐),HTTPS 使用标准端口 443,可自动隐藏端口号。
步骤 1:创建 TLS 证书(示例使用自签名)
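# Self-signed certificate for the test hostname.
# -addext adds a subjectAltName: current browsers and curl ignore the CN alone and
# reject a certificate whose SAN does not match the host (needs OpenSSL 1.1.1+).
# The subshell-scoped umask keeps tls.key readable only by the user creating it
# without changing the umask of the calling shell.
(
  umask 077
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout tls.key \
    -out tls.crt \
    -subj "/CN=keycloak.xiangxun.org" \
    -addext "subjectAltName=DNS:keycloak.xiangxun.org"
)
# The Secret must be in the same namespace as the Ingress that references it.
# NOTE(review): the Keycloak pod and service described above run in namespace
# "keycloak"; use -n keycloak if the Ingress is updated there instead of "default".
kubectl create secret tls keycloak-tls \
  --key tls.key \
  --cert tls.crt \
  -n default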
步骤 2:更新 Ingress 规则
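# Ingress for Keycloak: terminates TLS for keycloak.xiangxun.org with the keycloak-tls
# Secret and proxies to keycloak-service on its TLS port 8443.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak-ingress
  # Must match the namespace of keycloak-service and of the keycloak-tls Secret.
  namespace: default
  annotations:
    # Legacy class annotation; spec.ingressClassName is the current field.
    # NOTE(review): the live Ingress shown above uses class
    # kubesphere-router-namespace-keycloak - confirm which class the controller serves.
    kubernetes.io/ingress.class: "nginx"
    # Redirect plain HTTP to HTTPS.
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    # keycloak-service exposes TLS on 8443, so the controller must speak HTTPS to the
    # backend; without this the proxy sends plaintext HTTP to a TLS port.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
    - hosts:
        - keycloak.xiangxun.org
      secretName: keycloak-tls
  rules:
    - host: keycloak.xiangxun.org
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: keycloak-service
                port:
                  number: 8443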
# 3.测试访问
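# Plain HTTP: force-ssl-redirect should answer with a redirect to HTTPS.
curl -I http://keycloak.xiangxun.org
# HTTPS without a port number. The certificate is self-signed, so verify against
# the tls.crt generated above instead of disabling verification with -k.
curl -I --cacert tls.crt https://keycloak.xiangxun.org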
结果：使用 NodePort 方式时无法直接通过域名访问。