
MLOps

Keycloak Install (with. Helm)

문타리 2025. 3. 17.


Configuration in which the Nginx Ingress Controller passes HTTPS traffic on to Keycloak as HTTPS

# Move to the working directory
mkdir -p /root/files/keycloak
cd /root/files/keycloak

# Generate the private key
openssl genrsa -out keycloak.key 2048

# Generate a certificate signing request (CSR)
openssl req -new -key keycloak.key -out keycloak.csr -subj "/CN=keycloak.local"

# Generate a self-signed certificate (valid for 3650 days)
openssl x509 -req -days 3650 -in keycloak.csr -signkey keycloak.key -out keycloak.crt

kubectl create ns keycloak
kubectl create secret tls keycloak-tls-secret \
  --cert=/root/files/keycloak/keycloak.crt \
  --key=/root/files/keycloak/keycloak.key \
  -n keycloak

# Add and update the Helm repository
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo update
helm repo list

helm pull bitnami/keycloak --version 24.4.9

tar -xvf keycloak-24.4.9.tgz

cat <<EOF | tee /root/files/keycloak/override_values.yaml
auth:
  adminUser: admin
  adminPassword: "admin"
tls:
  enabled: true
  autoGenerated: false
  existingSecret: keycloak-tls-secret
  usePem: true
postgresql:
  enabled: true     # set to false when using an external DB
  auth:
    postgresPassword: "test123"
    username: admin_keycloak
    password: "test123"
    database: db_keycloak
  architecture: standalone
EOF

cd /root/files/keycloak
helm upgrade -i keycloak keycloak-24.4.9.tgz  --namespace=keycloak --create-namespace -f /root/files/keycloak/override_values.yaml

# Uninstall
# helm delete keycloak -n keycloak
# kubectl delete namespace keycloak --force --grace-period=0
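The values file above carries the Keycloak admin password and both PostgreSQL passwords in plain text, and `helm get values keycloak -n keycloak` shows them to anyone who can read the release. The following is an added example, not code from the original post: a POSIX shell script that generates random passwords, writes them into a Kubernetes Secret manifest, and renders override values that reference that Secret instead of embedding passwords. The chart keys auth.existingSecret, auth.passwordSecretKey, postgresql.auth.existingSecret and postgresql.auth.secretKeys are assumed to be those of bitnami/keycloak 24.4.9; confirm them with `helm show values keycloak-24.4.9.tgz` before relying on them. The secret name keycloak-credentials is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not part of the original post. Generates credentials once,
# stores them in a Kubernetes Secret and points the Helm values at that
# Secret so override_values.yaml carries no passwords.
# Assumed chart keys (bitnami/keycloak): auth.existingSecret,
# auth.passwordSecretKey, postgresql.auth.existingSecret,
# postgresql.auth.secretKeys.{adminPasswordKey,userPasswordKey}.
set -u

# 32 random bytes, base64-encoded: 44 characters from [A-Za-z0-9+/=],
# which are safe inside double-quoted YAML strings.
gen_password() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Secret manifest holding the three passwords the chart needs.
# $1 namespace, $2 secret name, $3 admin password,
# $4 PostgreSQL superuser password, $5 PostgreSQL application user password
render_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $2
  namespace: $1
type: Opaque
stringData:
  admin-password: "$3"
  postgres-password: "$4"
  password: "$5"
EOF
}

# Override values that reference the Secret by name; the TLS settings are
# the same as in the post (self-signed keycloak-tls-secret).
# $1 secret name
render_values() {
  cat <<EOF
auth:
  adminUser: admin
  existingSecret: $1
  passwordSecretKey: admin-password
tls:
  enabled: true
  autoGenerated: false
  existingSecret: keycloak-tls-secret
  usePem: true
postgresql:
  enabled: true     # set to false when using an external DB
  auth:
    username: admin_keycloak
    database: db_keycloak
    existingSecret: $1
    secretKeys:
      adminPasswordKey: postgres-password
      userPasswordKey: password
  architecture: standalone
EOF
}

# Usage: sh this-script.sh apply
# Applies the Secret (passwords never touch the shell history or a file)
# and writes the values file the helm command in the post consumes.
if [ "${1:-}" = "apply" ]; then
  umask 077
  render_secret keycloak keycloak-credentials \
    "$(gen_password)" "$(gen_password)" "$(gen_password)" \
    | kubectl apply -n keycloak -f -
  render_values keycloak-credentials > /root/files/keycloak/override_values.yaml
fi
```

Create the Secret before running `helm upgrade -i`; the chart then reads the admin and database passwords from it and the values file can be checked into version control.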

Generating the SSL certificate

$> certbot certonly --manual --preferred-challenges dns -d keycloak.wooyoung85.net
...
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.keycloak.wooyoung85.net.

with the following value:

GHs9sw9AYJsjvvRc1jC3Cm0sRVMT7YotZlmLFY8V0vs

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.keycloak.wooyoung85.net.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
...

Applying the certificate to the Kubernetes Ingress

ll /etc/letsencrypt/live/keycloak.wooyoung85.net/

kubectl create secret tls keycloak-ingress-tls-secret \
--key /etc/letsencrypt/live/keycloak.wooyoung85.net/privkey.pem \
--cert /etc/letsencrypt/live/keycloak.wooyoung85.net/fullchain.pem \
-n keycloak

kubectl get secret -n keycloak keycloak-ingress-tls-secret

cat <<EOF | tee ~/keycloak-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak-ingress
  namespace: keycloak
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /  # rewrite the request path
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
  - hosts:
    - keycloak.wooyoung85.net
    secretName: keycloak-ingress-tls-secret
  ingressClassName: "nginx"  # use the NGINX Ingress Controller
  rules:
  - host: keycloak.wooyoung85.net
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: keycloak
            port:
              number: 443
EOF
kubectl apply -f ~/keycloak-ingress.yaml
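Two TLS secrets are created in this post: keycloak-tls-secret from the self-signed pair (CN=keycloak.local) and keycloak-ingress-tls-secret from the Let's Encrypt files. A key that does not match its certificate, a certificate that does not name the host, or one that is about to expire (certificates issued with `certbot --manual` are not renewed automatically, and the Kubernetes secret is not refreshed even when they are) all surface only after `kubectl apply`. The following is an added example, not code from the original post: a POSIX shell pre-flight that checks those three conditions with the openssl CLI before `kubectl create secret tls`. It assumes only openssl; paths, host and the expiry window are arguments. The self-signed CN=keycloak.local is acceptable for the ingress-to-Keycloak hop because ingress-nginx does not verify the upstream certificate unless the proxy-ssl-verify annotation is enabled, so run the check against the name that clients will actually verify.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for a
# key/certificate pair before it is loaded into a Kubernetes TLS secret.
# Requires only the openssl CLI.
set -u

# 0 when the certificate's public key equals the private key's public key.
tls_pair_matches() {
  local cert="$1" key="$2"
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 when the host appears as the subject CN or as a DNS SAN entry.
tls_cert_covers_host() {
  local cert="$1" host="$2"
  local subject sans re
  subject=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null) || return 1
  # the SAN list is printed on the line after its header in -text output
  sans=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n1)
  re=$(printf '%s' "$host" | sed 's/\./\\./g')
  printf '%s\n%s\n' "$subject" "$sans" \
    | grep -Eq '(CN ?= ?|DNS:)'"$re"'(,|$|/| )'
}

# 0 when the certificate is still valid $2 days from now (default 30).
tls_cert_valid_for_days() {
  local cert="$1" days="${2:-30}"
  openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Runs all three checks, one report line each; non-zero if any fails.
# $1 certificate (for Let's Encrypt use fullchain.pem; the leaf is read),
# $2 private key, $3 expected host name, $4 minimum remaining validity in days
tls_preflight() {
  local cert="$1" key="$2" host="$3" days="${4:-30}" rc=0
  if tls_pair_matches "$cert" "$key"; then
    echo "ok    private key matches certificate"
  else
    echo "FAIL  private key does not match certificate"; rc=1
  fi
  if tls_cert_covers_host "$cert" "$host"; then
    echo "ok    certificate names $host"
  else
    echo "FAIL  certificate does not name $host"; rc=1
  fi
  if tls_cert_valid_for_days "$cert" "$days"; then
    echo "ok    valid for at least $days more days"
  else
    echo "FAIL  expires within $days days"; rc=1
  fi
  return $rc
}

# Usage: sh this-script.sh CERT KEY HOST [DAYS] && kubectl create secret tls ...
if [ "$#" -ge 3 ]; then
  tls_preflight "$@"
fi
```

A typical call before the second secret in the post is `tls_preflight /etc/letsencrypt/live/keycloak.wooyoung85.net/fullchain.pem /etc/letsencrypt/live/keycloak.wooyoung85.net/privkey.pem keycloak.wooyoung85.net 30`; the same function run against keycloak.crt and keycloak.key with the host name clients use shows why the self-signed pair must not be reused for the browser-facing Ingress.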

SSL Termination configuration (for reference)

  • With proxy: edge, Keycloak can be configured not to do TLS itself
  • Configuration in which the Nginx Ingress Controller terminates SSL (Keycloak is reached on port 80)
  • The content below is kept for reference only
    🙃 For systems that handle sensitive information, TLS is recommended even inside the cluster
cd /root/files/keycloak

# Keycloak Helm values
cat <<EOF | tee /root/files/keycloak/override_values.yaml
auth:
  adminUser: admin
  adminPassword: "admin"
tls:
  enabled: false
  autoGenerated: false
proxy: edge         # SSL termination at the ingress
postgresql:
  enabled: true     # set to false when using an external DB
  auth:
    postgresPassword: "test123"
    username: admin_keycloak
    password: "test123"
    database: db_keycloak
  architecture: standalone
EOF

helm install keycloak keycloak-24.4.9.tgz  --namespace=keycloak --create-namespace -f /root/files/keycloak/override_values.yaml

# Generate the SSL certificate
...

# Ingress configuration
cat <<EOF | tee ~/keycloak-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak-ingress
  namespace: keycloak
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /  # rewrite the request path
spec:
  tls:
  - hosts:
    - keycloak.wooyoung85.net
    secretName: keycloak-tls-secret
  ingressClassName: "nginx"  # use the NGINX Ingress Controller
  rules:
  - host: keycloak.wooyoung85.net
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: keycloak
            port:
              number: 80
EOF
kubectl apply -f ~/keycloak-ingress.yaml
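In this reference variant TLS ends at the ingress and Keycloak receives plain HTTP on port 80, which the post itself advises against for sensitive systems. If it is used anyway, one compensating control is to ensure the plain-HTTP Keycloak pods accept connections only from the ingress controller. The following is an added example, not code from the original post: a shell function that renders a NetworkPolicy to that effect. The pod labels app.kubernetes.io/name=keycloak and app.kubernetes.io/instance=keycloak, the container port 8080 behind service port 80, and the ingress controller namespace name ingress-nginx are assumptions taken from bitnami chart and ingress-nginx defaults; verify them with `kubectl get pods -n keycloak --show-labels` and `kubectl get ns --show-labels`. The policy only has effect with a CNI that enforces NetworkPolicy.

```shell
#!/bin/sh
# Added example, not part of the original post: a NetworkPolicy so that the
# plain-HTTP Keycloak pods (proxy: edge variant) accept inbound traffic only
# from the ingress controller's namespace. Assumed labels/ports noted inline.
set -u

# $1 Keycloak namespace, $2 Helm release name, $3 ingress controller namespace
render_keycloak_netpol() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: keycloak-from-ingress-only
  namespace: $1
spec:
  podSelector:
    matchLabels:                      # assumed bitnami/keycloak pod labels
      app.kubernetes.io/name: keycloak
      app.kubernetes.io/instance: $2
  policyTypes:
  - Ingress                           # egress (e.g. to PostgreSQL) is untouched
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:                  # label Kubernetes sets on every namespace
          kubernetes.io/metadata.name: $3
    ports:
    - protocol: TCP
      port: 8080                      # assumed container port behind service port 80
EOF
}

# Usage: sh this-script.sh apply
if [ "${1:-}" = "apply" ]; then
  render_keycloak_netpol keycloak keycloak ingress-nginx | kubectl apply -f -
fi
```

The policy selects only the Keycloak pods, so the PostgreSQL pod the chart deploys stays reachable from Keycloak; traffic from any other namespace to port 8080 is dropped, which removes the ability of arbitrary in-cluster workloads to talk to the unencrypted endpoint directly.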
