Commit 74e20cf0 by tingweiwang

fix

1 parent 2915bdab
#!/bin/bash
usage()
{
echo "Usage: $0 [-a [rsa|ecc]] [-d <domain>] [-n <name>] [-h]"
echo " Options:"
echo " -a algorithm.[rsa|ecc]"
echo " -d domain.example: xxx.com,abc.org,*.abc.org"
echo " -n server key name"
echo " -h help"
exit 1
}
srv_key_name="server"
while getopts "a:d:n:h" arg #选项后面的冒号表示该选项需要参数
do
case $arg in
a)
alg=$OPTARG #算法
;;
d)
all_domain=$OPTARG #域名,逗号分隔
;;
n)
srv_key_name=$OPTARG #服务器证书名称
;;
h)
usage
exit 0
;;
?) #当有不认识的选项的时候arg为?
usage
exit 1
;;
esac
done
domain="domain.com"
san="DNS:*.${domain},DNS:${domain}"
if [ -n "${all_domain}" ]; then
#分割域名
OLD_IFS="$IFS"
IFS=","
domain_array=($all_domain)
IFS="$OLD_IFS"
domain_len=${#domain_array[@]}
domain=${domain_array[0]}
san=""
for ((i=0;i<domain_len;i++))
{
if [ $i = 0 ];then
san="DNS:${domain_array[i]}"
else
san="${san},DNS:${domain_array[i]}"
fi
}
fi
ca_subj="/C=CN/ST=Hubei/L=Wuhan/O=MY/CN=MY CA"
server_subj="/C=CN/ST=Hubei/L=Wuhan/O=MY/CN=${domain}"
#其中C是Country,ST是state,L是local,O是Organization,OU是Organization Unit,CN是common name
days=14610 # 有效期40年
echo "san:${san}"
sdir="certs"
ca_key_file="${sdir}/ca.key"
ca_crt_file="${sdir}/ca.crt"
srv_key_file="${sdir}/${srv_key_name}.key"
srv_csr_file="${sdir}/${srv_key_name}.csr"
srv_crt_file="${sdir}/${srv_key_name}.crt"
srv_p12_file="${sdir}/${srv_key_name}.p12"
srv_fullchain_file="${sdir}/${srv_key_name}-fullchain.crt"
cfg_san_file="${sdir}/san.cnf"
#algorithm config
if [[ ${alg} = "rsa" ]] ; then
rsa_len=2048
elif [[ ${alg} = "ecc" ]] ; then
ecc_name=prime256v1
else
usage
exit 1
fi #ifend
echo "algorithm:${alg}"
mkdir -p ${sdir}
if [ ! -f "${ca_key_file}" ]; then
echo "------------- gen ca key-----------------------"
if [[ ${alg} = "rsa" ]] ; then
openssl genrsa -out ${ca_key_file} ${rsa_len}
elif [[ ${alg} = "ecc" ]] ; then
openssl ecparam -out ${ca_key_file} -name ${ecc_name} -genkey
fi #ifend
openssl req -new -x509 -days ${days} -key ${ca_key_file} -out ${ca_crt_file} -subj "${ca_subj}"
fi
if [ ! -f "${srv_key_file}" ]; then
echo "------------- gen server key-----------------------"
if [[ ${alg} = "rsa" ]] ; then
openssl genrsa -out ${srv_key_file} ${rsa_len}
elif [[ ${alg} = "ecc" ]] ; then
openssl ecparam -genkey -name ${ecc_name} -out ${srv_key_file}
fi #ifend
openssl req -new -sha256 -key ${srv_key_file} -out ${srv_csr_file} -subj "${server_subj}"
printf "[ SAN ]\nauthorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nkeyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment\nsubjectAltName=${san}" > ${cfg_san_file}
openssl x509 -req -days ${days} -sha256 -CA ${ca_crt_file} -CAkey ${ca_key_file} -CAcreateserial -in ${srv_csr_file} -out ${srv_crt_file} -extfile ${cfg_san_file} -extensions SAN
cat ${srv_crt_file} ${ca_crt_file} > ${srv_fullchain_file}
openssl pkcs12 -export -inkey ${srv_key_file} -in ${srv_crt_file} -CAfile ${ca_crt_file} -chain -out ${srv_p12_file}
fi
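Review bot: The CA and server private keys are written under `certs/` with whatever umask the caller happens to have, and the `-d` value is spliced into the `printf` format string that builds `san.cnf`, so a `%` or backslash sequence in the domain list changes the extension file that then gets signed. I would add `umask 077` before `mkdir -p`, keep the format literal by ending it with `subjectAltName=%s\n'` and passing `"${san}"` as an argument, and quote the `${...}` path expansions, since `-n` feeds straight into them. `days=14610` is also applied to the server certificate, so a leaked `${srv_key_name}.key` stays usable for 40 years; a separate, much shorter leaf lifetime would bound that. Separately, `usage` ends in `exit 1`, so `-h` never reaches its `exit 0`.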
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
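Review bot: A private key does not belong in version control: the RSA key in this file is readable by everyone with access to the repository or its history, and deleting it in a later commit does not undo that. If this is the key loaded by the `kubectl create secret ... --key ./cert/ssl/seetatech.com.key` command added in the same commit (file paths are not shown on this page, so that is an inference), the TLS identity for that host should be treated as exposed: reissue the certificate with a fresh key and revoke the old one. Keep only the public certificates in the repo and create the secret from a key stored outside it.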
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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==
-----END CERTIFICATE-----
kubectl create secret -n keycloak tls keycloak-secret --key ./cert/ssl/seetatech.com.key --cert ./cert/ssl/seetatech.com.pem
...@@ -36,10 +36,19 @@ spec: ...@@ -36,10 +36,19 @@ spec:
value: seetatech value: seetatech
- name: KEYCLOAK_USER - name: KEYCLOAK_USER
value: admin value: admin
- name: PROXY_ADDRESS_FORWARDING
value: "true"
image: jboss/keycloak image: jboss/keycloak
ports: ports:
- containerPort: 8080 - containerPort: 8080
resources: {} volumeMounts:
- name: https-cert
mountPath: "/etc/x509/https"
readOnly: true
volumes: ###配置https
- name: https-cert
secret:
secretName: keycloak-secret
initContainers: initContainers:
- name: init-postgres-keycloak-service - name: init-postgres-keycloak-service
image: busybox image: busybox
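Review bot: `PROXY_ADDRESS_FORWARDING: "true"` makes Keycloak trust `X-Forwarded-*` headers from whoever connects to port 8080, so it is only safe when the ingress controller is the sole network path to the pod, and nothing in this hunk enforces that (a NetworkPolicy may exist elsewhere). The hunk also mounts `keycloak-secret`, private key included, at `/etc/x509/https` while the only declared port is still 8080; if TLS terminates at the ingress, the mount is extra key exposure with no benefit and could be dropped. It looks as if `resources: {}` was removed rather than filled in, so the container still has no requests or limits. The container spec continues outside the hunk.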
......
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-ingress-controller
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
template:
metadata:
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
annotations:
prometheus.io/port: "10254"
prometheus.io/scrape: "true"
spec:
# wait up to five minutes for the drain of connections
terminationGracePeriodSeconds: 300
serviceAccountName: nginx-ingress-serviceaccount
nodeSelector:
beta.kubernetes.io/os: linux
containers:
- name: nginx-ingress-controller
image: hb.seetatech.com/wangtingwei/nginx-ingress-controller:0.26.1
args:
- /nginx-ingress-controller
- --configmap=$(POD_NAMESPACE)/nginx-configuration
- --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
- --udp-services-configmap=$(POD_NAMESPACE)/udp-services
- --publish-service=$(POD_NAMESPACE)/ingress-nginx
- --annotations-prefix=nginx.ingress.kubernetes.io
securityContext:
allowPrivilegeEscalation: true
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
# www-data -> 33
runAsUser: 33
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
ports:
- name: http
containerPort: 80
- name: https
containerPort: 443
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 10
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 10
lifecycle:
preStop:
exec:
command:
- /wait-shutdown
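Review bot: The controller image `hb.seetatech.com/wangtingwei/nginx-ingress-controller:0.26.1` is pulled by mutable tag from what appears to be a personal registry namespace, so whatever is pushed under that tag runs with this service account on the cluster edge. I would pin it by digest (`image: hb.seetatech.com/wangtingwei/nginx-ingress-controller@sha256:<digest of the verified upstream image>`) and record in a comment which upstream image it mirrors. `allowPrivilegeEscalation: true` also deserves a comment such as `# needed so nginx can bind 80/443 as uid 33 via NET_BIND_SERVICE` if that is the reason, so it is not copied into other workloads. 0.26.1 is an old release; check the upstream changelog for security fixes before exposing it.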
apiVersion: v1
kind: Namespace
metadata:
name: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
---
kind: ConfigMap
apiVersion: v1
metadata:
name: nginx-configuration
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
---
kind: ConfigMap
apiVersion: v1
metadata:
name: tcp-services
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
---
kind: ConfigMap
apiVersion: v1
metadata:
name: udp-services
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: nginx-ingress-serviceaccount
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: nginx-ingress-clusterrole
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- nodes
- pods
- secrets
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- "extensions"
- "networking.k8s.io"
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- "extensions"
- "networking.k8s.io"
resources:
- ingresses/status
verbs:
- update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: nginx-ingress-role
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
# Defaults to "<election-id>-<ingress-class>"
# Here: "<ingress-controller-leader>-<nginx>"
# This has to be adapted if you change either parameter
# when launching the nginx-ingress-controller.
- "ingress-controller-leader-nginx"
verbs:
- get
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: nginx-ingress-role-nisa-binding
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: nginx-ingress-role
subjects:
- kind: ServiceAccount
name: nginx-ingress-serviceaccount
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: nginx-ingress-clusterrole-nisa-binding
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: nginx-ingress-clusterrole
subjects:
- kind: ServiceAccount
name: nginx-ingress-serviceaccount
namespace: ingress-nginx
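Review bot: The `nginx-ingress-clusterrole` rule that grants `list`/`watch` on `secrets` lets the controller's service account read every Secret in the cluster, so a compromise of the internet-facing controller pod exposes `keycloak-secret` and all unrelated credentials. If the controller only serves a few namespaces, consider scoping it with `--watch-namespace` and moving `secrets` into namespaced Roles. The four RBAC objects also use `rbac.authorization.k8s.io/v1beta1`, which was removed in Kubernetes 1.22; `rbac.authorization.k8s.io/v1` accepts the same fields.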
apiVersion: v1
kind: Service
metadata:
name: ingress-nginx
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
type: NodePort
ports:
- name: http
port: 80
targetPort: 80
nodePort: 30097
protocol: TCP
- name: https
port: 443
targetPort: 443
nodePort: 30098
protocol: TCP
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
...@@ -2,7 +2,22 @@ apiVersion: extensions/v1beta1 ...@@ -2,7 +2,22 @@ apiVersion: extensions/v1beta1
kind: Ingress kind: Ingress
metadata: metadata:
name: keycloak-ingress name: keycloak-ingress
namespace: keycloak
######################添加annotation修改nginx配置信息,解决上传文件413 too large限制################
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/proxy-body-size: "102400m"
###########################################################################
spec: spec:
backend: tls:
serviceName: keycloak - hosts:
servicePort: 8080 - keycloak.seetatech.com
\ No newline at end of file secretName: keycloak-secret
rules:
- host: keycloak.seetatech.com
http:
paths:
- backend:
serviceName: keycloak
servicePort: 8080
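Review bot: `nginx.ingress.kubernetes.io/proxy-body-size: "102400m"` raises the request body cap to roughly 100 GB, which in practice removes it for every path on keycloak.seetatech.com, including the unauthenticated login endpoints, and lets a single client tie up controller buffers and disk. The 413 is better fixed with a limit sized to the largest legitimate upload, for example `nginx.ingress.kubernetes.io/proxy-body-size: "50m"` (a constructed value; pick it from real needs). A comment stating which upload needed the increase would help the next reviewer.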
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: managers-role-binding
subjects:
- kind: Group
name: manager # Name is case sensitive
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
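Review bot: Binding the `manager` group to `cluster-admin` means anyone who can add a user to that group in the identity provider becomes a full cluster administrator, so Keycloak group administration is now part of the cluster's trust boundary. The group name is unprefixed; unless the API server sets `--oidc-groups-prefix` (not visible here), a group called `manager` from any authenticator matches this binding. I would add a comment naming where the group comes from, e.g. `# OIDC group asserted by the Keycloak realm configured on the API server`, and bind a narrower ClusterRole unless full admin is really required.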
#!/bin/bash
echo "创建wangtingwei用户"
kubectl config set-credentials wangtingwei \
--auth-provider=oidc \
--auth-provider-arg=idp-issuer-url=https://keycloak.seetatech.com:30098/auth/realms/master \
--auth-provider-arg=client-id=kubernetes-kpl \
--auth-provider-arg=client-secret=bd6a660c-aba1-451f-af8e-7f2d018a86e0 \
--auth-provider-arg=refresh-token=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIyZTZmMmZlNi1lYTU3LTQyYWEtYTFiNS0zZmRhOTQ5MjMwZTkifQ.eyJleHAiOjE1ODk2MjI4OTAsImlhdCI6MTU4OTYyMTA5MCwianRpIjoiMDA4MzdiOTktNThjZS00MTZmLTllNzUtODZhNWM3Zjc1OTZhIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5zZWV0YXRlY2guY29tOjMwMDk4L2F1dGgvcmVhbG1zL21hc3RlciIsImF1ZCI6Imh0dHBzOi8va2V5Y2xvYWsuc2VldGF0ZWNoLmNvbTozMDA5OC9hdXRoL3JlYWxtcy9tYXN0ZXIiLCJzdWIiOiI4NWNkNTU2ZS1jMjM4LTQyOWQtYTY1NS03ZWNlMTJmMzEwNzYiLCJ0eXAiOiJSZWZyZXNoIiXRlcy1rcGwiLCJzZXNzaW9uX3N0YXRlIjoiODlhNzE2YmQtZTZmOC00NGRhLWEwMTAtZjJmNGRlOTBkZDgxIiwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSJ9.00sttAQsKGQ__x3YnUGMhCfKbb1onuoCPteIwgfKPTw \
--auth-provider-arg=id-token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJYRlJBXzMwOEZFeDZCVUFVUEpQdVd0RWVnTEpXQkJmaVZGaUVVZlp5cU5nIn0.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.VG6k2_wZwdnIL-2adLDWCstsBiECd-qAvp3VeA6xLhCWF1DaH6YAnGp75QURZ6KlwZUAUdLIY03jz7cbvGO03sj64z-83wWFfMFo5WZDGlwMbm_Y9GSWLRMdDe1m0E4kkjEvfuozG2tHXfpWIlVz5K2Rpa-N7xEHoUUq_nXm53K_qL-AW6lgdER_UWA6APs82iT2A6iB6yCDVtNL3hFYSCMXslP2rBcJ9gsWfHZXxGFHNcLM83ntXcJck0cnnQiG2sHZfjYMpHwHcBCrG7D2WwFI-GVb36I5GLP8IRworM-TgYQ2G3I-ocKhbCwwcSDa4QA
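Review bot: The OIDC `client-secret`, a `refresh-token` and an `id-token` are hard-coded in this script and now sit in the repository history, so they should be treated as disclosed: regenerate the `kubernetes-kpl` client secret and end the Keycloak session the tokens belong to. Passing them as `--auth-provider-arg=` values also exposes them in the process list and shell history. Read them from the environment or an untracked file instead, e.g. `--auth-provider-arg=client-secret="${OIDC_CLIENT_SECRET:?}"`. The issuer is the `master` realm, which normally holds Keycloak's own administrators; a dedicated realm for cluster users would keep the two populations apart.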